Acme.sh EOL and Let's Encrypt

Hi all,

As you all know, June 2021 will be EOL for acme.sh version-1.

Now, I install socat and I use the latest acme.sh version (2.8.9).

Installation command:

As specified by: https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers.
I use:

curl https://get.acme.sh | sh

From: https://github.com/acmesh-official/acme.sh/wiki/How-to-install

curl https://get.acme.sh | sh -s email=my@example.com

But it should be OK as I use Cloudflare.com as my dns server and I specify my email address with

# export CF_Email=my@example.com

and I get the certificate, and it’s working correctly.

QUESTION #1

  • Can somebody confirm the need for acme.sh version-2 to install socat, as it is not installed by default?
  • The use of acme.sh without the option -s email=my@example.com.

To be able to see the certificate in the NethServer Manager, you have to specify in the pki DB:

# config setprop pki ChainFile /etc/pki/tls/certs/cert-chain.crt
# config setprop pki CrtFile /etc/pki/tls/certs/cert.crt
# config setprop pki KeyFile /etc/pki/tls/private/cert.key

QUESTION #2
Can I specify the “full chain” file instead of the “chain” file?


QUESTION #3
In relation to QUESTION #2, what is the best “full chain”:
ca-bundle.crt
or
ca-bundle.trust.crt ?

Thank you in advance,

Michel-André


Irrelevant. The -s parameter specifies the (optional) email address to use to register your Let’s Encrypt account, though that’s something added since I wrote the wiki page. The CF_Email variable is the email address for your account with Cloudflare. They can be the same, but there’s no reason they have to be.

acme.sh (any version) only needs socat if you’re going to use it in standalone mode, which you should never need to do on a Neth server.

No. The version of Apache that ships with Nethserver doesn’t support this.

The “full chain” as acme.sh saves it is the file called fullchain.cer.

Edit:

No, not at all. June 2021 will be EOL for ACME v1. This has nothing at all to do with acme.sh specifically; it affects all ACME clients, except that any reasonably-maintained ACME client has been doing ACME v2 by default for years.

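As an added worked example (not code from the original posts, from acme.sh or from NethServer): a POSIX sh script that ties together the steps discussed in this thread. The function issue_and_install shows the acme.sh commands for Cloudflare DNS validation and for --install-cert into the paths the three pki props point at; the --reloadcmd value (/sbin/e-smith/signal-event certificate-update) is an assumption, not something stated in the thread. The functions pem_cert_count and classify_bundle answer Questions #2 and #3 mechanically by counting and identifying the PEM blocks in acme.sh's output files, and check_pki_files refuses a ChainFile that is really fullchain. The demo at the bottom runs on constructed PEM files, not real certificates.

```shell
#!/bin/sh
# Added example for this thread; not from the original posts, acme.sh or NethServer.
# Assumption: the reloadcmd below is what NethServer needs after a cert change.

# Number of PEM certificate blocks in a file. acme.sh writes, per domain:
#   <domain>.cer   the leaf only                      (1 block)
#   ca.cer         the intermediate(s) only           (the "chain")
#   fullchain.cer  the leaf followed by intermediates (the "full chain")
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Classify a bundle against a known leaf file: prints leaf, chain, fullchain or
# empty. The leaf's first body line is used as a fingerprint, which is enough to
# tell acme.sh's three output files apart.
classify_bundle() {
    bundle=$1 leaf=$2
    n=$(pem_cert_count "$bundle")
    if [ "$n" -eq 0 ]; then echo empty; return 0; fi
    sig=$(sed -n '2p' "$leaf")
    if grep -qF -- "$sig" "$bundle"; then
        if [ "$n" -eq 1 ]; then echo leaf; else echo fullchain; fi
    else
        echo chain
    fi
}

# Validate the files the pki props CrtFile and ChainFile point at: CrtFile must be
# the leaf alone and ChainFile the intermediates alone. Handing ChainFile a
# fullchain (the idea behind QUESTION #2) is rejected here.
check_pki_files() {
    crt=$1 chain=$2
    [ "$(classify_bundle "$crt" "$crt")" = leaf ] ||
        { echo "CrtFile must hold the leaf certificate only" >&2; return 1; }
    [ "$(classify_bundle "$chain" "$crt")" = chain ] ||
        { echo "ChainFile must hold intermediates only, not fullchain" >&2; return 1; }
    return 0
}

# The acme.sh commands themselves (defined here, not executed by this script).
# CF_Key/CF_Email are the Cloudflare Global API key and Cloudflare login, as in
# the thread; the Let's Encrypt account email is a separate thing, given to
# get.acme.sh with -s email=... or to acme.sh --register-account -m ...
issue_and_install() {
    domain=$1
    : "${CF_Key:?set CF_Key to your Cloudflare Global API key}"
    : "${CF_Email:?set CF_Email to your Cloudflare login email}"
    export CF_Key CF_Email
    "$HOME/.acme.sh/acme.sh" --issue --dns dns_cf -d "$domain" || return 1
    "$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \
        --key-file       /etc/pki/tls/private/cert.key \
        --cert-file      /etc/pki/tls/certs/cert.crt \
        --ca-file        /etc/pki/tls/certs/cert-chain.crt \
        --fullchain-file /etc/pki/tls/certs/fullchain.crt \
        --reloadcmd      "/sbin/e-smith/signal-event certificate-update" || return 1
    # The three props from the thread, so the cert shows up in the Manager.
    config setprop pki ChainFile /etc/pki/tls/certs/cert-chain.crt
    config setprop pki CrtFile   /etc/pki/tls/certs/cert.crt
    config setprop pki KeyFile   /etc/pki/tls/private/cert.key
    check_pki_files /etc/pki/tls/certs/cert.crt /etc/pki/tls/certs/cert-chain.crt
}

# Write a constructed PEM file with one block per argument. The bodies are
# placeholders, not real certificates; only the block structure matters here.
make_fake_pem() {
    out=$1; shift
    : > "$out"
    for body in "$@"; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
            '-----END CERTIFICATE-----' >> "$out"
    done
}

# Demo on constructed files laid out like acme.sh's per-domain directory.
demo_dir=$(mktemp -d)
make_fake_pem "$demo_dir/example.com.cer" LEAF-BODY
make_fake_pem "$demo_dir/ca.cer"          INTERMEDIATE-BODY
make_fake_pem "$demo_dir/fullchain.cer"   LEAF-BODY INTERMEDIATE-BODY
for f in example.com.cer ca.cer fullchain.cer; do
    printf '%-16s %s block(s): %s\n' "$f" "$(pem_cert_count "$demo_dir/$f")" \
        "$(classify_bundle "$demo_dir/$f" "$demo_dir/example.com.cer")"
done
check_pki_files "$demo_dir/example.com.cer" "$demo_dir/ca.cer" && echo "pki files OK"
rm -rf "$demo_dir"
```

Run it as-is to see the classification of the three constructed files; call issue_and_install yourname.example.com on a NethServer host only after exporting CF_Key and CF_Email, and treat the reloadcmd as something to confirm against the NethServer wiki page linked in the first post.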