(see the wiki page instead)
Ehi man I’d like to thank you on behalf the whole community for the howto!
I’d like to suggest format the post better highlighting goals and steps
@docs_team would help you here
Edited for formatting, and a few content additions.
Seems stuff like this would be better off in the wiki than on the forums:
when i try to install it, like you described it in the wiki, it finished with -bash: acme.sh: command not found
did you logoff/logon after installing acme to make PATH active?
Log out and back in to activate the new PATH.
you got it, thank you @mrmarkuz
f… something i do wrong, i restart the server and now it is not possible to reach the gui. httpd did not start.
got errors about the certificat.
systemd: Starting The Apache HTTP Server…
httpd: AH00526: Syntax error on line 107 of /etc/httpd/conf.d/ssl.conf:
httpd: SSLCertificateKeyFile: file ‘/etc/pki/tls/private/localhost.key’ does not exist or is empty
systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
kill: kill: cannot find process ""
systemd: httpd.service: control process exited, code=exited status=1
systemd: Failed to start The Apache HTTP Server.
systemd: Unit httpd.service entered failed state.
systemd: httpd.service failed
That should have been created by the certificate-update event–it was, at least, on my clean 7.4 install. What’s the output of
ls -l /etc/pki/tls/private/?
ls: cannot access /etc/pki/tls/private/?: No such file or directory
ls -l /etc/pki/tls/private/ without question mark.
-rw------- 1 root root 0 Feb 16 11:16 httpd-admin.key
-rw------- 1 root root 0 Feb 16 11:58 localhost.key
-rw-------. 1 root root 1704 Dec 18 2016 NSRV.key
That’s strange; your key should have been placed there when you issued it. Let’s see the output of
config show pki ls -l ~/.acme.sh/your_fqdn/ cat ~/.acme.sh/your_fqdn/your_fqdn.conf
In all three cases above, replace your_fqdn with the fully-qualified domain name of your server. In the output of the last command, mask the API key and email address.
config show pki
ls -l ~/.acme.sh/xxx.xxxxxx.de/
-rw-r–r-- 1 root root 202 Feb 16 12:36 xxxxxx.spdns.de.conf
-rw-r–r-- 1 root root 985 Feb 16 12:36 xxxxxx.spdns.de.csr
-rw-r–r-- 1 root root 212 Feb 16 12:36 xxxxxx.spdns.de.csr.conf
-rw-r–r-- 1 root root 1679 Feb 16 11:07 xxxxxx.spdns.de.key
OK, lots of problems here. You don’t have a cert generated at all. The reason for that can be seen in the .conf file. The Cloudflare credentials aren’t there, so it won’t validate domain control. The cert, key, and chain paths are missing, so acme.sh won’t copy those to the correct place. And the renew command is blank, so acme.sh won’t signal the certificate-update event after it runs.
The acme.sh command I gave on the wiki page is the same one I gave in my post here, just broken onto several lines for readability. Did you enter it exactly as shown? With the backslashes ( \ ) at the end of each line but the last?
yes, i run it exactly like it was wrote, i guess that was the error cause i do it like a cloudflare but i dont have one. very sorry for it. do you think it is possible to generate a certificat just for getting the webgui back? at the moment apache, httpd etc. wont start cause it miss the certificat really sorry for that mess
It may be enough to set the ssl cert directives in
/etc/httpd/conf.d/ssl.conf to default:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
hmm, it is like you wrote:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Sorry, I did not recognize your empty localhost.key…
I moved my key and fired certificate-update event and localhost.key is recreated.
mv /etc/pki/tls/private/localhost.key ~ signal-event certificate-update
Maybe you have to set the db props you changed to default values again.
My values with letsencrypt cert:
# config show pki pki=configuration CertificateDuration=3650 ChainFile=/etc/letsencrypt/live/mrmarkuz.goip.de/chain.pem CommonName= CountryCode= CrtFile=/etc/letsencrypt/live/mrmarkuz.goip.de/cert.pem EmailAddress= KeyFile=/etc/letsencrypt/live/mrmarkuz.goip.de/privkey.pem LetsEncrypt=disabled LetsEncryptDomains=mrmarkuz.goip.de LetsEncryptMailemail@example.com LetsEncryptRenewDays=30 Locality= Organization= OrganizationalUnitName= State= SubjectAltName=
i dont get it, maybe i am too dumb. if i look at config show pki i got
formerly, i guess, it was like your configuration cause i have exact this kind of folders from letsencrypt.
is there a file to edit for changing the pathes?