(see the wiki page instead)
Hey man, I'd like to thank you on behalf of the whole community for the howto!
I'd like to suggest formatting the post better, highlighting goals and steps.
@docs_team would help you here.
Edited for formatting, and a few content additions.
Seems stuff like this would be better off in the wiki than on the forums:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
When I try to install it, like you described it in the wiki, it finishes with: -bash: acme.sh: command not found
Any suggestion?
Hi @hucky,
did you log off/log on after installing acme to make the PATH active?
Log out and back in to activate the new PATH.
You got it, thank you @mrmarkuz
F... something I did wrong. I restarted the server and now it is not possible to reach the GUI. httpd did not start.
Got errors about the certificate:
systemd[1]: Starting The Apache HTTP Server…
httpd[4136]: AH00526: Syntax error on line 107 of /etc/httpd/conf.d/ssl.conf:
httpd[4136]: SSLCertificateKeyFile: file ‘/etc/pki/tls/private/localhost.key’ does not exist or is empty
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[4138]: kill: cannot find process ""
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start The Apache HTTP Server.
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed
That should have been created by the certificate-update event; it was, at least, on my clean 7.4 install. What's the output of ls -l /etc/pki/tls/private/ ?
ls: cannot access /etc/pki/tls/private/?: No such file or directory
Please try ls -l /etc/pki/tls/private/ without the question mark.
total 4
-rw------- 1 root root 0 Feb 16 11:16 httpd-admin.key
-rw------- 1 root root 0 Feb 16 11:58 localhost.key
-rw-------. 1 root root 1704 Dec 18 2016 NSRV.key
That’s strange; your key should have been placed there when you issued it. Let’s see the output of
config show pki
ls -l ~/.acme.sh/your_fqdn/
cat ~/.acme.sh/your_fqdn/your_fqdn.conf
In all three cases above, replace your_fqdn with the fully-qualified domain name of your server. In the output of the last command, mask the API key and email address.
config show pki
pki=configuration
CertificateDuration=3650
ChainFile=/etc/pki/tls/certs/chain.pem
CommonName=SBS
CountryCode=DE
CrtFile=/etc/pki/tls/certs/cert.pem
EmailAddress=xxx@xx.de
KeyFile=/etc/pki/tls/private/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=xxx.xxx.de
LetsEncryptMail=xxx@xxx.de
LetsEncryptRenewDays=30
Locality=Berlin
Organization=xxxxxxxxxx
OrganizationalUnitName=Main
State=Deutschland
SubjectAltName=xxx.xxxx.de,xxx.spdns.de
ls -l ~/.acme.sh/xxx.xxxxxx.de/
total 16
-rw-r--r-- 1 root root 202 Feb 16 12:36 xxxxxx.spdns.de.conf
-rw-r--r-- 1 root root 985 Feb 16 12:36 xxxxxx.spdns.de.csr
-rw-r--r-- 1 root root 212 Feb 16 12:36 xxxxxx.spdns.de.csr.conf
-rw-r--r-- 1 root root 1679 Feb 16 11:07 xxxxxx.spdns.de.key
cat ~/.acme.sh/your_fqdn/your_fqdn.conf
cat ~/.acme.sh/xxx.xxxx.de/xxx.xxx.de.conf
Le_Domain='xxx.xxxx.de'
Le_Alt='no'
Le_Webroot='/home/wwwroot/example.com,tls'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v01.api.letsencrypt.org/directory'
Le_Keylength=''
OK, lots of problems here. You don’t have a cert generated at all. The reason for that can be seen in the .conf file. The Cloudflare credentials aren’t there, so it won’t validate domain control. The cert, key, and chain paths are missing, so acme.sh won’t copy those to the correct place. And the renew command is blank, so acme.sh won’t signal the certificate-update event after it runs.
The acme.sh command I gave on the wiki page is the same one I gave in my post here, just broken onto several lines for readability. Did you enter it exactly as shown? With the backslashes ( \ ) at the end of each line but the last?
Yes, I ran it exactly as it was written. I guess that was the cause of the error: I did it as if I had Cloudflare, but I don't have one. Very sorry for it. Do you think it is possible to generate a certificate just for getting the web GUI back? At the moment Apache, httpd etc. won't start because the certificate is missing. Really sorry for that mess.
It may be enough to set the SSL cert directives in /etc/httpd/conf.d/ssl.conf to the defaults:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Hmm, it is like you wrote:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Sorry, I did not recognize your empty localhost.key...
I moved my key and fired the certificate-update event, and localhost.key was recreated:
mv /etc/pki/tls/private/localhost.key ~
signal-event certificate-update
Maybe you have to set the db props you changed back to their default values.
My values with a Let's Encrypt cert:
# config show pki
pki=configuration
CertificateDuration=3650
ChainFile=/etc/letsencrypt/live/mrmarkuz.goip.de/chain.pem
CommonName=
CountryCode=
CrtFile=/etc/letsencrypt/live/mrmarkuz.goip.de/cert.pem
EmailAddress=
KeyFile=/etc/letsencrypt/live/mrmarkuz.goip.de/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=mrmarkuz.goip.de
LetsEncryptMail=some@mail.at
LetsEncryptRenewDays=30
Locality=
Organization=
OrganizationalUnitName=
State=
SubjectAltName=
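A small diagnostic for the situation in this thread, added here as an example and not part of the thread, of NethServer or of acme.sh: it reads saved "config show pki" output from a file you name (an assumption; the thread just prints it to the terminal) and reports whether each ChainFile, CrtFile and KeyFile is missing or zero bytes, the exact condition httpd complained about above. The optional second function confirms that the private key belongs to the certificate when both are PEM and openssl is installed.

```shell
#!/bin/sh
# Added diagnostic (example code, not part of the thread, NethServer or acme.sh).
# Checks that the files the NethServer "pki" config points at exist and are
# non-empty, which is what httpd complained about above:
#   SSLCertificateKeyFile: file '/etc/pki/tls/private/localhost.key' does not exist or is empty
#
# Usage (assumed): config show pki > /tmp/pki.txt && check_pki_paths /tmp/pki.txt

# Print OK / MISSING / EMPTY for ChainFile, CrtFile and KeyFile.
# Returns the number of problems found (0 means all three files are usable).
check_pki_paths() {
    local conf="$1" problems=0 key val
    while IFS='=' read -r key val; do
        case "$key" in
            ChainFile|CrtFile|KeyFile) ;;
            *) continue ;;
        esac
        if [ ! -e "$val" ]; then
            echo "MISSING $key=$val"; problems=$((problems + 1))
        elif [ ! -s "$val" ]; then
            echo "EMPTY   $key=$val"; problems=$((problems + 1))
        else
            echo "OK      $key=$val"
        fi
    done < "$conf"
    return "$problems"
}

# Optional: confirm the private key really belongs to the certificate.
# Only runs when both files look like PEM and openssl is installed.
# Returns 0 on match, 1 on mismatch, 2 when the check could not be performed.
check_cert_key_match() {
    local crt="$1" key="$2" a b
    command -v openssl >/dev/null 2>&1 || return 2
    head -c 10 "$crt" 2>/dev/null | grep -q -- '-----BEGIN' || return 2
    head -c 10 "$key" 2>/dev/null | grep -q -- '-----BEGIN' || return 2
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}
```

Run it after "signal-event certificate-update" as well: a 0 return from check_pki_paths means the paths in the pki config are at least populated, which the 0-byte localhost.key in the ls output above was not.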
I don't get it, maybe I am too dumb. If I look at config show pki I get:
ChainFile=/etc/pki/tls/certs/chain.pem
CrtFile=/etc/pki/tls/certs/cert.pem
KeyFile=/etc/pki/tls/private/privkey.pem
Formerly, I guess, it was like your configuration, because I have exactly this kind of folders from letsencrypt.
Is there a file to edit for changing the paths?