How to get Let's Encrypt certificates for internal servers

mrmarkuz · February 16, 2018, 1:07pm

You can set it like this:

config setprop pki CrtFile /etc/pki/tls/certs/cert.pem

hucky · February 16, 2018, 1:15pm

okay, thank you very much. if i try to start the httpd service it says error in ssl.conf
SSLCertificateKeyFile: file ‘/etc/pki/tls/private/localhost.key’ does not exist or is empty what is true.
then
httpd.service: main process exited, code=exited, status=1/FAILURE

kill: cannot find process ""
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start The Apache HTTP Server.
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed.
Unit httpd.service cannot be reloaded because it is inactive.

danb35 · February 16, 2018, 1:18pm

Why would you do that? But even more to the point, how would you do that? The instructions call for your Cloudflare API key. If you don’t have a Cloudflare account, you don’t have a Cloudflare API key. So what did you enter as your API key?

In any event, the following should correct your problem and return you to a self-signed certificate:

config delprop pki CrtFile
config delprop pki KeyFile
config delprop pki ChainFile
signal-event nethserver-base-update

Once you’ve done that, confirm that the key file is again present:

ls -l /etc/pki/tls/private

hucky · February 16, 2018, 1:24pm

because i did not read it carefully, it was my fault, sorry

after doing that delprop and the baseupate
i got:
ls -l /etc/pki/tls/private
total 20
-rw-r–r-- 1 root root 1801 Dec 8 14:10 cert.pem
-rw-r–r-- 1 root root 1647 Dec 8 14:10 chain.pem
-rw-r–r-- 1 root root 3448 Dec 8 14:10 fullchain.pem
-rw------- 1 root root 0 Feb 16 11:16 httpd-admin.key
-rw------- 1 root root 0 Feb 16 13:50 localhost.key
-rw-------. 1 root root 1704 Dec 18 2016 NSRV.key
-rw-r–r-- 1 root root 1704 Dec 8 14:10 privkey.pem
localhost.key is empty

danb35 · February 16, 2018, 1:29pm

What’s the output now of

config show pki

hucky · February 16, 2018, 1:31pm

config show pki
pki=configuration
CertificateDuration=3650
ChainFile=
CommonName=SBS
CountryCode=DE
CrtFile=
EmailAddress=xxxx@xxxxxxxxx.de
KeyFile=
LetsEncrypt=disabled
LetsEncryptDomains=xxxxx.spdns.de
LetsEncryptMail=xxxx@xxxxx.de
LetsEncryptRenewDays=30
Locality=Berlin
Organization=anyname
OrganizationalUnitName=Main
State=germany
SubjectAltName=xxx.xxxxx.lan,xxxxx.xxx.de

danb35 · February 16, 2018, 1:45pm

According to the manual, that should have worked. Try

/etc/e-smith/events/actions/nethserver-generate-certificate
signal-event certificate-update
ls -l /etc/pki/tls/private

hucky · February 16, 2018, 1:51pm

now something changed.
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-02-16 14:45:43 CET; 1min 37s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 13873 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─13873 /usr/sbin/httpd -DFOREGROUND
├─14003 /usr/sbin/httpd -DFOREGROUND
├─14004 /usr/sbin/httpd -DFOREGROUND
├─14005 /usr/sbin/httpd -DFOREGROUND
├─14006 /usr/sbin/httpd -DFOREGROUND
└─14007 /usr/sbin/httpd -DFOREGROUND
but dont be able to get the webgui…

hucky · February 16, 2018, 1:53pm

okay, now i got the webgui, uffffffff

hucky · February 16, 2018, 2:02pm

Thanks a lot for your support @danb35 and @mrmarkuz !!!

hucky · February 16, 2018, 2:15pm

Just a question, because that was the reason why i try this, is it possible to use acme.sh without Cloudflare to renew the certificat? Just for a single server and to renew the certificat?

danb35 · February 16, 2018, 2:20pm

As I wrote above, the method I described uses DNS validation. To effectively use that, your DNS host must be supported by acme.sh. I gave a link above to the documentation file that describes what DNS hosts are supported, and what you’d need to do to use each of them. If your DNS hosting is with one of those providers, you should be able to use this technique. If not, as a practical matter, you won’t (you can do DNS validation manually, but you’d need to manually update the DNS records for your domain every time you wanted to renew the cert).

alefattorini · February 16, 2018, 2:29pm

Yeah! Readability has been improved now thanks for taking my suggestions into the account

planet_jeroen · February 16, 2018, 8:17pm

It might be an option to just open a port on the firewall for 2 minutes and have letsencrypt validate the certificate, then close the port again. This works for me.

If the location has no internet, maybe you can use your mobile phone to create an internet link, and use that for 2 minutes to verify the certificate.

danb35 · February 16, 2018, 8:23pm

It can work, but it’s probably harder to automate. Lots of ways to skin this cat though.

In my case, I have a different web server behind my pfSense firewall, and ports 80 and 443 (among others) are forwarded there. I don’t think there’s a way I could script the changes to the port forwarding on the firewall, and I don’t think I’d want to anyway (I have a number of internal servers that are getting certs this way, so contention could be an issue–and I wouldn’t want to interrupt traffic to the machine that’s supposed to be the web server anyway).

Another option (and what I had been doing before I started messing with DNS validation) is to run the ACME client on the Internet-facing device, use that to get all your certs, and then script deployment of those certs to the various internal servers that needed them.

planet_jeroen · February 16, 2018, 8:26pm

In my case, I use the renewal mail as input for a task that is manually executed on a spare public IP. No services run over it so it can be abused this way

KdB · February 23, 2018, 10:51pm

Thanks for the HowTo and Wiki entry @danb35 - very helpful.

I had a minor glitch with OnlyOffice / Nginx not being able to verify the cert CA internally, so I added the ‘–fullchain’ option. Pointing nginx conf to /etc/pki/tls/certs/fullchain.pem instead of the cert.pem resolved that issue.

danb35 · March 12, 2018, 10:37am

Removed the content from the OP, so it’s just in the wiki–just one place to maintain now. Also changed the --renew-hook command to --reloadcmd so that things will sequence better on renewal.

Unfortunately, --renew-hook runs before the new cert is copied to its destination, which means the certificate-update event is run before the new certs being put in place. The info currently in the wiki is corrected. If you’ve already issued a cert using the --renew-hook parameter (i.e., following the instructions that were there until yesterday), it’s easy to fix it.

The configuration file for your domain is in /root/.acme.sh/your_fqdn/your_fqdn.conf. Edit that file with your editor of choice. In that file, look for the line that sets Le_RenewHook, and remove that value leaving only the single quotes. Enter that value toward the end, on the line that sets Le_ReloadCmd. Now the certificate-update event will be triggered at the proper time when the cert is next renewed.

hucky · April 28, 2018, 6:44am

hey @danb35, maybe you remember my fault with the acme script without having a cloudflare account, again sorry for that. When i try to renew my certificate with letsencrypt i got an error:

Failed authorization procedure. xxxx.xxx.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx.xxx.de/.well-known/acme-challenge/hHxM4ZHi86sKWccXKF9PwhxumSlSi67nJNWy7LICgfo: Timeout during connect (likely firewall problem)

firewall is not the problem… maybe u have a tip?

danb35 · April 28, 2018, 11:11am

How did you issue that certificate in the first place, and how are you trying to renew it?