Httpd not using letsencrypt certificates on 6.8

OK, so I finally got around to installing/testing LetsEncrypt on my current 6.8 system following this guide. I installed the additional rpms, from the regular repositories, as they’ve been promoted from “testing”:

yum install nethserver-letsencrypt letsencrypt.sh

And nethserver-base and nethsever-httpd are already at the required level. Ran the test configure, which appeared to work OK:

[root@NethServer ~]# /usr/libexec/nethserver/letsencrypt-certs -v -t
/usr/sbin/letsencrypt.sh --cron  --config /tmp/kVXVmQdrO4/config.sh  -d NethServer.BogoLinux.net
# INFO: Using main config file /tmp/kVXVmQdrO4/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing nethserver.bogolinux.net
 + Signing domains...
 + Creating new directory /tmp/kVXVmQdrO4/certs/nethserver.bogolinux.net ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for nethserver.bogolinux.net...
 + Responding to challenge for nethserver.bogolinux.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
[root@NethServer ~]#

So went ahead with the real deal:

[root@NethServer ~]# /usr/libexec/nethserver/letsencrypt-certs -v
/usr/sbin/letsencrypt.sh --cron  --config /etc/letsencrypt.sh/config.sh  -d NethServer.BogoLinux.net
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing nethserver.bogolinux.net
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/nethserver.bogolinux.net ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for nethserver.bogolinux.net...
 + Responding to challenge for nethserver.bogolinux.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
[root@NethServer ~]#

Switched to another system and ran a quick check to see what certificate was being presented:

[eddieath@IIB ~]$ openssl s_client -connect www.bogolinux.net:443
CONNECTED(00000003)
depth=0 CN = NethServer, O = BogoLinux Net, ST = CA, OU = SomeOrganizationalUnit, emailAddress = root@NethServer.BogoLinux.net, C = US, subjectAltName = *.BogoLinux.net, L = Los Angeles
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = NethServer, O = BogoLinux Net, ST = CA, OU = SomeOrganizationalUnit, emailAddress = root@NethServer.BogoLinux.net, C = US, subjectAltName = *.BogoLinux.net, L = Los Angeles
verify return:1

Certificate chain
0 s:/CN=NethServer/O=BogoLinux Net/ST=CA/OU=SomeOrganizationalUnit/emailAddress=root@NethServer.BogoLinux.net/C=US/subjectAltName=*.BogoLinux.net/L=Los Angeles
i:/CN=NethServer/O=BogoLinux Net/ST=CA/OU=SomeOrganizationalUnit/emailAddress=root@NethServer.BogoLinux.net/C=US/subjectAltName=*.BogoLinux.net/L=Los Angeles

Oops. That’s still the original self signed certificate, not the LetsEncrypt. Just for sh!ts and giggles, I restarted the httpd service:

[root@NethServer ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@NethServer ~]#

Still didn’t make any difference, still getting the original self-signed. So, digging around further, it looks like the new certificates didn’t make it into the httpd.conf:

[root@NethServer ~]# cat /etc/httpd/conf.d/ssl.conf
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
LoadModule ssl_module modules/mod_ssl.so
Listen 443

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# SSLCertificateChainFile
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex  default
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES;



[root@NethServer ~]#

A little more digging shows that they didn’t make it to the configuration DB:

[root@NethServer ~]# config show pki
pki=configuration
    CertificateDuration=3650
    ChainFile=
    CommonName=NethServer
    CountryCode=US
    CrtFile=
    EmailAddress=
    KeyFile=
    LetsEncrypt=enabled
    LetsEncryptMail=admin@BogoLinux.net
    LetsEncryptRenewDays=30
    Locality=Los Angeles
    Organization=BogoLinux Net
    OrganizationalUnitName=Main
    State=CA
    SubjectAltName=*.BogoLinux.net
[root@NethServer ~]#

Any ideas on what I missed/goofed up on?

Cheers.


After LE script has run, you should have something like this inside the pki prop:

pki=configuration

ChainFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/chain.pem
CrtFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/cert.pem
KeyFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/privkey.pem

I can’t reproduce the problem, but you could force the update of the properties in two ways.

  1. Try to execute /usr/libexec/nethserver/letsencrypt-certs -vf

  2. Or set the prop manually:

    config setprop pki ChainFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/chain.pem
    config setprop pki CrtFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/cert.pem
    config setprop pki KeyFile=/etc/letsencrypt.sh/certs/nethserver.bogolinux.net/privkey.pem
    signal-event certificate-update

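A quick check for the situation described above, added here as an example and not part of the thread or of NethServer: it parses the text of `config show pki` (a constructed sample in the same shape as the one posted, so that the check runs offline) and reports whether ChainFile, CrtFile and KeyFile are set and point at files that exist, which is what to confirm before and after the manual `config setprop` steps.

```shell
#!/bin/sh
# Added example (not the thread's or NethServer's code): verify that the pki
# props name real certificate files. SAMPLE_PKI is a constructed stand-in for
# the output of `config show pki`; on a real system use "$(config show pki)".

SAMPLE_PKI='pki=configuration
    CertificateDuration=3650
    ChainFile=
    CommonName=NethServer
    CrtFile=
    KeyFile=
    LetsEncrypt=enabled'

# pki_prop TEXT NAME -> prints the value of prop NAME (empty when unset)
pki_prop() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p"
}

# pki_missing TEXT -> prints one line per certificate prop that is empty or
# points at a non-existent file; exit status 1 if any, 0 if all three are fine
pki_missing() {
    _text=$1
    _bad=0
    for _name in ChainFile CrtFile KeyFile; do
        _val=$(pki_prop "$_text" "$_name")
        if [ -z "$_val" ]; then
            echo "$_name: unset"
            _bad=1
        elif [ ! -f "$_val" ]; then
            echo "$_name: $_val does not exist"
            _bad=1
        fi
    done
    return $_bad
}

# Run against the constructed sample: all three props are empty here, which is
# exactly the state the first post shows.
pki_missing "$SAMPLE_PKI"
```

If the script prints nothing and exits 0, the props are populated and `signal-event certificate-update` is the remaining step; otherwise the listed props are the ones to set.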

The script did create the certificates under /etc/letsencrypt.sh/certs/nethserver.bogolinux.net/ as expected. It just didn’t, as you can see, populate the pki properties.

Re-running produces the same:

[root@NethServer ~]# /usr/libexec/nethserver/letsencrypt-certs -vf
/usr/sbin/letsencrypt.sh --cron  --config /etc/letsencrypt.sh/config.sh  -d NethServer.BogoLinux.net  -x
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
Processing nethserver.bogolinux.net
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb  5 23:43:00 2017 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for nethserver.bogolinux.net...
 + Responding to challenge for nethserver.bogolinux.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
[root@NethServer ~]# config show pki
pki=configuration
    CertificateDuration=3650
    ChainFile=
    CommonName=NethServer
    CountryCode=US
    CrtFile=
    EmailAddress=
    KeyFile=
    LetsEncrypt=enabled
    LetsEncryptMail=admin@BogoLinux.net
    LetsEncryptRenewDays=30
    Locality=Los Angeles
    Organization=BogoLinux Net
    OrganizationalUnitName=Main
    State=CA
    SubjectAltName=*.BogoLinux.net
[root@NethServer ~]#

Again, the pki properties are not populated.

Cheers.


OK, I updated /usr/libexec/nethserver/letsencrypt-certs with:

    my $before = defined($tmp) ? $tmp->mtime : 0;
    print $before."\n";
    my $cmd = "$lebin $opts";

And:

    my $after = defined($tmp) ? $tmp->mtime : 0;
    print $after."\n";
    if ($before != $after) {

Guess what. Both “before” and “after” have the value “0”, hence no updates to the pki properties.

Cheers.

I think it’s a case issue. My domain name has capitalisation: NethServer.BogoLinux.net, but the directory where the certificates are stored doesn’t: /etc/letsencrypt.sh/certs/nethserver.bogolinux.net/.

So when looking for the timestamps to compare, nothing is found.

**Edit**: Not tested, but I think adding the “lc” function here should work:

my $fqdn = lc $cdb->get_value('SystemName').".".$cdb->get_value('DomainName');

Cheers.

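To make the case issue concrete, here is an added shell example (not the NethServer letsencrypt-certs script, which is Perl) that reproduces the lookup: letsencrypt.sh writes under the lowercased FQDN, so a path built from the mixed-case SystemName.DomainName finds nothing and a mtime check gets 0 both before and after, just as the prints above showed. CERTS_BASE stands in for /etc/letsencrypt.sh/certs and the directory created in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not the NethServer letsencrypt-certs script. It shows the
# effect of the case mismatch on a mtime-based "did the cert change" check
# and the lowercased lookup that avoids it.

# Stand-in for /etc/letsencrypt.sh/certs (assumption for the demo).
CERTS_BASE=${CERTS_BASE:-$(mktemp -d)}

# cert_dir SYSTEMNAME DOMAINNAME -> directory letsencrypt.sh actually uses:
# the FQDN lowercased (the shell equivalent of the Perl lc suggested above).
cert_dir() {
    _fqdn=$(printf '%s.%s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s/%s\n' "$CERTS_BASE" "$_fqdn"
}

# naive_cert_dir SYSTEMNAME DOMAINNAME -> the unnormalised path the buggy
# lookup builds; with mixed-case props it points at nothing.
naive_cert_dir() {
    printf '%s/%s.%s\n' "$CERTS_BASE" "$1" "$2"
}

# cert_mtime DIR -> mtime (epoch seconds) of DIR/cert.pem, or 0 if absent,
# mirroring the "defined($tmp) ? $tmp->mtime : 0" logic quoted above.
cert_mtime() {
    if [ -f "$1/cert.pem" ]; then
        stat -c %Y "$1/cert.pem" 2>/dev/null || stat -f %m "$1/cert.pem"
    else
        echo 0
    fi
}

# cert_changed DIR BEFORE -> success when cert.pem exists and its mtime
# differs from BEFORE; a missing file never counts as a change.
cert_changed() {
    _after=$(cert_mtime "$1")
    [ "$_after" != 0 ] && [ "$_after" != "$2" ]
}

# Demonstration with the thread's names: create the lowercased directory the
# way letsencrypt.sh would, then compare both lookups.
mkdir -p "$(cert_dir NethServer BogoLinux.net)"
echo "lowercased lookup: $(cert_dir NethServer BogoLinux.net)"
echo "naive lookup:      $(naive_cert_dir NethServer BogoLinux.net)"
```

Running the two lookups side by side with SystemName=NethServer and DomainName=BogoLinux.net gives the symptom from the thread: the naive path reports mtime 0 before and after, so no change is ever detected and the pki props stay empty, while the lowercased path sees the new cert.pem once it is written.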

This is a case for the @dev_team :construction_worker: