Let's Encrypt for Internal Servers issues

Hi everyone,

I followed this procedure to get certs from Let’s Encrypt : https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

I did get the certs no problem, but when I look at the web page UI under System -> Certificates, they are not showing up. Also, when I try to connect to my server using https, I still get the cert not valid. So I’m guessing one step is missing. Does anyone have a clue?

Thanks

1 Like

OK looks like after a reboot it worked. However, I still can’t see the added certs in the UI. Is there a way for me to make it display in the UI?

It takes a while before the cockpit.socket uses the new certificate. IIRC it uses the new one, restart cockpit:

systemctl restart cockpit.socket

Normal.

Not normal. What’s the exact error message?

Yeah, I guessed it was since I’m not pressing the button and it is not added to whatever database or file that is used to display what must be displayed there. But still would like to have a way to force it to show up in there.

I had to reboot after I changed the config, all is fine now.

I tried that, still doesn’t show the certs in the UI.

I’m pretty sure what shows in the GUI is going to be what’s in the /etc/letsencrypt directory. You could force acme.sh to put its certs there, but I wouldn’t really recommend it. You could also install the cloudflare plugin for certbot and get the certs that way; in that case they should show up there. I don’t like certbot and avoid it when I can.

You’re probably right, I could end up deleting it by mistake and cause more confusion… But at the same time, what is confusing for someone trying to figure out what is going on is, they won’t see the certs there and wonder what the heck is going on…

The best would be for Nethserver to have built-in DNS-01 support.

I just noticed that the default cert, after installing Nethserver, is included in the UI and not part of that directory, it is in the default directory where the procedure puts all the cert files…

So it is not just a question of the certs being in the letsencrypt folder, or could be in part… I don’t know, haven’t done the test though.

Could this be your confusion? :

As per instruction on the wiki you set your default certificate configuration to
certificate: /etc/pki/tls/certs/cert.pem
chain: /etc/pki/tls/certs/chain.pem
key: /etc/pki/tls/private/privkey.pem

You received one Let’s Encrypt certificate with multiple Alternative Names; you may inspect the certificate by hitting the show button to see if all requested subdomains are included.

No that is not it. What I am talking about is, once the certificate is generated and I receive it from Let’s Encrypt, it will not show up in Nethserver’s Web UI under System -> Certificates.

Hmm, my self-signed cert shows up if dropped in /etc/pki/tls/certs/

Could it be the extensions {.crt .key} I use?

EDIT:

# ls  /etc/pki/tls/*/service.*
/etc/pki/tls/certs/service.crt  /etc/pki/tls/private/service.key

1 Like

That is a good point, could be an extension issue. I will try that and let you guys know.

Looking at the code here, it’s likely to show up with these naming conventions:

certificate: /etc/pki/tls/certs/cert.crt
chain: /etc/pki/tls/certs/cert-chain.crt
key: /etc/pki/tls/private/cert.key

In this, cert is arbitrary, as long as the name is consistent.

2 Likes
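
A quick way to audit a server against the naming convention found above, as an added example that is not part of the original posts or of NethServer's code. It assumes the pairing rule exactly as reported in this thread (NAME.crt with NAME.key, optionally NAME-chain.crt); the function name check_cert_sets and the status words are made up for the example, and the check for a key readable by other users is an extra.

```shell
#!/bin/sh
# Added example: audit certificate file sets against the naming convention
# reported in this thread (NAME.crt, NAME-chain.crt, NAME.key).
# Assumption: the pairing rule comes from the posts above, not from the UI code.

# check_cert_sets CERT_DIR KEY_DIR
# Prints "<name> <status>" for every NAME.crt and every stray *.pem:
#   ok               cert, chain and key present under the same NAME
#   ok-no-chain      cert and key present, no NAME-chain.crt (e.g. self-signed)
#   missing-key      no KEY_DIR/NAME.key
#   key-readable     key exists but is readable by "other" users
#   wrong-extension  a .pem file, the naming that did not show up in the UI
# Returns 0 only if every entry is ok or ok-no-chain.
check_cert_sets() {
    cert_dir=$1
    key_dir=$2
    rc=0
    for crt in "$cert_dir"/*.crt; do
        [ -e "$crt" ] || continue                    # glob matched nothing
        case $crt in *-chain.crt) continue ;; esac   # chains go with their cert
        name=$(basename "$crt" .crt)
        key=$key_dir/$name.key
        if [ ! -f "$key" ]; then
            st=missing-key
        elif [ -n "$(find "$key" -perm -004)" ]; then
            st=key-readable
        elif [ -f "$cert_dir/$name-chain.crt" ]; then
            st=ok
        else
            st=ok-no-chain
        fi
        case $st in ok*) ;; *) rc=1 ;; esac
        printf '%s %s\n' "$name" "$st"
    done
    for pem in "$cert_dir"/*.pem; do
        [ -e "$pem" ] || continue
        printf '%s wrong-extension\n' "$(basename "$pem")"
        rc=1
    done
    return $rc
}

# Audit the default locations when called as: sh thisfile audit
if [ "${1:-}" = audit ]; then
    check_cert_sets /etc/pki/tls/certs /etc/pki/tls/private
fi
```

Other .crt files in the same directory that are not server certificates, such as a CA bundle, will be reported as missing-key; that is expected.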

I confirm that is the solution! Thanks Mark!

@danb35 : took the liberty to update the wiki to reflect the finding in this post.

3 Likes

Hi Mark,

Nice solution.

Now, I will have to adjust some of my documentation…

Michel-André

2 Likes