NethServer 6.7 02/16 updates & Let's Encrypt

Updates February 2016

We would like to announce a new bunch of updates for NS 6:

Thanks to @filippo_carletti for the work, to @dz00te and @nrauso for the QA!

Let’s Encrypt is ready for testing!

From https://letsencrypt.readthedocs.org:

The Let’s Encrypt Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.

Also:

The Let’s Encrypt Client is BETA SOFTWARE. It contains plenty of bugs and rough edges, and should be tested thoroughly in staging environments before use on production systems.

We are trying to integrate Let’s Encrypt inside NethServer: NS 6 will have a partial support without a web interface (Feature #3355: Let's Encrypt (partial) support - NethServer 6 - NethServer.org), but we are developing a fully-featured integration for NS 7.
We need your support to design a good experience for the end user, so please test it and share your opinion! :smile:

Prerequisites for testing:

  • the server must be reachable from outside at port 80 (make sure your port 80 is open to the public Internet, you can check with sites like http://www.canyouseeme.org/)
  • the server must have at least one public domain name associated with its own public IP
    (make sure you have a public DNS name pointing to your server, you can check with sites like http://viewdns.info/)

When Let’s Encrypt is enabled, the system will create and automatically renew:

  • one certificate for the server FQDN
  • all enabled server aliases will be added as SANs (Subject Alternative Name - Wikipedia) to the FQDN certificate
  • one certificate for each domain enabled inside the certificates database

Step 1
Install the packages from testing repository:

yum --enablerepo=nethserver-testing install nethserver-base nethserver-httpd

To globally enable Let’s Encrypt:

config setprop pki LetsEncrypt enabled

Step 2 (optional)
Create a server alias inside the DNS page, then enable Let’s Encrypt on the server alias:

db hosts setprop alias.mydomain.com LetsEncrypt enabled 

Step 3 (optional, but recommended)
Since you can request the certificate a maximum of 5 times per week, let’s make sure the configuration is correct by requesting a fake certificate. Execute:

/usr/libexec/nethserver/letsencrypt-certs -v -t 

This command will try to generate a fake certificate using the Let’s Encrypt server. If everything goes well, the output should be something like this:

INFO: Using main config file /tmp/3XhzEPg7Dt
+ Generating account key...
+ Registering account key with letsencrypt...
Processing test1.neth.eu
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/test1.neth.eu ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for test1.neth.eu...
 + Responding to challenge for test1.neth.eu...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
Executing certificate-update event...

Verify the presented certificate has been signed by the Let’s Encrypt CA on all SSL-enabled services like:

If something goes wrong, please make sure all prerequisites are met! If all prerequisites are met, but something still doesn’t work, feel free to request support here.

Step 4

If you followed step 3, first clean up your system by removing the staging certificate and account:

rm -rf /etc/letsencrypt.sh/certs/
rm -f /etc/letsencrypt.sh/private_key.pem

Execute the following script against the real Let’s Encrypt server:

/usr/libexec/nethserver/letsencrypt-certs -v 

Step 5

Done! Access your http server and check your certificate is valid.
The certificate will be automatically renewed.

Options
You can customize the following options by using the config command:

  • LetsEncryptMail: if set, Let’s Encrypt will send notifications about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!)
  • LetsEncryptRenewDays: minimum number of days before expiration to automatically renew the certificate (default: 30)

Example:

config setprop pki LetsEncryptMail admin@mydomain.com
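The prerequisites and steps above, collected into a pre-flight script you can run before and after letsencrypt-certs. This is an added example for this thread, not code from NethServer or letsencrypt.sh. It assumes GNU date, openssl, curl and glibc's getent are available (true on a stock NethServer 6), that you pass in the public IP as seen from the Internet (e.g. what canyouseeme.org reports), and it uses the /etc/letsencrypt.sh paths quoted in the post. The list of reserved TLDs it rejects is a small conservative subset, not the real public suffix list; the hostnames and IP in the usage line are placeholders.

```shell
#!/bin/sh
# le-preflight.sh: sanity checks around /usr/libexec/nethserver/letsencrypt-certs.
# Added example for this thread, not part of NethServer or letsencrypt.sh.
# Assumptions: GNU date, openssl, curl, getent; public IP supplied by the operator.

# NethServer wants the first label as Hostname and the rest as Domain,
# e.g. xxx.info.tm -> "xxx info.tm" (Hostname=xxx, Domain=info.tm).
split_fqdn() {
    fqdn=$1
    printf '%s %s\n' "${fqdn%%.*}" "${fqdn#*.}"
}

# Names the ACME server rejects with "Name does not end in a public suffix":
# single-label hosts and TLDs that are reserved or purely local.
# Conservative subset only; the authoritative list is the public suffix list.
fqdn_plausible() {
    fqdn=$1
    case $fqdn in
        *.*) ;;
        *) return 1 ;;
    esac
    tld=$(printf '%s' "${fqdn##*.}" | tr 'A-Z' 'a-z')
    case $tld in
        local|localhost|lan|home|internal|test|invalid|example) return 1 ;;
    esac
    return 0
}

# Prerequisite 2: the name must resolve to this server's public IP.
dns_points_here() {
    fqdn=$1 public_ip=$2
    resolved=$(getent ahostsv4 "$fqdn" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$resolved" ] && [ "$resolved" = "$public_ip" ]
}

# Prerequisite 1: port 80 on the public IP must answer, because the HTTP-01
# challenge is fetched from http://<fqdn>/.well-known/acme-challenge/<token>.
# Run this from outside your LAN; from inside, NAT may give a false result.
port80_answers() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://$1/")
    [ "$code" != "000" ]
}

# Step 4 asks you to remove the staging certs and account key before the real
# run; refuse to proceed while they are still there.
staging_leftovers() {
    dir=${1:-/etc/letsencrypt.sh}
    [ -d "$dir/certs" ] || [ -f "$dir/private_key.pem" ]
}

# Days until the certificate file $1 expires (negative once expired).
days_until_expiry() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    now=$(date +%s)
    expiry=$(date -d "$not_after" +%s)
    echo $(( (expiry - now) / 86400 ))
}

# The decision the cron job has to make: renew when days left <= LetsEncryptRenewDays.
renewal_due() {
    [ "$1" -le "$2" ]
}

# Step 5 check: the certificate actually served on 443 should be issued by Let's Encrypt.
issued_by_letsencrypt() {
    issuer=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null)
    case $issuer in *"Let's Encrypt"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh le-preflight.sh nethserver.example.net 203.0.113.10  (placeholders)
if [ -n "$1" ] && [ -n "$2" ]; then
    fqdn_plausible "$1" && echo "ok: $1 has a public suffix" || echo "FAIL: $1 will be rejected by the CA"
    dns_points_here "$1" "$2" && echo "ok: $1 resolves to $2" || echo "FAIL: $1 does not resolve to $2"
    port80_answers "$2" && echo "ok: port 80 answers on $2" || echo "FAIL: port 80 closed or not forwarded to NS"
    staging_leftovers && echo "WARN: staging certs/account key still present, see step 4"
    echo "Server name page values (Hostname Domain): $(split_fqdn "$1")"
    issued_by_letsencrypt "$1" && echo "ok: $1 serves a Let's Encrypt certificate"
fi
```

Run the checks once against staging-free state before step 4; the FQDN and DNS checks are cheap and do not count against the 5-per-week limit, unlike a failed real request.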

Hi @giacomo, IT WORKS :+1:

[root@nethserver ~]# rm -rf /etc/letsencrypt.sh/certs/
[root@nethserver ~]# rm -f /etc/letsencrypt.sh/private_key.pem
[root@nethserver ~]# /usr/libexec/nethserver/letsencrypt-certs -v
/usr/sbin/letsencrypt.sh --cron  --config /etc/letsencrypt.sh/config.sh  -d nethserver.itc-s.net
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing nethserver.itc-s.net
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/nethserver.itc-s.net ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for nethserver.itc-s.net...
 + Responding to challenge for nethserver.itc-s.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
Executing certificate-update event...

[root@nethserver ~]# config show pki
pki=configuration
    CertificateDuration=3650
    ChainFile=/etc/letsencrypt.sh/certs/nethserver.itc-s.net/chain.pem
    CommonName=
    CountryCode=
    CrtFile=/etc/letsencrypt.sh/certs/nethserver.itc-s.net/cert.pem
    EmailAddress=
    KeyFile=/etc/letsencrypt.sh/certs/nethserver.itc-s.net/privkey.pem
    LetsEncrypt=enabled
    LetsEncryptMail=nas@pp.ua
    LetsEncryptRenewDays=30
    Locality=
    Organization=
    OrganizationalUnitName=
    State=
    SubjectAltName=

@giacomo,
Also, we need to make a cron task for the background certificate update.

We already have it: https://github.com/NethServer/nethserver-base/commit/d5d17d76abdb46b5a40f087df8dd885c1b33620a :wink:


Hi! I wanted to try out LetsEncrypt but in Step 3 I get an error:

ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz

Details: “Error creating new authz :: Name does not end in a public suffix”

Any idea why this could have happened?

It may be related to your domain name. Could you show it to us?
You may have better luck asking in letsencrypt forum.

I created a domain that points to the public address and I can reach owncloud through the domain (I created it on freeDNS as a subdomain just to meet the requirements for LetsEncrypt). Do I maybe need to add this created domain somewhere in the nethserver configuration? At the moment when I enter the Dashboard I see under “domain” just the word I used for the domain when I installed Nethserver the first time.

You need to RENAME your NethServer with the public DNS name.
In other words, the Hostname must match the public DNS name.

Note: we may remove this requirement in the future, but LE is still in beta, we’ll wait a bit.

P.S. We need your tests, to better understand how to develop this feature. Thank you.

Ok so given the public DNS name xxx.info.tm the hostname should be xxx and the domain info.tm? Or should the whole name xxx.info.tm be the hostname?

Also I have to generate the server certificate anew after I changed the hostname and domain, right?

Hostname=xxx
Domain=info.tm

Yes, generate after the hostname change.

Ok, I did that. Now I get an error when “Responding to challenge for …”. It says “Challenge is invalid”.

I wonder if my port forwarding on the Nethserver could have something to do with it. I forwarded router:666 -> nethserver:666 -> nethserver:443 since the 443 port on the router was used by someone else. The port 80 is open in general but not forwarded anywhere (should it be?).

Yes, it MUST be forwarded to NS itself.
See the first condition:

Ok, all the web traffic will then also go to the server though, right?

Exactly :smile:

Will the clients be able to surf the web though?

That action is in no way related to the prerequisite above :wink:

Ok, I just thought that since Port 80 is HTTP Traffic any web traffic will be forwarded to the server and doesn’t reach the clients in the network.

Will there be in the future the possibility to use another port and not port 80? The problem I am running into is that the port is already forwarded to another server behind the same router (which is Windows Server), so I can’t forward it to the nethserver itself.

Maybe there is a temporary workaround to this?

It should be checked on the letsencrypt forum.

Ok thank you. I am going to try it out soon.