Updates February 2016
We would like to announce a new batch of updates for NS 6:
- Web filter antivirus whitelist: all domains added to the global whitelist are now also excluded from antivirus scan
- Line quality monitor for multiWAN: if nethserver-collectd is installed and multiWAN is configured, the system will automatically create new graphs based on line quality for each configured provider (graphs will be visible only using nethserver-collectd-web)
- SOGo has been updated to 2.3.8 release, which includes a new button for SPAM reporting (thanks to @mark_nl)
- Fixes on DHCP server (see Bug #3353: DHCP TFTP server ignored by clients)
- ClamAV has been updated to 0.99 release along with antispam signatures
- Updated language pack (thanks to @Linux4All for fixing the German translation)
- Dashboard now correctly reports last antivirus signature update
- IPSec tunnels are now supported on PPPoE red interfaces
- Mail server and mail filter minor tweaks (see Enhancement #3348: Amavis virus+spam policy tweaks and Enhancement #3347: Disable Postfix address_verify_negative_cache)
Thanks to @filippo_carletti for the work, to @dz00te and @nrauso for the QA!
Let’s Encrypt is ready for testing!
From https://letsencrypt.readthedocs.org:
The Let’s Encrypt Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.
Also:
The Let’s Encrypt Client is BETA SOFTWARE. It contains plenty of bugs and rough edges, and should be tested thoroughly in staging environments before use on production systems.
We are trying to integrate Let’s Encrypt inside NethServer: NS 6 will have partial support without a web interface (see Feature #3355: Let's Encrypt (partial) support), but we are developing a fully-featured integration for NS 7.
We need your support to design a good experience for the end user, so please test it and share your opinion!
Prerequisites for testing:
- the server must be reachable from the outside on port 80: the ACME challenge is answered over plain HTTP, so a firewall that only forwards port 443 will make the challenge fail (make sure port 80 is open to the public Internet; you can check with sites like http://www.canyouseeme.org/)
- the server must have at least one public domain name that resolves to its own public IP (make sure you have a public DNS name pointing to your server; you can check with sites like http://viewdns.info/)
When Let’s Encrypt is enabled, the system will create and automatically renew:
- one certificate for the server FQDN; all enabled server aliases are added to it as SANs (Subject Alternative Names)
- one certificate for each domain enabled inside the certificates database
Step 1
Install the packages from testing repository:
yum --enablerepo=nethserver-testing install nethserver-base nethserver-httpd
To globally enable Let’s Encrypt:
config setprop pki LetsEncrypt enabled
Step 2 (optional)
Create a server alias inside the DNS page, then enable Let’s Encrypt on server alias:
db hosts setprop alias.mydomain.com LetsEncrypt enabled
Step 3 (optional, but recommended)
Since Let’s Encrypt lets you request a certificate for the same names at most 5 times per week, let’s make sure the configuration is correct by first requesting a fake certificate from the staging server, which does not count toward the production limit. Execute:
/usr/libexec/nethserver/letsencrypt-certs -v -t
This command tries to generate a fake certificate against the Let’s Encrypt staging server. If everything goes well, the output should look like this:
INFO: Using main config file /tmp/3XhzEPg7Dt
- Generating account key…
- Registering account key with letsencrypt…
Processing test1.neth.eu
- Signing domains…
- Creating new directory /etc/letsencrypt.sh/certs/test1.neth.eu …
- Generating private key…
- Generating signing request…
- Requesting challenge for test1.neth.eu…
- Responding to challenge for test1.neth.eu…
- Challenge is valid!
- Requesting certificate…
- Checking certificate…
- Done!
- Creating fullchain.pem…
- Done!
Executing certificate-update event…
Verify that the certificate presented by every SSL-enabled service (the web server, mail services and so on) has been signed by the Let’s Encrypt staging CA. The staging CA is not trusted by browsers or mail clients, so expect a trust warning at this stage and check the issuer name rather than the trust status.
If something goes wrong, please make sure all prerequisites are met! If all prerequisites are met but something still doesn’t work, feel free to request support here.
Step 4
If you followed step 3, first clean up your system by removing the staging certificates and the staging account key (an account registered with the staging server is not valid against the production server):
rm -rf /etc/letsencrypt.sh/certs/
rm -f /etc/letsencrypt.sh/private_key.pem
Execute the following script against the real Let’s Encrypt server:
/usr/libexec/nethserver/letsencrypt-certs -v
Step 5
Done! Access your HTTP server and check that your certificate is valid.
The certificate will be automatically renewed.
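A post-issuance check you can run from a workstation, as an added example that is not part of the original post and not NethServer or Let’s Encrypt client code: it inspects the certificate a TLS service presents and reports which CA signed it (production Let’s Encrypt, the staging CA used by -t, or something else), how many days remain before the 30-day renewal window opens, and whether every expected name (server FQDN plus enabled aliases) appears in the SAN list. The host names, ports and the sample certificate dictionary are assumptions made for the example; with no arguments the script checks the constructed sample instead of a live service.

```python
"""Post-issuance check for the certificates installed by letsencrypt-certs.

Added example, not NethServer or Let's Encrypt client code. Run it with
Python 3 from any machine that can reach the server. Host names, ports and
the sample certificate below are assumptions made for the example.
"""
import socket
import ssl
import sys
import time

RENEW_DAYS = 30  # same default as the LetsEncryptRenewDays property


def rdn_fields(rdn_seq):
    """Flatten the nested tuple form of getpeercert() issuer/subject fields."""
    return {key: value for rdn in rdn_seq for (key, value) in rdn}


def san_dns_names(cert):
    """DNS names from the subjectAltName extension, lower-cased and sorted."""
    return sorted(v.lower() for (kind, v) in cert.get("subjectAltName", ())
                  if kind == "DNS")


def classify_issuer(cert):
    """Tell a production Let's Encrypt certificate from a staging one.

    Assumption: the staging CA marks itself with "Fake" or "STAGING" in its
    name, while the production intermediate carries O = "Let's Encrypt".
    """
    fields = rdn_fields(cert.get("issuer", ()))
    org = fields.get("organizationName", "")
    cn = fields.get("commonName", "")
    haystack = (org + " " + cn).lower()
    if "fake" in haystack or "staging" in haystack:
        return "staging"
    if org == "Let's Encrypt":
        return "production"
    return "other"


def check_cert(cert, expected_names, now=None):
    """Summarise issuer, remaining lifetime and SAN coverage of one certificate."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    present = san_dns_names(cert)
    missing = sorted(n.lower() for n in expected_names
                     if n.lower() not in present)
    return {
        "issuer": classify_issuer(cert),
        "days_left": days_left,
        "renew_due": days_left <= RENEW_DAYS,
        "missing_names": missing,
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the peer certificate, verifying it against the system trust store.

    A staging (-t) certificate is not trusted by the system, so this raises
    ssl.SSLCertVerificationError (Python 3.7+) for it; that failure is itself
    the signal that the staging CA, not production, signed it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "subject": ((("commonName", "test1.neth.eu"),),),
    "subjectAltName": (("DNS", "test1.neth.eu"), ("DNS", "mail.neth.eu")),
    "notBefore": "Feb 10 00:00:00 2016 GMT",
    "notAfter": "May 10 00:00:00 2016 GMT",
}


def main(argv):
    # Usage: check_le.py HOST[:PORT] NAME [NAME ...]; with no arguments the
    # constructed sample is checked instead of a live service.
    if len(argv) < 3:
        cert = SAMPLE_CERT
        names = ["test1.neth.eu", "mail.neth.eu", "www.neth.eu"]
    else:
        host, _, port = argv[1].partition(":")
        cert, names = fetch_cert(host, int(port or 443)), argv[2:]
    report = check_cert(cert, names)
    for key in ("issuer", "days_left", "renew_due", "missing_names"):
        print("%-14s %s" % (key + ":", report[key]))
    ok = report["issuer"] == "production" and not report["missing_names"]
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_le.py mail.mydomain.com:993 mail.mydomain.com webmail.mydomain.com` once step 4 is done: a non-zero exit means the issuer is not the production CA or a name is missing from the SAN list, which is exactly what you want to catch before a browser or mail client does. A staging certificate from step 3 fails the trust check inside fetch_cert, which is expected; inspect that one with `openssl s_client` instead.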
Options
You can customize the following options with the config command:
LetsEncryptMail: if set, Let’s Encrypt will send notifications about your certificate (for example expiry warnings) to this mail address. It must be set before executing the letsencrypt-certs script for the first time, because the address is registered together with the account key.
LetsEncryptRenewDays: minimum number of days before expiration at which the certificate is automatically renewed (default: 30)
Example:
config setprop pki LetsEncryptMail admin@mydomain.com