Hi! Thank you for testing NethServer 8 Beta!
We’ve just recently added the entry in the manual at this link.
Just be sure to run the up to date versions:
core version should be 1.1.0 or greater
traefik module should be 0.0.13 or greater
(If you have trouble finding the core/module versions, you can find them in Software center → kebab menu on the top right, near Reload repositories → Core apps.)
Yesterday, I requested a Let’s Encrypt cert on my main server after entering the DNS (hosts), created a MAIL to LOCAL, and a Reverse Proxy for all (with the CNAME created by it) to point to the LOCAL IP.
On my main server, in the archive directory of Let’s Encrypt under rocky.toto.org, I copied the directory to my workstation and uploaded privkey1.pem and fullchain.pem to the Rocky server.
You say you uploaded these files, but the screen shot you posted indicates you uploaded account.key. If that’s the case, it would explain the error; that’s your ACME account private key, which would not correspond to any certificate you’d obtained.
No, that would not have worked. I’m referring to your earlier attempt, where you’d obtained the cert using acme.sh. The screen shot you uploaded shows that you uploaded your ACME account private key (account.key), not the private key for the cert (rocky.toto.org.key). You should never be uploading the account private key, and it’d really be pretty unusual for you to deal with it at all.
Luckily, the error reported by the UI is tightly coupled to the actual OpenSSL command run by the api-server; would you kindly run openssl rsa -check -in $KEY_FILE, replacing $KEY_FILE with the key generated by acme.sh? Thank you.
Conclusion:
rocky.toto.org.key created by acme.sh => Not an RSA key
privkey2.pem created by Let’s Encrypt => RSA key ok
In NethServer-7.9, does the last parameter of acme.sh => "/sbin/e-smith/signal-event certificate-update" transform the key files into the right format before copying them to their proper places?
Tommaso,
What are your conclusions about the results of that test?
Should I continue to use the files created by Let’s Encrypt and copied to NS8?
Try to modify the command "/sbin/e-smith/signal-event certificate-update" to do the job (this should be a little complex)?
For sure, one day the NS8 dev team will have to come up with a strategy for acme.sh for LOCAL NS8 as they did for NethServer-7.x.
Tests are needed using certificates from acme.sh, at least to figure out what’s wrong with the key (I haven’t touched the tool yet and I found out about it with this post).
Is there a specific need for this? NS8 automatically does that for you through the Request Certificate function, please clarify if the feature lacks something, feedback is always welcome!
Not sure about this due to the limited knowledge I’ve got on NS7, maybe someone with more know-how will help me figure something out.
Traefik handles by itself basically every certificate you can give it; probably this is something just related to the output of acme.sh. BTW, here’s the script that validates the key/certificates; maybe you can check the acme.sh output against these commands so we can figure out what’s wrong.
if ! openssl rsa -check -in $KEY_FILE >/dev/null 2>&1; then
is the same as the test you gave above.
Also, the first block of code deletes the uploaded certificate files:
del_certs() {
rm -f $KEY_FILE $CERT_FILE
}
Since I am on a LOCAL virtual machine, I doubt the system can request a certificate, as the challenges will not get a good response.
I remember, at some point, I allowed the certificate request and it failed.
Hoping the dev team will add some parameters to the acme.sh script to transform the certificates into the proper format and upload them the way they upload certs in the UI manager.
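A worked check, added here as an example and not part of the NS8 validation script or of acme.sh. The script's `openssl rsa -check -in $KEY_FILE` only accepts RSA keys, so the "Not an RSA key" result for rocky.toto.org.key most likely means the key is valid but uses another algorithm (recent acme.sh releases generate ECDSA keys by default unless told otherwise with --keylength 2048). The functions below identify the key algorithm instead of assuming RSA, and then confirm that the private key actually belongs to the certificate by comparing public keys. The demo data (self-signed RSA and EC pairs) is constructed inline; `openssl` in PATH is assumed, and the function and file names are mine.

```shell
#!/bin/sh
# Added example (not the NS8 api-server script): validate a PEM private key
# of any algorithm and check that it matches a PEM certificate.
# Assumes: openssl 1.1 or newer in PATH.

# Print the key's algorithm: RSA, EC, OTHER (parseable but neither), or INVALID.
# This is the replacement for the RSA-only test `openssl rsa -check`.
key_algo() {
    key_file="$1"
    if openssl rsa -check -in "$key_file" -noout >/dev/null 2>&1; then
        echo RSA
    elif openssl ec -check -in "$key_file" -noout >/dev/null 2>&1; then
        echo EC
    elif openssl pkey -in "$key_file" -noout >/dev/null 2>&1; then
        echo OTHER
    else
        echo INVALID
    fi
}

# Return 0 when the public key derived from the private key is byte-for-byte
# equal to the SubjectPublicKeyInfo embedded in the certificate.
key_matches_cert() {
    key_file="$1"; cert_file="$2"
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Validate a key/certificate pair; prints the reason on stderr when it fails.
validate_pair() {
    key_file="$1"; cert_file="$2"
    algo=$(key_algo "$key_file")
    case "$algo" in
        RSA|EC) ;;
        *) echo "key is not a usable private key ($algo)" >&2; return 1 ;;
    esac
    if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
        echo "certificate is not a PEM X.509 certificate" >&2; return 1
    fi
    if ! key_matches_cert "$key_file" "$cert_file"; then
        echo "private key does not match certificate ($algo key)" >&2; return 1
    fi
    echo "ok: $algo key matches certificate"
}

# Constructed demo data: one self-signed RSA pair and one self-signed EC pair
# (the EC key stands in for what acme.sh produces by default).
make_demo_pairs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rsa.key" \
        -out "$dir/rsa.crt" -days 1 -subj "/CN=rsa.example" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
    openssl req -x509 -new -key "$dir/ec.key" -out "$dir/ec.crt" \
        -days 1 -subj "/CN=ec.example" >/dev/null 2>&1
}

# Usage: sh check_pair.sh KEY_FILE CERT_FILE
if [ "$#" -eq 2 ]; then
    validate_pair "$1" "$2"
fi
```

Running `key_algo` on the acme.sh key tells you which branch it falls into; if it prints EC, the key is fine and only the RSA-only check in the upload script rejects it. The public-key comparison is the check worth keeping in any upload path, because it catches the account.key mix-up discussed earlier in the thread: an ACME account key never matches the certificate, whatever its algorithm.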