Using Let's Encrypt and virtual hosts

Support
1

Hi,

I am using the Apache in Nethserver as a virtual host and I want to use Let’s Encrypt for this virtual hosts (Linux/Windows).
If I create a certificate for the gateway using Let’s Encrypt: No Problem.
If I add an addional name using the following Syntax and create a new certificate, it will fail

db hosts setprop alias.mydomain.com LetsEncrypt enabled

That is fails, is due to the fact, that Let’s Encrypt is doing the following:

  1. It creates a temporary file on your webserver
  2. It queries the validation from Let’s Encrypt => The Let’s Encrypt servers will try to contact your webserver and download the temporary file
  3. If the file is valid, the domain is approved
  4. 2+3 will be repeated for every domain
  5. if every domain was valid, you will receive the certificate

The Problem is now:
nethserver.mydomain.com is the certificate for the Gateway (works)
I have two virtual hosts configured in the apache:
app1.mydomain.com (Linux Webserver)
app2.mydomain.com (Windows Webserver)

When I try to create one certificate for all three domains, it will fail. The reason is, that the validation-query from let’s encrypt will be redirected to the the app1 and the app2 server. The validation-file is not available on that hosts, because the script placed in the directory on the nethserver.

So, what I can do?

  1. Run let’s encrypt on the virtual hosts. The certificate will be successfully created, but: The virtualhost has to get the pem-file somehow automatically right after the certificate is created everytime. The advantage of this will be, that I will not have one certificate for all my domains (that I prefere, because nobody should know, that there is nethserver.mydomain.com).
  2. Get a way to let Nethserver answer the validation-queries of Let’s Encrypt. I don’t have a clou how to do that and if that is possible (automatically on every renew). The negative aspect is, that the nethserver.mydomain.com-address will be in every certificate.

Do you have any Ideas, hints, workarounds, …?

2

Hi, you can generate all files on NS and put them to other server, you can make hosts for each alias and it will be looped back to local host … and so on…

3

yes, but how do I exclude the nethserver.mydomain.com from the list? Or can I exclude it the same way as I include/exclude additional hosts?

And I don’t understand how to configure the loopback. I need everything beeing done automatically. I don’t want do update the certificates every 30 days manually.

4

Thus please use Wosign 3 year free ssl

5

@filippo_carletti may have some hint for you.

6

After I got my HTTP Reverse Proxy to work for HTTP and HTTPS, I will now try to solve it the following way for my IIS on Windows:
I will generate the Let’s Encrypt certificate on the Windows machine. When I got the certificate and the keyfile, I will upload it to a directory on the nethserver, where the certificates are stored using SCP or FTP (currently not know which one I will use).
That way Windows has the ability to store the answer-file for Let’s Encrypt in the folder on the webserver.

My second Webserver (Linux with Tomcat) will be harder I think. This is because it uses Tomcat - so there is no directory where the answerfile can be stored (as far as I figured out) and because I am really new to using Linux Systems (started with Nethserver (and a Counter-Strinke Server many years ago :slight_smile: )).
The Linux Server is not so important because just some tools for developers are running on it and nobody will care if it is down for some seconds. There is a manual how to do this by changing the port
http://blog.ivantichy.cz/blogpost/view/74
For my Windows-Server changing the port - even just for a few seconds - would not be a solution because there are some realtime-Applications running on it. But I don’t have to do it on Windows :slight_smile:

I will try this in the today evening. If I succeed, I will write a short summary for all Windows-Guys how to do this from the beginning to the end.

7

I think that you may find some hints on Let’s Encrypt support forum:

8

I tried to configure Let’s encrypt today on the nethserver using this guide:

In Step ./letsencrypt-auto it fails during “Installing Python packages…” it fails with this error (I think this is the first error in the long output):

c/_cffi_backend.c:13:17: error: ffi.h: No such file or directory

at the End there are additionally this two errors:

Command /root/.local/share/letsencrypt/bin/python -c "import setuptools;__file__='/tmp/pip-NB83nO-build/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-oi7Glg-record/install-record.txt --single-version-externally-managed --install-headers /root/.local/share/letsencrypt/include/site/python2.7 failed with error code 1 in /tmp/pip-NB83nO-build

UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 75: ordinal not in range(128)

I searched on many websites for a solutions but found no one.
I did:

sudo yum install centos-release-scl --enablerepo=extras
yum update
yum install scl-utils python27 python27-scldevel
scl enable python27 bash
sudo yum install epel-release
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum --enablerepo=ius install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv -y
sudo yum install gcc libffi-devel python-devel openssl-devel

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto

Maybe some things in there are duplicates or not necessary. Never the less, it’s not working.

Because Let’s Encrypt is still in Beta and I hope that this issue may be solved someday by Let’s Encrypt client, I will use my current certificates until they are close to expire and then I will try again.

I will not do the idea I described in a previous thread. Its easier to manage it on the Apache of nethserver itself.
See https://www.shivering-isles.com/lets-encrypt-get-certifiactes-for-reverse-proxied-services/

1 Like