Using Let's Encrypt and virtual hosts

Hi,

I am using the Apache in Nethserver as a virtual host and I want to use Let’s Encrypt for these virtual hosts (Linux/Windows).
If I create a certificate for the gateway using Let’s Encrypt: No problem.
If I add an additional name using the following syntax and create a new certificate, it will fail

db hosts setprop alias.mydomain.com LetsEncrypt enabled

That it fails is due to the fact that Let’s Encrypt is doing the following:

  1. It creates a temporary file on your webserver
  2. It queries the validation from Let’s Encrypt => The Let’s Encrypt servers will try to contact your webserver and download the temporary file
  3. If the file is valid, the domain is approved
  4. 2+3 will be repeated for every domain
  5. If every domain was valid, you will receive the certificate

The Problem is now:
nethserver.mydomain.com is the certificate for the Gateway (works)
I have two virtual hosts configured in the apache:
app1.mydomain.com (Linux Webserver)
app2.mydomain.com (Windows Webserver)

When I try to create one certificate for all three domains, it will fail. The reason is that the validation query from Let’s Encrypt will be redirected to the app1 and the app2 server. The validation file is not available on those hosts, because the script placed it in the directory on the nethserver.

So, what I can do?

  1. Run Let’s Encrypt on the virtual hosts. The certificate will be successfully created, but: the virtual host has to get the pem file somehow automatically right after the certificate is created, every time. The advantage of this will be that I will not have one certificate for all my domains (that I prefer, because nobody should know that there is nethserver.mydomain.com).
  2. Get a way to let Nethserver answer the validation queries of Let’s Encrypt. I don’t have a clue how to do that and if that is possible (automatically on every renew). The negative aspect is that the nethserver.mydomain.com address will be in every certificate.

Do you have any ideas, hints, workarounds, …?
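One way to get option 2 working is to keep the reverse proxy but carve out the HTTP-01 challenge path so Apache on the NethServer box answers it itself. This is an added example, not configuration from the thread or from NethServer; the backend address 192.0.2.10:8080 and the local challenge directory /var/www/html are assumed placeholders.

```apache
# Added example (not from the thread): Apache 2.4 vhost for app1.mydomain.com.
# Everything is proxied to the backend EXCEPT /.well-known/acme-challenge/,
# which is the path Let's Encrypt fetches during HTTP-01 validation.
# Assumed placeholders: backend 192.0.2.10:8080, challenge dir /var/www/html.
<VirtualHost *:80>
    ServerName app1.mydomain.com

    # Serve the challenge tokens from the local webroot where the
    # Let's Encrypt client on this host writes them.
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory /var/www/html/.well-known/acme-challenge/>
        Options None
        Require all granted
    </Directory>

    # The exclusion must come before the catch-all ProxyPass:
    # mod_proxy applies the first matching rule.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else is forwarded to the real application server.
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10:8080/
    ProxyPassReverse / http://192.0.2.10:8080/
</VirtualHost>
```

Before requesting the certificate, drop a test file into the challenge directory and fetch http://app1.mydomain.com/.well-known/acme-challenge/test from outside: a 200 served by the NethServer Apache (not the backend) confirms the validator will reach the token; the same vhost block is needed for app2.mydomain.com.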

Hi, you can generate all files on NS and put them to other server, you can make hosts for each alias and it will be looped back to local host … and so on…

yes, but how do I exclude the nethserver.mydomain.com from the list? Or can I exclude it the same way as I include/exclude additional hosts?

And I don’t understand how to configure the loopback. I need everything being done automatically. I don’t want to update the certificates every 30 days manually.

Thus please use Wosign 3-year free SSL

@filippo_carletti may have some hint for you.

After I got my HTTP Reverse Proxy to work for HTTP and HTTPS, I will now try to solve it the following way for my IIS on Windows:
I will generate the Let’s Encrypt certificate on the Windows machine. When I have the certificate and the key file, I will upload it to a directory on the nethserver where the certificates are stored, using SCP or FTP (I currently don’t know which one I will use).
That way Windows has the ability to store the answer-file for Let’s Encrypt in the folder on the webserver.

My second web server (Linux with Tomcat) will be harder, I think. This is because it uses Tomcat, so there is no directory where the answer file can be stored (as far as I figured out), and because I am really new to using Linux systems (started with Nethserver (and a Counter-Strike server many years ago :) )).
The Linux server is not so important because just some tools for developers are running on it and nobody will care if it is down for some seconds. There is a manual on how to do this by changing the port
http://blog.ivantichy.cz/blogpost/view/74
For my Windows server changing the port, even just for a few seconds, would not be a solution because there are some real-time applications running on it. But I don’t have to do it on Windows :)

I will try this this evening. If I succeed, I will write a short summary for all Windows guys on how to do this from the beginning to the end.

I think that you may find some hints on Let’s Encrypt support forum:

I tried to configure Let’s encrypt today on the nethserver using this guide:

In the step ./letsencrypt-auto it fails during “Installing Python packages…” with this error (I think this is the first error in the long output):

c/_cffi_backend.c:13:17: error: ffi.h: No such file or directory

At the end there are additionally these two errors:

Command /root/.local/share/letsencrypt/bin/python -c "import setuptools;__file__='/tmp/pip-NB83nO-build/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-oi7Glg-record/install-record.txt --single-version-externally-managed --install-headers /root/.local/share/letsencrypt/include/site/python2.7 failed with error code 1 in /tmp/pip-NB83nO-build

UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 75: ordinal not in range(128)

I searched on many websites for a solution but found none.
I did:

sudo yum install centos-release-scl --enablerepo=extras
yum update
yum install scl-utils python27 python27-scldevel
scl enable python27 bash
sudo yum install epel-release
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum --enablerepo=ius install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv -y
sudo yum install gcc libffi-devel python-devel openssl-devel

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto

Maybe some things in there are duplicates or not necessary. Nevertheless, it’s not working.

Because Let’s Encrypt is still in beta and I hope that this issue may be solved someday by the Let’s Encrypt client, I will use my current certificates until they are close to expiring and then I will try again.

I will not do the idea I described in a previous post. It’s easier to manage it on the Apache of nethserver itself.
See https://www.shivering-isles.com/lets-encrypt-get-certifiactes-for-reverse-proxied-services/
