VirtualHosts and updating Let's Encrypt certs

NethServer Version: 7.6.1810 (final)
Module: Server Certificate

Hello Everyone!

I’m trying to confirm that Let’s Encrypt is actually updating my Virtual Host’s certificate, and I think it’s not doing it.

I have 5 VirtualHosts. When I run “config show pki” I get (trimmed output):

LetsEncrypt=disabled
LetsEncryptDomains=domain1.com

So it looks like it’s just updating one. In /var/log/letsencrypt/letsencrypt.log I see that certbot runs only for domain1.com.

BTW, in “Server Certificate”, I have all the Let’s Encrypt certs, properly assigned to all Virtual Hosts. Firefox says the certificates are the right ones. In “Virtual Hosts”, the proper (Let’s Encrypt) certificates are chosen.

Is there any other configuration I have to do to update them?

Thanks for all your support and for making NethServer.

Cheers

Have you seen the following description of installing Let’s Encrypt?

But don’t forget, it’s a template system: create a custom template for the vhost configuration.

Do your Virtual Hosts use a different certificate than the main server cert? And if so, why?

If HTTPS works on the virtual hosts, and you haven’t configured separate certificates for them, you can safely conclude that the main server cert covers them as well. If you want to confirm that, run certbot certificates and see what it says.

1 Like

Hmmm… I installed different certificates for different virtualhosts, because they are different clients or webpages. It makes sense to make one cert per virtualhost. Do you think it’s better to make one big certificate with all the FQDNs and use it for all virtualhosts? Why?

Thanks!

It’s certainly simpler. One cert for everything, Neth renews it automatically, you’re good. It’s what I do, FWIW, but I’m not hosting for anyone but myself. The only real downside I see is that if a visitor to site1 actually views the certificate, they’ll see that it also covers site2 and site3. That doesn’t hurt anything, particularly, but it may expose information you don’t want to expose.

Now, if you wanted to use an EV cert for one of the virtual hosts, that would be a different issue–but the value of EV certs is highly questionable in any event.

Thanks. I read it. That blog entry describes how to install and configure Let’s Encrypt on CentOS 6 and 7, but it doesn’t say anything about doing it with NethServer’s infrastructure (for example, about /usr/libexec/nethserver/letsencrypt-certs ). I think I have the idea of how to do it manually. What’s the best way to do it with NethServer?

I find it weird to have one such big cert, but I’ll think about it. Maybe there’s nothing wrong with it and you’re right.

Thanks!

The only real issue is that management (adding or removing hostnames to/from the cert) is a little cumbersome with either the Neth server manager or certbot at the command line. If I use the server manager, I have to enter every hostname I want. If I use certbot, I need to feed it -d flags with every hostname I want. It seems you should be able to do something like certbot expand --cert-name foo.bar.baz -d new.hostname.tld and have new.hostname.tld added to the other FQDNs already on the cert–but it doesn’t work that way.

You can reduce the size of the cert by using wildcards, but those require DNS validation, which Neth doesn’t support through the GUI.

Perhaps the approach of @mrmarkuz could help you understand how it works:

It is not about the certificate, but about changing the vhost configuration for each vhost.

I think you can adapt the function to your needs.

Thank you @m.traeumner . I think I found what I was looking for: there’s a systemd certbot-renew service that should renew all of them, and it seems enabled. I’m waiting for the certificates to be 61 days old, to see if they get updated by it. I’ll post my results for future reference if it works.

Cheers

1 Like
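The thread keeps coming back to two questions: which hostnames does each certificate actually cover, and is renewal really happening before the certs run out? The script below is an added example, not code from the thread or from NethServer's own tooling. It reads the `SSLCertificateFile` directives out of a vhost config directory, lists each certificate's SAN hostnames, and flags any cert with 30 days or less left (certbot's default renewal point), which is the condition you would see if the renew service were not touching a vhost cert. It runs entirely offline against a constructed config and a throwaway self-signed cert; the `/etc/httpd/conf.d` path you would point it at on a real box is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit which certificate files the
# Apache vhosts reference, show the hostnames each cert covers, and check how
# long each has left. Uses a constructed config directory and a throwaway
# self-signed certificate so it runs offline; on a real NethServer box you
# would pass /etc/httpd/conf.d (assumed path) to report instead.

# Print the unique SSLCertificateFile paths referenced by vhost configs in $1.
vhost_cert_files() {
    grep -rh '^[[:space:]]*SSLCertificateFile[[:space:]]' "$1" \
        | awk '{ print $2 }' | sort -u
}

# Print the DNS names from a certificate's subjectAltName, space separated.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | xargs
}

# Exit 0 if certificate $1 is still valid $2 days from now, 1 otherwise
# (certbot renews when fewer than 30 days remain, so 30 is the threshold
# a healthy renewal setup should always clear).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo data: one vhost config and a 90-day self-signed cert with
# two SAN entries. Prints the directory it created.
make_demo() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = site1.example
[v3]
subjectAltName = DNS:site1.example, DNS:site2.example
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    mkdir "$dir/conf.d"
    cat > "$dir/conf.d/site1.conf" <<EOF
<VirtualHost *:443>
    ServerName site1.example
    SSLEngine on
    SSLCertificateFile $dir/cert.pem
    SSLCertificateKeyFile $dir/key.pem
</VirtualHost>
EOF
    echo "$dir"
}

# For every cert the vhosts in $1 use: show its SANs and whether it still has
# more than 30 days left. A cert failing that check is one renewal is skipping.
report() {
    for f in $(vhost_cert_files "$1"); do
        printf '%s\n  covers: %s\n' "$f" "$(cert_sans "$f")"
        if cert_valid_for_days "$f" 30; then
            echo "  ok: more than 30 days left"
        else
            echo "  WARNING: 30 days or less left; this cert is not being renewed"
        fi
    done
}

demo=$(make_demo)
report "$demo/conf.d"
rm -rf "$demo"
```

Run it after a renewal cycle rather than once: a cert that keeps showing the same `notAfter` while its siblings advance is the one the renew service is not handling, regardless of what the Server Certificate page shows.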