
Install letsencrypt on Ysul
Closed, Resolved (Public)

Description

We should install the Let's Encrypt Python client, letsencrypt, on Ysul for certificate generation and lease operations.

Event Timeline

dereckson claimed this task.
dereckson raised the priority of this task from to Normal.
dereckson updated the task description. (Show Details)
dereckson added a project: Servers.
dereckson added a subscriber: Sandlayth.

Installation log

Nov 12 22:44:14 ysul pkg: py27-asn1-0.1.8,1 installed
Nov 12 22:44:14 ysul pkg: py27-idna-2.0 installed
Nov 12 22:44:14 ysul pkg: py27-ipaddress-1.0.14 installed
Nov 12 22:44:14 ysul pkg: py27-cryptography-1.0.2_2 installed
Nov 12 22:44:14 ysul pkg: py27-openssl-0.15.1 installed
Nov 12 22:44:14 ysul pkg: py27-pyrfc3339-0.2 installed
Nov 12 22:44:15 ysul pkg: py27-zope.interface-4.1.2 installed
Nov 12 22:44:15 ysul pkg: py27-zope.event-3.5.2_1 installed
Nov 12 22:44:15 ysul pkg: py27-werkzeug-0.10.4 installed
Nov 12 22:44:15 ysul pkg: py27-ndg_httpsclient-0.4.0_1 installed
Nov 12 22:44:15 ysul pkg: py27-mock-1.0.1_1 installed
Nov 12 22:44:16 ysul pkg: py27-psutil-3.2.2 installed
Nov 12 22:44:16 ysul pkg: py27-parsedatetime-1.4 installed
Nov 12 22:44:16 ysul pkg: py27-configobj-5.0.6_1 installed
Nov 12 22:44:16 ysul pkg: py27-zope.component-3.12.1 installed
Nov 12 22:44:16 ysul pkg: py27-acme-0.0.0.d20151104 installed
Nov 12 22:44:16 ysul pkg: py27-python2-pythondialog-3.3.0 installed
Nov 12 22:44:16 ysul pkg: py27-configargparse-0.9.3 installed
Nov 12 22:44:17 ysul pkg: py27-letsencrypt-0.0.0.d20151104 installed

Strange note

Note: The client currently requires the ability to bind on TCP port 80. If
you have a server running on this port, it will need to be temporarily stopped
so that the standalone server can listen on that port to complete
authentication.

Let's test the official auto client.

Installation log

Nov 12 22:51:46 ysul pkg: git upgraded: 2.6.2 -> 2.6.3
Nov 12 22:51:47 ysul pkg: augeas-1.4.0 installed

Compilation of the main software is pending.

T606 gives a good working procedure for nginx, and allowed us to contact the service and get the key/config files.

We're deploying that directly on Ysul.

Configuration files

We recovered the configuration folder /usr/local/jails/letsencrypt/usr/local/etc/letsencrypt.

The nginx vhosts that will receive Let's Encrypt certificates can use "include includes/letsencrypt.conf;", which is defined at P150.

Test run

$ setenv DOMAINS "-d wiki.nasqueron.org"
$ setenv DIR /var/letsencrypt-auto
$ mkdir -p $DIR
$ letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR $DOMAINS
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/wiki.nasqueron.org/fullchain.pem.
   Your cert will expire on 2016-04-04. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Result certificate

This certificate has been verified for the following usages:

SSL Server Certificate

Issued To

Common Name (CN)	wiki.nasqueron.org
Organization (O)	<Not Part Of Certificate>
Organizational Unit (OU)	<Not Part Of Certificate>
Serial Number	01:9A:E6:51:5F:7F:D1:16:CF:EC:DA:92:D0:9F:40:02:FD:1F

Issued By

Common Name (CN)	Let's Encrypt Authority X1
Organization (O)	Let's Encrypt
Organizational Unit (OU)	<Not Part Of Certificate>

Validity Period

Issued On	Tuesday, January 5, 2016 at 5:56:00 PM
Expires On	Monday, April 4, 2016 at 6:56:00 PM

Fingerprints

SHA-256 Fingerprint	7B AB 98 ED DA AC 09 FD F8 19 0E 37 F2 06 AA DB 0F EC 10 34 1D 4D 04 64 C4 F1 F3 C4 86 67 DC 65
SHA-1 Fingerprint	F6 F5 FF 95 3C 01 C5 35 2B C2 7C B7 2E E7 94 93 91 71 D2 98

SSL server test by Qualys SSL Labs

Grade A - https://www.ssllabs.com/ssltest/analyze.html?d=wiki.nasqueron.org&s=212.83.187.132&latest

How to add Let's Encrypt support to a new site

When a vhost is created through TC2, use +letsencrypt to add the P151 block. Don't use +ssl.

After a reload of nginx, launch the Let's Encrypt client: letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/letsencrypt-auto -d <your domain>.

Then, edit the vhost and uncomment the SSL instructions. Finally, reload again. These last two steps could be automated.
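The following script is an added example, not code from this task, from P150/P151 or from the Nasqueron configuration. It strings the procedure above together (the challenge include for nginx, the webroot issuance from the test run, then enabling the SSL directives and reloading) and automates the last two steps. Two things are assumptions: that the vhost produced with +letsencrypt keeps its SSL directives commented out with a "#ssl# " prefix (the real P151 block is not shown here), and that includes/letsencrypt.conf only has to expose /.well-known/acme-challenge/ from the webroot, which is what the webroot authenticator needs. The vhost used for the self-check is constructed for the example. It is POSIX sh rather than the csh used interactively above, so it can run from cron or a deploy hook.

```shell
#!/bin/sh
# Added example (not from the DevCentral task): obtain a Let's Encrypt
# certificate with the webroot authenticator, then enable the SSL
# directives in the vhost only once the certificate actually exists.
# Assumption: SSL lines in the generated vhost carry a "#ssl# " prefix
# (hypothetical marker, the real P151 paste is not shown on the task).

LE_SERVER="https://acme-v01.api.letsencrypt.org/directory"
WEBROOT="/var/letsencrypt-auto"
LE_LIVE="/usr/local/etc/letsencrypt/live"

# Body of includes/letsencrypt.conf as assumed here (not the real P150):
# only the challenge directory is served from the shared webroot, with
# "root" rather than "alias" so the URI maps straight onto
# $WEBROOT/.well-known/acme-challenge/<token>, the layout the webroot
# plugin writes.
acme_challenge_include() {
    cat <<EOF
# Serve ACME HTTP-01 challenges from the shared webroot.
location ^~ /.well-known/acme-challenge/ {
    root $WEBROOT;
    default_type "text/plain";
}
EOF
}

# Constructed sample vhost in the assumed marker style, used for self-checks.
sample_vhost() {
    cat <<'EOF'
server {
    listen 80;
    server_name wiki.example.org;
    include includes/letsencrypt.conf;
    #ssl# listen 443 ssl;
    #ssl# ssl_certificate /usr/local/etc/letsencrypt/live/wiki.example.org/fullchain.pem;
    #ssl# ssl_certificate_key /usr/local/etc/letsencrypt/live/wiki.example.org/privkey.pem;
}
EOF
}

# Drop the "#ssl# " marker (keeping indentation) from a file or stdin.
# Pure text transform, so it can be checked without nginx installed.
enable_ssl_directives() {
    sed 's/^\([[:space:]]*\)#ssl# /\1/' "$@"
}

# 0 when live/<domain>/fullchain.pem exists and is valid for at least one
# more day; openssl -checkend exits non-zero when it is about to expire.
cert_ready() {
    pem="$LE_LIVE/$1/fullchain.pem"
    [ -s "$pem" ] && openssl x509 -checkend 86400 -noout -in "$pem" >/dev/null 2>&1
}

# Same invocation as the test run above, parameterised on the domain.
request_cert() {
    mkdir -p "$WEBROOT"
    letsencrypt certonly --server "$LE_SERVER" -a webroot \
        --webroot-path="$WEBROOT" -d "$1"
}

# Full sequence for one vhost. nginx -t guards the reload: if the SSL
# directives point at files that are missing, the previous vhost is put
# back so nginx keeps serving instead of failing to reload.
enable_site_ssl() {
    domain="$1"; vhost="$2"
    cert_ready "$domain" || request_cert "$domain" || return 1
    cp "$vhost" "$vhost.bak" || return 1
    enable_ssl_directives "$vhost.bak" > "$vhost"
    if nginx -t >/dev/null 2>&1; then
        rm -f "$vhost.bak"
        service nginx reload
    else
        mv "$vhost.bak" "$vhost"
        echo "nginx -t failed, vhost left unchanged: $vhost" >&2
        return 1
    fi
}

# Usage: ./le-enable.sh <domain> <vhost file>   (only acts when given both)
if [ "$#" -eq 2 ]; then
    enable_site_ssl "$1" "$2"
fi
```

The order matters: the challenge include must be live (first reload) before certonly runs, and the "listen 443 ssl" lines must stay commented until fullchain.pem exists, otherwise the reload that follows fails and the site goes down with it, which is why the page says not to use +ssl at creation time.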