Henry den Hengst - Wed, 2016/03/23 - 17:20
Why not use https://letsencrypt.org/ with autorenewal. It runs stable like a rock, check https://hendric.us/
better than self-signed certs
Seconded, letsencrypt can be used to generate TLS/SSL certs that will be accepted by browsers without the warning page caused by self-signed certs.
This would be a useful improvement.
Sorry I missed this post previously!
We've been watching Let's Encrypt for quite a while now. It was still in private beta when we released v14.0 so wasn't an option for us then. And whilst it appears to have been pretty stable and reliable the whole time it was in public beta; we didn't think that it would be a good idea to include a beta product (which might change with little or no warning) in v14.1.
But now that it's no longer in beta (as of about 3 weeks ago) we certainly intend to include it in v14.2! :)
yay!
I'm happy to hear about that, and am looking forward to it.
One thing to note, LetsEncrypt certs only last 90 days, so there will need to be an automated renewal mechanism.
Here's the rationale for the 90-day limit: https://letsencrypt.org/2015/11/09/why-90-days.html
I haven't found any winning documentation on autorenewal but I've only done 5 minutes of searching. I know there are a number of cron-based methods.
Yes it will auto renew
I imagine that we'll use a cron job to perform the autorenewal. We have already selected a 3rd party (open source) client to do the registration/renewal. Unfortunately I can't give you any further info OTTOMH as I haven't been working on this myself.
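The renewal check a cron job like the one described above has to make, written up as an added example (not TurnKey's client and not code from this thread). It assumes GNU date as shipped on Debian, certbot's default of renewing once fewer than 30 days of a 90-day certificate remain, and a constructed expiry date in the format printed by "openssl x509 -enddate -noout -in cert.pem".

```shell
#!/bin/sh
# Added example: decide whether a Let's Encrypt certificate is due for renewal,
# the way an unattended cron job would. Not part of the original thread.
# Assumptions: GNU date (Debian), 90-day certificates, certbot's default
# threshold of renewing when fewer than 30 days remain.

RENEW_THRESHOLD_DAYS=30

# days_left NOTAFTER_LINE NOW_EPOCH
#   NOTAFTER_LINE is the "notAfter=..." line from "openssl x509 -enddate -noout".
#   Prints the whole days until expiry (negative once the cert has expired).
days_left() {
    end="${1#notAfter=}"
    end_epoch=$(date -u -d "$end" +%s)
    echo $(( (end_epoch - $2) / 86400 ))
}

# needs_renewal NOTAFTER_LINE NOW_EPOCH
#   Succeeds (exit 0) when the renewal should run now.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Constructed sample: a certificate issued 2016-03-23 with a 90-day lifetime,
# so it expires on 2016-06-21.
SAMPLE_NOTAFTER="notAfter=Jun 21 17:20:00 2016 GMT"

# Crontab line such a job would live under: try twice a day (certbot only acts
# when the threshold is reached) and reload Apache after a successful renewal.
#   17 3,15 * * * certbot renew --quiet --post-hook "service apache2 reload"

# Stand-alone run: report the state of the sample certificate as of right now.
if needs_renewal "$SAMPLE_NOTAFTER" "$(date -u +%s)"; then
    echo "renewal due ($(days_left "$SAMPLE_NOTAFTER" "$(date -u +%s)") days left)"
else
    echo "no renewal needed ($(days_left "$SAMPLE_NOTAFTER" "$(date -u +%s)") days left)"
fi
```

Running the job twice daily rather than once every 60 days is deliberate: if Let's Encrypt is unreachable on one attempt, there are still many more attempts before the certificate actually expires.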
Excellent, thanks so much
Excellent, thanks so much for your hard work!
I hosed my server trying to install Let's Encrypt
First off, this was entirely my fault, and in no way am I laying blame on anybody other than myself.
Second, I need help fixing my error, please?
I have the TKL Odoo VM running on my host machine and wanted to practice with the Let's Encrypt SSL Certificates (NOTE: This is *not* a production server, but an evaluation server. If it's easier, I can re-install the VM, though I have some customizations I would like to save. I don't yet have TKL-BAM running on this server.)
I walked through the instructions: https://github.com/turnkeylinux/tracker/issues/382
but when I went to "restart lighttpd", I received an error that it was not installed. So I restarted Apache (via Webmin)... probably not right, but that's what I did.
Now I can reach neither Webmin nor the website via a browser, however, I can still log in via ssh.
I haven't restarted the VM, but can if someone thinks that would work.
Any thoughts or any more information I can provide?
Thank you!
Drew
Odoo doesn't have Lighttpd
TBH I haven't tried Let's Encrypt yet so I'm not sure if that's the only thing that will need adjustment.
issue installing certbot / letsencrypt on turnkey appliance
I've been trying to install Certbot (letsencrypt client) on my turnkey appliance. (it's a Joomla3 appliance). I followed the instructions here: https://certbot.eff.org/#debianjessie-apache
Everything appears to install fine, but then I get these messages when trying to run any certbot command:
root@joomla3 ~# certbot
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2927, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2913, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2940, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 635, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 943, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 829, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'python2-pythondialog>=3.2.2rc1' distribution was not found and is required by certbot
I believe this to already be installed.
Any suggestions?
Thank you, Ryan
I think the same issue is mentioned here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818587
but I'm unsure about the fix mentioned.
reinstalling does not help
I tried to reinstall python-dialog; it did not help. I noticed that the .deb used was from turnkey. I wonder if I got one from the main debian repositories whether it would work better, and how would I do that?
apt-get install --reinstall python-dialog
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 34.4 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.turnkeylinux.org/debian/ jessie/main python-dialog amd64 2.7-1turnkey+9+g97403e1 [34.4 kB]
Fetched 34.4 kB in 0s (1146 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 30473 files and directories currently installed.)
Preparing to unpack .../python-dialog_2.7-1turnkey+9+g97403e1_amd64.deb ...
Unpacking python-dialog (2.7-1turnkey+9+g97403e1) over (2.7-1turnkey+9+g97403e1) ...
Processing triggers for python-support (1.0.15) ...
Setting up python-dialog (2.7-1turnkey+9+g97403e1) ...
Processing triggers for python-support (1.0.15) ...
Counting objects: 1526, done.
Compressing objects: 100% (942/942), done.
Writing objects: 100% (1526/1526), done.
Total 1526 (delta 96), reused 1526 (delta 96)
solved: issue installing certbot / letsencrypt on turnkey applian
Well... after working about 3/4 of a day I broke down and posted the question above, then in about 30 more mins, I figured it out. I guess the questions were what I needed to get the answers.
For some reason the package python-dialog that is from the turnkey archive is not compatible or not as up-to-date as the one in the debian main archive.
What I did was comment out the turnkey archive in the sources.list file and then ran
apt-get update
apt-get upgrade python-dialog
it finds an update for the package and installs it; after that certbot ran for me.
FYI, I've not tried to actually generate the cert yet
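The "comment out the turnkey archive" step from the post above, as an added example so the edit is repeatable and checkable rather than done by hand in an editor. This is not TurnKey's code or the poster's; it assumes GNU sed, the archive host seen in the apt output earlier in the thread (archive.turnkeylinux.org), and a constructed three-line sources.list.

```shell
#!/bin/sh
# Added example, not from the thread: comment out every "deb"/"deb-src" line
# for one archive host in a sources.list and report how many sources remain.
# Assumes GNU sed. Reads the sources list on stdin, writes the result on stdout,
# so the real file is only touched if you redirect it yourself.

# disable_archive HOST < sources.list > sources.list.new
disable_archive() {
    # Escape dots so the host matches literally, not as a regex wildcard.
    host=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -E "s|^[[:space:]]*(deb(-src)?[[:space:]]+[^[:space:]]*${host}.*)$|# \\1|"
}

# enabled_sources < sources.list -> number of uncommented deb/deb-src lines
enabled_sources() {
    grep -c -E '^[[:space:]]*deb(-src)?[[:space:]]' || true
}

# Constructed sample sources.list (the hosts are the ones a jessie-based
# TurnKey appliance would list; the exact lines are made up for this example).
SAMPLE_SOURCES='deb http://archive.turnkeylinux.org/debian jessie main
deb http://httpredir.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main'

# Stand-alone run: show the edited list and the before/after source counts.
printf '%s\n' "$SAMPLE_SOURCES" | disable_archive archive.turnkeylinux.org
echo "enabled before: $(printf '%s\n' "$SAMPLE_SOURCES" | enabled_sources)"
echo "enabled after:  $(printf '%s\n' "$SAMPLE_SOURCES" | disable_archive archive.turnkeylinux.org | enabled_sources)"
```

Before and after the change, "apt-cache policy python-dialog" shows which archive each available version comes from and which one apt will pick; that is the quickest way to confirm the upgrade candidate is now the Debian build. Disabling the whole archive also stops updates for every other TurnKey package, so re-enable it once the package is upgraded (or use an apt pin under /etc/apt/preferences.d/ for just that one package).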
Thanks for posting
FWIW as you discovered our version of python-dialog is old. Currently it is a requirement of some of our custom software (confconsole & inithooks - so if you use either of them in the future and experience weirdness that is why). TBH we need to do something about that but it has never been a major priority as it will be a fair bit of work and has generally not been much of an issue for most users. However, the situation is only going to get worse with time (as the versions drift further apart).
We intend to include the facility to use Let's Encrypt with TurnKey via a slightly different method using a third party client (which is compatible with our version of python-dialog). But it's (still) not ready yet. It will be included in v14.2 (when we get to that) but hopefully we'll release it prior to then.
thanks for the info
Yeah, I thought there might be unintended consequences for updating that package. However, it serves me for now. I'm currently using a LAMP image and a Joomla3 image. I'm not sure how those might use confconsole &/or inithooks.
Looking forward to the built-in Letsencrypt integration.
Inithooks is the firstboot scripts
So you should be fine, but re-initialisation may not work properly (if you ever need/want to do that). Currently the only really useful function Confconsole provides (beyond showing you the current IP) is allowing you to switch between DHCP and static IP. Depending on where your servers are running, that is probably of limited value at best - especially if you have already set a static IP (if running on a LAN) or plan to continue using DHCP (if running on Amazon etc). Worst case scenario you can still configure that, but you'll need to do it manually.
thank you
thank you!
helpful!
This forum is very helpful!