Henry den Hengst's picture
Henry den Hengst - Wed, 2016/03/23 - 17:20

Why not use https://letsencrypt.org/ with autorenewal. It runs stable like a rock, check https://hendric.us/

Forum: 
General
Tags: 
ssl
https
letsencrypt
Jeremy Davis's picture

Jeremy Davis - Fri, 2016/05/06 - 05:47
Yes great suggestion from both of you. FWIW "Easy way to add SSL certs to TurnKey appliances" has been in our plans for some time now. See the relevant issues on our tracker here: https://github.com/turnkeylinux/tracker/issues/382 https://github.com/turnkeylinux/tracker/issues/546

We've been watching Let's Encrypt for quite a while now. It was still in private beta when we released v14.0 so wasn't an option for us then. And whilst it appears to have been pretty stable and reliable the whole time it was in public beta; we didn't think that it would be a good idea to include a beta product (which might change with little or no warning) in v14.1.

But now that it's no longer in beta (as of about 3 weeks ago) we certainly intend to include it in v14.2! :)

Jeremy Davis's picture

Jeremy Davis - Mon, 2016/05/09 - 05:41
We intend to have it configured to auto renew. I'm not sure on the exact timeframe but we'll probably do it more regularly than required (perhaps the 60 days they recommend?) so if something goes wrong (which it shouldn't) then there is an opportunity to rectify any issues prior to it becoming critical.

I imagine that we'll use a cron job to perform the autorenewal. We have already selected a 3rd party (open source) client to do the registration/renewal. Unfortunately I can't give you any further info OTTOMH as I haven't been working on this myself.

Drew Ruggles's picture

Drew Ruggles - Sat, 2016/07/16 - 21:42

First off, this was entirely my fault, and in no way am I laying blame on anybody other than myself.

Second, I need help fixing my error, please?

I have the TKL Odoo VM running on my host machine and wanted to practice with the Let's Encrypt SSL Certificates (NOTE: This is *not* production server, but an evaluation server. If it's easier, I can re-install the VM, though I have some customizations I would like to save. I don't yet, have the TKL-BAM running on this server.)

I walked throught the instructions: https://github.com/turnkeylinux/tracker/issues/382

but when I went to "restart lighttpd", I received an error that it was not installed. So I restarted Apache (via Webmin)... probably not right, but that's what I did.

Now I can reach neither Webmin nor the website via a browser, however, I can still log in via ssh.

I haven't restarted the VM, but can if someone thinks that would work.

Any thoughts or any more information I can provide?

Thank you!

Drew

Jeremy Davis's picture

Jeremy Davis - Tue, 2016/07/19 - 04:51
Those instructions assume that the appliance you are using has the Lighttpd webserver. The Odoo appliance uses Apache, not Lighttpd, so you'll need to substitute "apache2" for "lighttpd" when you perform the stop/restart etc commands.

TBH I haven't tried Let's Encrypt yet so I'm not sure if that's the only thing that will need adjustment.

Jeremy Davis's picture

Jeremy Davis - Wed, 2016/08/03 - 05:46
I'm glad to hear that you resolved the issue and thanks tons for posting back.

FWIW as you discovered our version of python-dialog is old. Currently it is a requirement of some of our custom software (confconsole & inithooks - so if you use either of them in the future and experience weirdness that is why). TBH we need to do something about that but it has never been a major priority as it will be a fair bit of work and has generally not been much of an issue for most users. However that the situation is only going to get worse with time (as the versions drift further apart).

We intend to include the facility to use Let's Encrypt with TurnKey via a slightly different method using a third party client (which is compatible with our version of python-dialog). But it's (still) not ready yet. It will be included in v14.2 (when we get to that) but hopefully we'll release it prior to then.

Jeremy Davis's picture

Jeremy Davis - Thu, 2016/08/04 - 06:24
And confconsole is the commandline screen that displays the current IP address etc. So on a server that has been completed the firtboot config and is up and running, neither are critical.

So you should be fine, but re-initialisation may not work properly (if you ever need/want to do that). Currently the only really useful function Confconsole provides (beyond showing you the current IP) is allowing you to switch between DHCP and static IP. Depending on where your servers are running, that is probably of limited value at best - especially if you have already set a static IP (if running on a LAN) or plan to continue using DHCP (if running on Amazon etc). Worst case scenario you can still configure that, but you'll need to do it manually.

mar85's picture

mar85 - Tue, 2019/07/09 - 11:09

This forum is very helpfull!

Add new comment