Henry den Hengst:

Why not use https://letsencrypt.org/ with autorenewal? It runs as stable as a rock; check https://hendric.us/

GMo:

Seconded, letsencrypt can be used to generate TLS/SSL certs that will be accepted by browsers without the warning page caused by self-signed certs.

This would be a useful improvement.

Jeremy Davis:

Yes great suggestion from both of you. FWIW "Easy way to add SSL certs to TurnKey appliances" has been in our plans for some time now. See the relevant issues on our tracker here: https://github.com/turnkeylinux/tracker/issues/382 https://github.com/turnkeylinux/tracker/issues/546

We've been watching Let's Encrypt for quite a while now. It was still in private beta when we released v14.0, so it wasn't an option for us then. And whilst it appears to have been pretty stable and reliable the whole time it was in public beta, we didn't think that it would be a good idea to include a beta product (which might change with little or no warning) in v14.1.

But now that it's no longer in beta (as of about 3 weeks ago) we certainly intend to include it in v14.2! :)

GMo:

I'm happy to hear about that, and am looking forward to it.

One thing to note, LetsEncrypt certs only last 90 days, so there will need to be an automated renewal mechanism.

Here's the rationale for the 90-day limit: https://letsencrypt.org/2015/11/09/why-90-days.html

I haven't found any winning documentation on autorenewal but I've only done 5 minutes of searching. I know there are a number of cron-based methods.

Jeremy Davis:

We intend to have it configured to auto renew. I'm not sure on the exact timeframe but we'll probably do it more regularly than required (perhaps the 60 days they recommend?) so if something goes wrong (which it shouldn't) then there is an opportunity to rectify any issues prior to it becoming critical.

I imagine that we'll use a cron job to perform the autorenewal. We have already selected a 3rd party (open source) client to do the registration/renewal. Unfortunately I can't give you any further info OTTOMH as I haven't been working on this myself.
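The cron-driven renewal discussed above, as an added example (not code from this thread or from TurnKey's own Let's Encrypt integration). It reads the certificate's end date with `openssl x509 -enddate`, decides whether renewal is due using a 30-day window (so a 90-day certificate is renewed around day 60, leaving time to notice a failure), and then runs the renewal client followed by a restart of whichever web server is present (apache2 on the Odoo appliance, lighttpd elsewhere, as noted later in the thread). The certificate path and the renewal client command are placeholders, and the sample `notAfter` line is constructed.

```python
"""Cron-friendly Let's Encrypt renewal check (added example, not TurnKey code).

Assumptions: the end date comes from `openssl x509 -enddate -noout -in CERT`
(a line like "notAfter=Jun 20 12:00:00 2016 GMT"); the certificate path and
the renewal client command are placeholders; the web server to restart is
apache2 or lighttpd.
"""
import os
import re
import subprocess
from datetime import datetime, timezone

# openssl prints notAfter as e.g. "Jun 20 12:00:00 2016 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample of openssl's output, used for a dry run when no cert exists.
SAMPLE_ENDDATE = "notAfter=Jun 20 12:00:00 2016 GMT"


def parse_not_after(enddate_line):
    """Turn an openssl -enddate line into a naive UTC datetime."""
    match = re.match(r"notAfter=(.+)$", enddate_line.strip())
    if not match:
        raise ValueError("unexpected openssl output: %r" % enddate_line)
    return datetime.strptime(match.group(1), OPENSSL_DATE_FMT)


def days_until_expiry(not_after, now):
    """Whole days left on the certificate (negative once it has expired)."""
    return (not_after - now).days


def renewal_due(not_after, now, renew_before_days=30):
    """True once fewer than renew_before_days remain (about day 60 of 90)."""
    return days_until_expiry(not_after, now) < renew_before_days


def web_server_service(init_dir="/etc/init.d"):
    """Service to restart after renewal: apache2 or lighttpd, None if neither."""
    for name in ("apache2", "lighttpd"):
        if os.path.exists(os.path.join(init_dir, name)):
            return name
    return None


def renewal_plan(not_after, now, service, renew_cmd, renew_before_days=30):
    """Commands one cron run should execute: nothing if renewal is not due,
    otherwise the client's renew command followed by a web server restart."""
    if not renewal_due(not_after, now, renew_before_days):
        return []
    steps = [list(renew_cmd)]
    if service:
        steps.append(["service", service, "restart"])
    return steps


def read_not_after(cert_path):
    """Ask openssl for the certificate's end date."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path])
    return parse_not_after(out.decode())


def main():
    cert_path = "/path/to/cert.pem"                        # placeholder
    renew_cmd = ["/path/to/letsencrypt-client", "renew"]   # placeholder
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    service = web_server_service()
    if not os.path.exists(cert_path):
        print("no certificate at %s; dry run against the sample date" % cert_path)
        for step in renewal_plan(parse_not_after(SAMPLE_ENDDATE), now, service, renew_cmd):
            print("would run:", " ".join(step))
        return
    not_after = read_not_after(cert_path)
    print("%d days until expiry" % days_until_expiry(not_after, now))
    for step in renewal_plan(not_after, now, service, renew_cmd):
        subprocess.check_call(step)


if __name__ == "__main__":
    main()
```

Run it daily from root's crontab (a hypothetical entry such as `0 3 * * * /usr/local/bin/renew-check.py`); on most days it finds more than 30 days left and exits without touching anything, and a renewal that fails gets retried every day for the rest of the window rather than being noticed only when the certificate expires.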

GMo:

Excellent, thanks so much for your hard work!

Drew Ruggles:

First off, this was entirely my fault, and in no way am I laying blame on anybody other than myself.

Second, I need help fixing my error, please?

I have the TKL Odoo VM running on my host machine and wanted to practice with the Let's Encrypt SSL Certificates. (NOTE: This is *not* a production server, but an evaluation server. If it's easier, I can re-install the VM, though I have some customizations I would like to save. I don't yet have the TKL-BAM running on this server.)

I walked through the instructions: https://github.com/turnkeylinux/tracker/issues/382

but when I went to "restart lighttpd", I received an error that it was not installed. So I restarted Apache (via Webmin)... probably not right, but that's what I did.

Now I can reach neither Webmin nor the website via a browser, however, I can still log in via ssh.

I haven't restarted the VM, but can if someone thinks that would work.

Any thoughts or any more information I can provide?

Thank you!

Drew

Jeremy Davis:

Those instructions assume that the appliance you are using has the Lighttpd webserver. The Odoo appliance uses Apache, not Lighttpd, so you'll need to substitute "apache2" for "lighttpd" when you perform the stop/restart etc commands.

TBH I haven't tried Let's Encrypt yet so I'm not sure if that's the only thing that will need adjustment.

Ryan:

I've been trying to install Certbot (letsencrypt client) on my TurnKey appliance (it's a Joomla3 appliance). I followed the instructions here: https://certbot.eff.org/#debianjessie-apache


Everything appears to install fine, but then I get these messages when trying to run any certbot command: 

root@joomla3 ~# certbot
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2927, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2913, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2940, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 635, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 943, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 829, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'python2-pythondialog>=3.2.2rc1' distribution was not found and is required by certbot

I believe this to already be installed.


Any suggestions? 

Thank you, Ryan


I think the same issue is mentioned here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818587

but I'm unsure about the fix mentioned. 


Ryan:

I tried to reinstall python-dialog; it did not help. I noticed that the .deb used was from TurnKey. I wonder if I got one from the main Debian repositories whether it would work better, and how would I do that?


 apt-get install --reinstall python-dialog
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 34.4 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.turnkeylinux.org/debian/ jessie/main python-dialog amd64 2.7-1turnkey+9+g97403e1 [34.4 kB]
Fetched 34.4 kB in 0s (1146 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 30473 files and directories currently installed.)
Preparing to unpack .../python-dialog_2.7-1turnkey+9+g97403e1_amd64.deb ...
Unpacking python-dialog (2.7-1turnkey+9+g97403e1) over (2.7-1turnkey+9+g97403e1) ...
Processing triggers for python-support (1.0.15) ...
Setting up python-dialog (2.7-1turnkey+9+g97403e1) ...
Processing triggers for python-support (1.0.15) ...
Counting objects: 1526, done.
Compressing objects: 100% (942/942), done.
Writing objects: 100% (1526/1526), done.
Total 1526 (delta 96), reused 1526 (delta 96)


Ryan:

Well... after working about 3/4 of a day I broke down and posted the question above, then in about 30 more minutes I figured it out. I guess the questions were what I needed to get the answers.

For some reason the package python-dialog that is from the TurnKey archive is not compatible or not as up-to-date as the one in the Debian main archive.

What I did was comment out the TurnKey archive in the sources.list file and then ran

apt-get update

apt-get upgrade python-dialog

It finds an update for the package and installs it; after that certbot ran for me.

FYI, I've not tried to actually generate the cert yet.
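A narrower way to get the same result, as an added example rather than anything from this thread or from TurnKey: instead of commenting out the whole TurnKey archive (which also hides every other package it carries, including future security updates from it), pin only python-dialog away from archive.turnkeylinux.org (the hostname shown in the apt output above) so apt takes that one package from Debian main and leaves everything else as TurnKey ships it. This is an apt preferences stanza; the file name under /etc/apt/preferences.d/ is an assumption, and Jeremy's caveat in the next post about confconsole and inithooks applies just the same.

```text
Explanation: Added example. Take python-dialog from Debian main, not TurnKey.
Explanation: A negative priority means no version from this origin is ever installed.
Package: python-dialog
Pin: origin "archive.turnkeylinux.org"
Pin-Priority: -1
```

After `apt-get update`, `apt-cache policy python-dialog` should show the TurnKey version with priority -1 and the Debian version as the candidate, and `apt-get install python-dialog` then pulls the Debian package. Because the stanza names a single package, it takes precedence over any general-form (`Package: *`) pin TurnKey may ship for its archive.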

Jeremy Davis:

I'm glad to hear that you resolved the issue and thanks tons for posting back.

FWIW, as you discovered, our version of python-dialog is old. Currently it is a requirement of some of our custom software (confconsole & inithooks, so if you use either of them in the future and experience weirdness, that is why). TBH we need to do something about that, but it has never been a major priority as it will be a fair bit of work and has generally not been much of an issue for most users. However, the situation is only going to get worse with time (as the versions drift further apart).

We intend to include the facility to use Let's Encrypt with TurnKey via a slightly different method using a third party client (which is compatible with our version of python-dialog). But it's (still) not ready yet. It will be included in v14.2 (when we get to that) but hopefully we'll release it prior to then.

Ryan:

Yeah, I thought there might be unintended consequences for updating that package. However, it serves me for now. I'm currently using a LAMP image and a Joomla3 image. I'm not sure how those might use confconsole &/or inithooks.


Looking forward to the built-in Letsencrypt integration.

Jeremy Davis:

And confconsole is the command-line screen that displays the current IP address etc. So on a server that has completed the firstboot config and is up and running, neither is critical.

So you should be fine, but re-initialisation may not work properly (if you ever need/want to do that). Currently the only really useful function Confconsole provides (beyond showing you the current IP) is allowing you to switch between DHCP and static IP. Depending on where your servers are running, that is probably of limited value at best - especially if you have already set a static IP (if running on a LAN) or plan to continue using DHCP (if running on Amazon etc). Worst case scenario you can still configure that, but you'll need to do it manually.

Ryan:

Thank you!

mar85:

This forum is very helpful!
