Opened 8 months ago
Closed 8 months ago
#18451 closed enhancement (fixed)
Add 'uacme' (Tool to create LetsEncrypt certs)
| Reported by: | thomas | Owned by: | blfs-book |
|---|---|---|---|
| Priority: | low | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
To complete the Apache-http installation i think it is state-of-the-art nowadays that web applications got secured by SSL (https). LetsEncrypt provides SSL certificates for free and the certificates are accepted all over the world (no self-signed-certificate issues).
LetsEncrypt provides an API to create and update certificates and do also refer to a tool which does the technical stuff. Me personally find this tool (certbot) horrible complicated and error prone.
IMHO, a nice alternative is uacme a C-coded client which is very easy to use.
Proposal for such a page:
In the 'lazarus'-branch where I have FreePascal&Lazarus (Delphi-like Pascal-IDE) added, i also added uacme. The tool is quite easy in terms of build (simple cmmi) as well as in usage. A crossref from Apache to uacme is added in apache.xml, too.
Change History (12)
comment:1 by , 8 months ago
comment:2 by , 8 months ago
Yeah I also use certbot on my server. It is a bit of a heavy package but for most instances it's set and forget, so maybe we should consider adding that instead?
comment:3 by , 8 months ago
I'd be fine with that, too. I proposed uacme as it was quite easy for me to get it built, package (destdir) and running, in very much contrast to certbot where i never became familiar with all the dirs it creates and so on. Well, might be another "just me"... ;-)
follow-up: 6 comment:4 by , 8 months ago
I'm having second thoughts about this. In order to get a cert from LetsEncrypt, the user needs a domain name, a network accessible IP address, and an entry into a name server for both the forward and reverse dns lookups connecting the name and IP address.
How many of our users have that? How would we test the procedures?
comment:5 by , 8 months ago
Good questions. At least three of three commenting here have that ;-) Ok, just kidding. We're not "our users", that's true, and I'm sure only a minority of them have that. Nevertheless, I still believe that we should cover "Securing a website" somehow.
Maybe a link at a prominent position in Apache's page to a wiki page (like the "editor note") can be used for that topic?
follow-up: 8 comment:6 by , 8 months ago
Replying to Bruce Dubbs:
How would we test the procedures?
Assign "uacme-tester.linuxfromscratch.org" to a server with public IP and test & tag this package there...
comment:8 by , 8 months ago
Replying to Xi Ruoyao:
Replying to Bruce Dubbs:
How would we test the procedures?
Assign "uacme-tester.linuxfromscratch.org" to a server with public IP and test & tag this package there...
I already have a restricted site at gondor.linuxfromscratch.org. It already has certbot/augeas installed. I don't know how to test a change. It would be confusing to the LetsEncrypt server since it already knows the IP address.
I don't have access to the dns site for a new name -- we would need to get Gerard to do that every time there was an update and we'd probably need to do a full LFS+apache build each time.
comment:9 by , 8 months ago
I've set up a draft (probably including trillions of typos) of such a wiki page in my own trac:
https://www.belfs.org/dev/wiki/Securing_a_website (Already copied to BLFS wiki, see below)
Let me know what you think about that one.
Btw, uacme does use http for the challenge, we do not need a DNS change. uacme as well as LE were very polite while my testing (i started several attempts to same domain). Both didn't complain. But ok, i did not request certs every second...
comment:10 by , 8 months ago
Not too bad. I can touch it up for you if you put it in the BLFS wiki. For certbot renewals, I have:
$ ls /etc/cron.weekly/ certbot.sh $ cat /etc/cron.weekly/certbot.sh #!/bin/bash date > /tmp/certbot /usr/bin/certbot --quiet renew ret=$? echo "certbot return value=$ret" >> /tmp/certbot # Restart daemons that use certs echo "Restarting apache from cron.weekly" >> /tmp/certbot /usr/sbin/apachectl -k restart 2>&1 >> /tmp/certbot echo "Restarting postfix from cron.weekly" >> /tmp/certbot /etc/init.d/postfix reload 2>&1 >> /tmp/certbot ret=$? echo "/etc/init.d/postfix reload return value=$ret" >> /tmp/certbot echo "Restarting dovecot from cron.weekly" >> /tmp/certbot #/etc/init.d/dovecot reload 2>&1 >> /tmp/certbot pid=$(cat /run/dovecot/master.pid) kill -HUP $pid ret=$? echo "dovecot 'kill -HUP' return value=$ret" >> /tmp/certbot
Of course all those messages to /tmp/certbot are just for status/debugging.
comment:11 by , 8 months ago
Ok, thanks!
I'll copy it over to BLFS (https://wiki.linuxfromscratch.org/blfs/wiki/Securing_a_website).
These are my notes for letsencrypt:
To get https to work, first install certbot. The instructions are at https://certbot.eff.org/lets-encrypt/otherpip-apache Note that augeas needs to be installed: https://augeas.net/ http://download.augeas.net/http://download.augeas.net/ The certbot looks for a certain configuration, even if 'Other Linux' is selected: /usr/sbin/apache2ctl -> apachectl /etc/apache2 -> httpd mkdir -p /etc/httpd/sites-enabled ls /etc/httpd/sites-enabled/ -l total 0 lrwxrwxrwx 1 root root 47 Mar 26 20:36 <fqdn>.conf -> ../vhosts.d/<fqdn>.conf Note that in httpd.conf we need LoadModule rewrite_module /usr/lib/httpd/modules/mod_rewrite.so Run as root: certbot --apache --must-staple --redirect --hsts --uir --staple-ocsp \ -d <fqdn> Updates vhosts.d/<fqdn>.conf and adds <fqdn>-le-ssl.conf Run in fcron weekly: certbot renew