28 Mar
2017
28 Mar
'17
1:31 p.m.
Has anyone successfully used the version of certbot in jessie-backports
to install https certificates from letsencrypt on Apache?
The reason for asking is that I haven't :)
It doesn't help that the version there is older than the one covered by
the documentation at <https://certbot.eff.org/docs/using.html> - there's
no 'certificates' command, for example.
Ian
2:11 p.m.
On 28/03/17 14:31, Ian wrote:
Has anyone successfully used the version of certbot in
jessie-backports
to install https certificates from letsencrypt on Apache?
The reason for asking is that I haven't :)
Yes, it works well for me.
I used the Apache plugin to automatically reconfigure my vhosts, which
worked pretty much correctly. This generated new HTTPS versions of the
vhosts and added a redirect to the HTTP version.
Using the webroot mode is also easy, as it works with any web server
that serves files from the given webroot directory. You can then make
the HTTPS modifications to your web server's config after the
certificate's been retrieved.
The package automatically sets up a renewal command in /etc/cron.d/certbot.
It doesn't help that the version there is older
than the one covered by
the documentation at <https://certbot.eff.org/docs/using.html> - there's
no 'certificates' command, for example.
I don't think there are docs published for the older version, even on
the older readthedocs site, however cross-referencing with
https://github.com/certbot/certbot/blob/v0.9.3/docs/using.rst may help.
In any case, I think the missing "certificates" command is probably the
main difference from the current version - there's no certificate list
command in 0.9.3.
--
Dominic Cleal
dominic(a)computerkb.co.uk
5:07 p.m.
Dominic Cleal said:
Just to add to the annoyance, the Debian doc package wants to install a
pile of Javascript and display the help as HTML rather than as a man
file or even plain text.
Ian
Yes, it works well for me.
And it just has for me too, amazingly.
Read on for some of the problems before I reveal what worked :)
I used the Apache plugin to automatically reconfigure
my vhosts, which
worked pretty much correctly. This generated new HTTPS versions of the
vhosts and added a redirect to the HTTP version.
This is what I wanted to do. However, it complains about an error
parsing a different site's .conf file.
(It would be easier to show what went wrong with the various attempts,
but someone thought it was a good idea to overwrite the log file each
time you run certbot, rather than append to it.)
Using the webroot mode is also easy, as it works with
any web server
that serves files from the given webroot directory. You can then make
the HTTPS modifications to your web server's config after the
certificate's been retrieved.
Hmm, when I tried that, it 302s. From the Apache log file:
66.133.109.36 - - [28/Mar/2017:13:45:39 +0000] "GET
/.well-known/acme-challenge/rMJgBWEhAQy8AYJAm9earOoIoKotuz4OISUc1yrlpbM
HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt
validation
server; +https://www.letsencrypt.org)" 0
.. although I can create and read /.well-known/index.html
But because it deletes the acme-challenge and random name
subdirectories, there's no easy way to tell what's going on!
What's made it work is deleting the other site's .conf file. It wasn't
actually being used, but Apache had no problems with it.
I don't see a new version of vhosts - do you have your sites in a single
file, or in separate files in /etc/apache2/sites-available? - but it's
not difficult to do.
The package automatically sets up a renewal command in
/etc/cron.d/certbot.
Yes, this is one reason I wanted to do it this way.
It doesn't
help that the version there is older than the one covered by
the documentation at <https://certbot.eff.org/docs/using.html> - there's
no 'certificates' command, for example.
I don't think there are docs published for the older version, even on
the older readthedocs site, however cross-referencing with
https://github.com/certbot/certbot/blob/v0.9.3/docs/using.rst may help.
In any case, I think the missing "certificates" command is probably the
main difference from the current version - there's no certificate list
command in 0.9.3.
29 Mar
29 Mar
7:35 a.m.
On 28/03/17 18:07, Ian wrote:
Dominic Cleal said:
I work on the Augeas project, which is the underlying parser for the
Apache config files, so I've been fixing a few of the problems that
LE/CB's been hitting on real world files ever since its release. There
are five known issues[1] still, but I think 0.9.3 did contain all of the
published fixes so far.
If you have the original file still, then I'd be interested in obtaining
a copy to ensure we're tracking or are fixing the bug.
I used the Apache plugin to automatically
reconfigure my vhosts, which
worked pretty much correctly. This generated new HTTPS versions of the
vhosts and added a redirect to the HTTP version.
This is what I wanted to do. However, it complains about an error
parsing a different site's .conf file.
(It would be easier to show what went wrong with the various attempts,
but someone thought it was a good idea to overwrite the log file each
time you run certbot, rather than append to it.)
Using the webroot mode is also easy, as it works
with any web server
that serves files from the given webroot directory. You can then make
the HTTPS modifications to your web server's config after the
certificate's been retrieved.
Hmm, when I tried that, it 302s. From the Apache log file:
66.133.109.36 - - [28/Mar/2017:13:45:39 +0000] "GET
/.well-known/acme-challenge/rMJgBWEhAQy8AYJAm9earOoIoKotuz4OISUc1yrlpbM
HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt
validation
server; +https://www.letsencrypt.org)" 0
.. although I can create and read /.well-known/index.html
But because it deletes the acme-challenge and random name
subdirectories, there's no easy way to tell what's going on!
What's made it work is deleting the other site's .conf file. It wasn't
actually being used, but Apache had no problems with it. I don't see a new version of vhosts - do you have
your sites in a single
file, or in separate files in /etc/apache2/sites-available? - but it's
not difficult to do.
They're in separate files in sites-available, so I now have:
-rw-r--r-- 1 root root 2022 Aug 29 2016
/etc/apache2/sites-available/m0dlx.com
-rw-r--r-- 1 root root 2211 Aug 29 2016
/etc/apache2/sites-available/m0dlx.com-le-ssl.conf
The le-ssl.conf is identical to the regular file, except with an
IfModule wrapper and SSL* directives at the bottom for the key/cert.
[1]https://github.com/hercules-team/augeas/issues?utf8=%E2%9C%93&q=is%3A…
--
Dominic Cleal
dominic(a)computerkb.co.uk
31 Mar
31 Mar
11:33 a.m.
Dominic Cleal said:
I don't, sorry. One guess is that given how long the site hasn't
actually been live, the .conf file was still using the Apache 2.2
directives. Would Augeas decide that's an error if it knows it's looking
at Apache 2.4?
The reason I couldn't spot them is that they didn't exist - after the
default failed, I'd been using the certonly option and forgot to remove
it when reusing and editing lines from my history. (Blush!)
Thank you for your work.
Ian
What's
made it work is deleting the other site's .conf file. It wasn't
actually being used, but Apache had no problems with it.
If you have the original file still, then I'd be interested in obtaining
a copy to ensure we're tracking or are fixing the bug. I don't
see a new version of vhosts - do you have your sites in a single
file, or in separate files in /etc/apache2/sites-available? - but it's
not difficult to do.
They're in separate files in sites-available, so I now have: 
17 Apr
17 Apr
7:47 p.m.
I use "lego"
https://github.com/xenolf/lego
and a simple home-made 10-line script to get certs for all
websites/mailservers with the same name as a given directory.
The web-challenge stuff annoyed me, because it seemed unreliable. Might
well be, because I need certs for non-web stuff (e.g. mail and various
tunnels) as well.
Doing it all via DNS-Challenge works like a treat for a few quarters
now.
Conrad
P.S.: I'm hiring:
https://www.gurusystems.com/join-us/devops-engineer/
On Fri, 2017-03-31 at 12:33 +0100, Ian wrote:
Dominic Cleal said:
I don't, sorry. One guess is that given how long the site hasn't
actually been live, the .conf file was still using the Apache 2.2
directives. Would Augeas decide that's an error if it knows it's
looking
at Apache 2.4?
The reason I couldn't spot them is that they didn't exist - after
the
default failed, I'd been using the certonly option and forgot to
remove
it when reusing and editing lines from my history. (Blush!)
Thank you for your work.
Ian
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
What's made it work is deleting the other site's .conf file. It
wasn't
actually being used, but Apache had no problems with it.
If you have the original file still, then I'd be interested in
obtaining
a copy to ensure we're tracking or are fixing the bug. I
don't see a new version of vhosts - do you have your sites in a
single
file, or in separate files in /etc/apache2/sites-available? - but
it's
not difficult to do.
They're in separate files in sites-available, so I now have: 
28 Mar
28 Mar
7:32 p.m.
Hello,
On Tue, Mar 28, 2017 at 02:31:49PM +0100, Ian wrote:
Has anyone successfully used the version of certbot
in
jessie-backports to install https certificates from letsencrypt on
Apache?
No, but I am using certbot from jessie-backports together with
haproxy and
https://github.com/janeczku/haproxy-acme-validation-plugin to
automatically answer the ACME http-01 challenges.
It doesn't help that the version there is older
than the one covered
by the documentation at <https://certbot.eff.org/docs/using.html> -
there's no 'certificates' command, for example.
I haven't really read any docs except for the github page above; the
only command I have to use is:
$ sudo letsencrypt certonly --text --webroot --webroot-path /var/lib/haproxy --expand -d
example.com,www.example.com,test.example.com --renew-by-default --agree-tos --email
webmaster(a)example.com
…and something similar to
https://github.com/janeczku/haproxy-acme-validation-plugin/blob/master/cert…
in cron to renew them all.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
2194
days inactive
2579
days old
7 comments
5 participants
participants (5)
-
Andy Smith -
Conrad Wood -
Dominic Cleal -
Gavin Westwood -
Ian