Koozali – Single multi-domain SSL certificate using Let’s Encrypt

By telleropnul, June 27, 2016

Installation (Koozali SME server v9.x)

yum install git

Then download the dehydrated client:

cd /etc
git clone https://github.com/lukas2511/dehydrated
mv dehydrated/dehydrated /usr/local/bin/

You’ll need to create two configuration files for the dehydrated script to work.

cd dehydrated
mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
vi domains.txt

In this file, you’ll list every hostname that you want your certificate to cover, all on one line. It will look like this:

domain1.com www.domain1.com mail.domain1.com domain2.net www.domain2.net domain3.org ftp.domain3.org

Second, you’ll need to create the configuration file:

vi config

It should look like this:

#!/bin/bash
# config
# CA="https://acme-staging.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/local/bin/dehydrated-hook"
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL="admin@yourdomain.com"

For testing purposes, it’s recommended that you uncomment the third line (so it begins with “CA=”). Any certificates issued while testing will not be trusted, but they will also not count against your rate limits. Once your configuration is set, you can comment out that line and re-run dehydrated.

NOTE: I instead opted to use the default directory “/etc/dehydrated” for the location of “config” and “domains.txt”

You’ll need to create a custom “hook” script to set the config database up properly, and to trigger reloads of your system services when a certificate is issued or renewed.

vi /usr/local/bin/dehydrated-hook

Its contents should look like this:

#!/bin/bash
# dehydrated hook: when a certificate is issued or renewed (deploy_cert),
# point the SME Server modSSL settings at the new files and signal the
# services so they pick them up.
# Arguments dehydrated passes for deploy_cert:
#   $1 hook name, $2 domain, $3 private key, $4 certificate,
#   $5 full chain, $6 chain, $7 timestamp

if [ "$1" = "deploy_cert" ]; then
  KEY="$3"
  CERT="$4"
  CHAIN="$6"
  /sbin/e-smith/db configuration setprop modSSL key "$KEY"
  /sbin/e-smith/db configuration setprop modSSL crt "$CERT"
  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile "$CHAIN"
  /sbin/e-smith/signal-event domain-modify
  /sbin/e-smith/signal-event email-update
  /sbin/e-smith/signal-event ibay-modify
fi

If you have at least version 5.6.0-26 of e-smith-base installed (i.e., if you’ve installed updates since late January of 2016), replace the three signal-event lines with

/sbin/e-smith/signal-event ssl-update

Then make it executable:

chmod +x /usr/local/bin/dehydrated-hook

You’ll also need to create a custom template fragment for Apache:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
vi /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME

The contents of that file should look like:

# Alias for letsencrypt
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

Expand the template and restart apache:

expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith restart

Now you’re ready to run dehydrated and get your certificate.

dehydrated -c

The script will run for a moment and should report success. If it does, look in /etc/dehydrated/certs/YOURDOMAIN and see if you have your files there. You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem). If you do, congratulations! You’ve successfully obtained your certificate. The hook script should have also configured your server to use the new certificate. To make sure, run

config show modSSL

and make sure there are values set for crt, key, and CertificateChainFile.

Once you’ve obtained your certificate and configured your server, test it with a tool like SSLLabs.com to make sure it’s working properly.

Troubleshooting

Errors in the certificate files may prevent Apache and some other services from starting. If you previously had custom settings for modSSL, revert those with:

config setprop modSSL crt (old value)
config setprop modSSL key (old value)
config setprop modSSL CertificateChainFile (old value; if this property was previously empty, delete it with the delprop command below instead)

If you did not have custom settings for modSSL, remove your changes with:

config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile 

Once you’ve made these changes, force a renewal of the certificates (and update modSSL configuration):

dehydrated -c -x

To make the changes take effect:

signal-event post-upgrade
signal-event reboot

Renewal of the certificates

As a deliberate security measure, Let’s Encrypt certificates are only valid for a short period, so they must be renewed every 3 months. The process will differ depending on whether you’re using the official client or dehydrated.

Using Dehydrated

When run, the dehydrated script will check your existing certificate to see how long it’s valid. If it has less than 30 days’ lifetime remaining (by default; this can be changed by setting RENEW_DAYS in config to something other than 30), the script will renew your certificates. If more than 30 days remain, the script will exit without further action. All that’s necessary is to run dehydrated daily:

vi /etc/cron.daily/call-dehydrated

Enter the following in this file:

#!/bin/bash
/usr/local/bin/dehydrated -c

Then make it executable:

chmod +x /etc/cron.daily/call-dehydrated
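Two checks worth running after the first issuance and before relying on the daily cron job, as an added example that is not code from the original post or from dehydrated: confirm that the certificate’s SAN list covers every hostname on the one line of domains.txt, and reproduce the RENEW_DAYS decision described above so you can see when the cron run will actually renew. It assumes GNU date and openssl are available on the server; the function names and the optional “now” argument are my own.

```shell
#!/bin/bash
# Added example, not part of the original post. Post-issuance checks for the
# dehydrated setup above: does the certificate cover every name listed in
# domains.txt, and would the daily cron run renew it? Assumes GNU date and
# openssl; domains.txt is the single space-separated line described above.

# Print the hostnames from domains.txt that are absent from the SAN list.
# $1 = space-separated hostnames (the one line of domains.txt)
# $2 = SAN list as openssl prints it, e.g. "DNS:a.com, DNS:www.a.com"
missing_names() {
    local wanted="$1" sans="$2" name missing=""
    for name in $wanted; do
        case ", $sans," in
            *", DNS:$name,"*) ;;                 # covered by the certificate
            *) missing="$missing $name" ;;       # not in the certificate
        esac
    done
    echo "${missing# }"
}

# Mirror dehydrated's decision: renew when fewer than RENEW_DAYS remain.
# $1 = notAfter date as printed by 'openssl x509 -enddate' (text after '=')
# $2 = RENEW_DAYS (dehydrated's default is 30)
# $3 = "now" as epoch seconds (optional; defaults to the current time)
# Returns 0 if renewal is due, 1 if not, 2 if the date cannot be parsed.
needs_renewal() {
    local end now
    end=$(date -u -d "$1" +%s) || return 2
    now=${3:-$(date -u +%s)}
    [ $(( (end - now) / 86400 )) -lt "$2" ]
}

# Run both checks against the live certificate on the SME server.
# $1 = first name in domains.txt, i.e. the directory under /etc/dehydrated/certs
check_live_cert() {
    local cert="/etc/dehydrated/certs/$1/cert.pem" sans end missing
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//')
    missing=$(missing_names "$(cat /etc/dehydrated/domains.txt)" "$sans")
    [ -z "$missing" ] && echo "all names covered" || echo "NOT covered: $missing"
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    if needs_renewal "$end" "${RENEW_DAYS:-30}"; then
        echo "renewal due (expires $end)"
    else
        echo "no renewal needed (expires $end)"
    fi
}
```

Run `check_live_cert domain1.com` as root after `dehydrated -c` has finished; a name listed as “NOT covered” means domains.txt was changed after issuance and a forced run (`dehydrated -c -x`) is needed.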

Backup

Your certificate, private key, and other important information are stored in /etc/dehydrated, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups.