[opensuse] SSL For Free
Hi all,
I have recently learned of letsencrypt.org and their service sslforfree.com. Does anyone use this?
I have just set up a certificate with ssl for free on my own website and it works great. No 'This website is improperly configured' message. (even though it is properly configured, just self-signed).
The only problem I have with SSL For Free is that the certificates expire after 90 days. I can understand why they do this so as not to have lots of unused certificates but as I work on many sites any manually renewing them every 3 months would be a right pain in the proverbial.
Is there a way to obtain a free certificate from SSL For Free and have it renew automatically?
Thanks
Paul
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
I've used let's encrypt on many different projects. If you have access
to the web server, you can set up a cron job to renew the certificate.
On Wed, Oct 10, 2018 at 1:46 PM Paul Groves
> Is there a way to obtain a free certificate from SSL For Free and have it renew automatically?
On Wednesday 10 October 2018 21:46:24 CEST, Paul Groves wrote:
> Is there a way to obtain a free certificate from SSL For Free and have it renew automatically?
I use certbot to manage letsencrypt ssl certs, and have a crontab running a script
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 10/10/18 21:57, Knurpht-openSUSE wrote:
> I use certbot to manage letsencrypt ssl certs, and have a crontab running a script
OK that sounds a good plan. I have never used it before though.
I have been to: https://certbot.eff.org/ and put in my webserver and os. Is this really all there is to it?
Is there anything I should know from your experience with certbot, any tips or problems?
Paul
On Thursday 11 October 2018 10:02:10 CEST, Paul Groves wrote:
> OK that sounds a good plan. I have never used it before though.
> I have been to: https://certbot.eff.org/ and put in my webserver and os. Is this really all there is to it?
> Is there anything I should know from your experience with certbot, any tips or problems?
You need to put it somewhere (preferably outside of the webroot). Then cd into the folder you downloaded certbot to, then run ./certbot-auto --help
FWIW I use the webroot option ...
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
Hi Paul,
On 10/11/18 12:02 PM, Paul Groves wrote:
> Is there anything I should know from your experience with certbot, any tips or problems?
You should also add a CAA [1] record to avoid any certificate issuance error. The domain to be specified for the CAA record would be simply "letsencrypt.org" [2] in the following format:
yourdomain.com. CAA 0 issue "letsencrypt.org"
Regards,
Ish Sookun
[1] https://tools.ietf.org/html/rfc6844
[2] https://letsencrypt.org/docs/caa
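One way to confirm that a published CAA record set, such as the one suggested in the message above, actually permits Let's Encrypt before a certificate is requested. This is an added example, not part of the original thread: the function name caa_allows is hypothetical, and it evaluates only the record set it is given (the resolver's climb to parent domains is not modelled).

```shell
#!/bin/sh
# Added example: decide from a CAA record set whether a CA may issue.
# Input on stdin, one record per line as printed by `dig +short CAA <domain>`:
#   FLAGS TAG "VALUE"      e.g.  0 issue "letsencrypt.org"
# Usage:  dig +short CAA yourdomain.com | caa_allows letsencrypt.org
#         caa_allows CA_DOMAIN wildcard   (for a *.name certificate)
# CA_DOMAIN must be lower case. Exit status: 0 = allowed, 1 = denied.
caa_allows() {
  awk -v ca="$1" -v wild="${2:-}" '
    NF >= 3 {
      tag = tolower($2)
      val = $0
      sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)   # drop FLAGS and TAG
      gsub(/"/, "", val)                             # drop the quotes
      sub(/;.*/, "", val)                            # drop parameters after ";"
      gsub(/[ \t]/, "", val)
      val = tolower(val)
      if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
      if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
      # Wildcard names: issuewild records, when present, replace issue records.
      if (wild == "wildcard" && n_wild > 0) exit(ok_wild ? 0 : 1)
      # No issue records at all means CAA places no restriction on issuance.
      if (n_issue == 0) exit 0
      # An empty value (issue ";") matches no CA, so issuance is denied.
      exit(ok_issue ? 0 : 1)
    }'
}
```

A denied result for a domain you intend to certify means issuance will be refused until the record set is corrected.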
OK so I have now got a problem with certbot.
I have already generated an SSL cert for www.mysite.com using the command:
sudo certbot --apache -d www.mysite.com
And this has worked perfectly, however I have a site alias of mysite.com and rewrite to always navigate to www.mysite.com
Now as I expected when I go to mysite.com I get a bad domain error and it says certificate only valid for www.mysite.com
So I used the command off the letsencrypt website:
sudo certbot --apache -d mysite.com -d www.mysite.com
and I get the following error (note: I replaced my account no. with stars):
Obtaining a new certificate
An unexpected error occurred:
The server experienced an internal error :: Error retreiving account "https://acme-v02.api.letsencrypt.org/acme/acct/*****"
Can anyone tell me what I am doing wrong here?
Thanks
On Thursday 11 October 2018 22:18:55 CEST, Paul Groves wrote:
> Can anyone tell me what I am doing wrong here?
You can use -d www.mysite.com -d mysite.com -d blah.mysite.com and so on
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 11/10/18 21:27, Knurpht-openSUSE wrote:
> You can use -d www.mysite.com -d mysite.com -d blah.mysite.com and so on
OK thanks I have sorted it, I was putting mysite.com first (which is the
site alias).
I had to put www.mysite.com first. this now worked:
certbot --apache -d www.mysite.com -d mysite.com
now I can get on via ssl easily. Now a more trivial question.
I have set up a second virtualhost for the same site which is http only
and I wish to redirect it to https:
Paul Groves wrote:
> Hi all,
> I have recently learned of letsencrypt.org and their service sslforfree.com. Does anyone use this?
letsencrypt yes, sslforfree no. Been using letsencrypt for two years or thereabouts.
> The only problem I have with SSL For Free is that the certificates expire after 90 days.
Yes, that is letsencrypt standard.
> I can understand why they do this so as not to have lots of unused certificates
It's more to make sure the identity of the certificate holder remains correct. The LE certificates are domain-validation only.
> but as I work on many sites any manually renewing them every 3 months would be a right pain in the proverbial.
> Is there a way to obtain a free certificate from SSL For Free and have it renew automatically?
With LE it is certainly easy, I don't know about sslforfree.
-- Per Jessen, Zürich (15.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 11/10/18 08:30, Per Jessen wrote:
> With LE it is certainly easy, I don't know about sslforfree.
Hi Per,
The LetsEncrypt service seems like the way to go then if the certificates can be renewed automatically. How would I go about doing this?
Also, from my initial reading of domain validation, I have to put a nonce in a file on the webserver or in a TXT record on the DNS.
Although I use freedns.afraid.org and this only allows a TTL of 3600 which cannot be changed. Not sure if this would be a problem.
How do you validate your domains?
Thank you
Paul
Paul Groves wrote:
> Hi Per,
> The LetsEncrypt service seems like the way to go then if the certificates can be renewed automatically. How would I go about doing this?
Hi Paul it's basically what Gertjan also wrote - you use the 'certbot', and run a daily cronjob for renewals. certbot has hooks for automatically updating apache, for instance.
> Also, from my initial reading of domain validation, I have to put a nonce in a file on the webserver or in a TXT record on the DNS.
Yup. ISTR, the methods are called http-01 or dns-01.
> Although I use freedns.afraid.org and this only allows a TTL of 3600 which cannot be changed. Not sure if this would be a problem.
> How do you validate your domains?
We use http-01, I don't think dns-01 was available when we started. I don't think the TTL should be a problem. With http-01, certbot puts a unique file in /.well-known/ which can then be retrieved by LE. That shows you have access to the website with that domain.
-- Per Jessen, Zürich (16.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Thursday 11 October 2018 10:51:16 CEST, Per Jessen wrote:
> We use http-01, I don't think dns-01 was available when we started. I don't think the TTL should be a problem.
A TTL is not about the persistence of the content of the TXT record but about how long that content should be held in a cache. When the cache is purged caused by the TTL, the content will again be fetched from the authoritative DNS server.
-- fr.gr. member openSUSE Freek de Kruijf
OK seems to have worked. I installed certbot and run sudo certbot --apache -d www.mysite.com
obviously putting in my correct domain name.
So to renew all I have to do is run: sudo certbot renew in a cron job? Is this right?
Will this renew all the certs I create?
Do I put it under the root user crontab?
Thanks
Paul
On 11/10/18 13:30, Freek de Kruijf wrote:
> A TTL is not about the persistence of the content of the TXT record but about how long that content should be held in a cache. When the cache is purged caused by the TTL, the content will again be fetched from the authoritative DNS server.
Paul Groves wrote:
> OK seems to have worked. I installed certbot and run sudo certbot --apache -d www.mysite.com
> obviously putting in my correct domain name.
> So to renew all I have to do is run: sudo certbot renew in a cron job? Is this right?
This is mine : certbot-auto renew --quiet --no-self-upgrade --renew-hook myscript
> Will this renew all the certs I create?
Yep.
> Do I put it under the root user crontab?
Assuming you have /etc/letsencrypt owned by root:root, yes.
-- Per Jessen, Zürich (17.6°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
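What a renew hook for the cron-driven renewal discussed in the replies above can look like. This is an added example, not the script used by anyone in the thread: the function name renew_hook, the RELOAD_CMD variable, the crontab schedule and the script path are assumptions, while RENEWED_LINEAGE is the variable certbot exports to the hook.

```shell
#!/bin/sh
# Added example of a renew hook (the role "myscript" plays in the thread).
# Constructed root crontab entry; schedule and path are placeholders:
#   17 3 * * * certbot renew --quiet --renew-hook /usr/local/sbin/le-renew-hook.sh
# (newer certbot releases name the same option --deploy-hook)
# certbot exports RENEWED_LINEAGE (the live/<name> directory) to the hook.
# RELOAD_CMD is an assumption of this sketch; adjust it to your web server.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"

renew_hook() {
  lineage="$1"
  key="$lineage/privkey.pem"
  chain="$lineage/fullchain.pem"
  # Both files must exist and be non-empty before the server is touched.
  if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
    echo "renew hook: certificate files missing in $lineage" >&2
    return 2
  fi
  # -L follows the live/ symlink, so the mode tested is the key file's own.
  if [ -n "$(find -L "$key" \( -perm -040 -o -perm -004 \))" ]; then
    echo "renew hook: $key is readable by group or others" >&2
    return 3
  fi
  # Reload the web server only after both checks pass.
  $RELOAD_CMD
}

# certbot sets RENEWED_LINEAGE only when a certificate was actually renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  renew_hook "$RENEWED_LINEAGE"
fi
```

Because the hook runs only for certificates that were actually renewed, a daily cron run does not reload the server on days when nothing is due.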
participants (6)
- Freek de Kruijf
- Ish Sookun
- Knurpht-openSUSE
- Mike Henry
- Paul Groves
- Per Jessen