Froxlor Forum
llucps

Let's Encrypt configuration

Question

Hi everyone,

I've been struggling to make Let's Encrypt work on my own server, especially because it's not really clear what I have to do, sorry about that :)

On my IP/Port settings the Webserver Config SSL fields for port 443 are all empty, and so are the Path to the SSL certificate, Path to the SSL Keyfile and Path to the SSL CertificateChainFile under System/Settings/SSL Settings.

Before, I had set up my own certificate, which was for my own use only, but I assumed that if Let's Encrypt is activated, because it creates a certificate for each of the domains, the general SSL settings won't be needed anymore. The problem is, if I leave the IP/Ports settings and System/Settings/SSL Settings with no values and Let's Encrypt is activated, I get this error:

[error] xxxxxx.com :: empty certificate file! Cannot create ssl-directives

If I put the previous values back in the SSL settings it doesn't give any error, but Let's Encrypt doesn't generate any certificate for the domains that have Let's Encrypt activated.

I created the acme.conf with the right permissions and /var/www/froxlor/.well-known/acme-challenge was created successfully, but it is empty.

I'm pretty sure that I'm doing something wrong but I can't figure out what it is.

More progress: I put my self-created certificate back in the IP/Port SSL settings and the log says:

Could not get Let's Encrypt certificate for xxxxxxxx.com: Please check http://xxxxxxxxxx.com/.well-known/acme-challenge/7wcMM9v04yGEmDB97po3ljdpjzxYaJuxa-IHeC4tKvs - token not available

Thank you,

Lluc

14 answers to this question

Recommended Posts

Your ip/port vhost needs to have an SSL cert too (the 10_froxlor_...*.conf vhosts). This can be a simple self-signed cert, but it's needed.

Also, /var/www/froxlor/.well-known/acme-challenge is mostly empty because the files are not kept; they exist just for the challenge and are removed right after.

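As an added example (not code from this thread or from Froxlor itself), here is one way to produce the self-signed certificate the reply above mentions for the IP/Port 443 vhost, and to confirm that the certificate and key actually belong together before entering their paths in the Froxlor SSL settings. The output directory /etc/ssl/froxlor and the host name panel.example.com are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not Froxlor's own code: self-signed cert for the IP/Port (443) vhost.
# Assumptions: the output directory and host name passed on the command line are
# placeholders (e.g. /etc/ssl/froxlor and panel.example.com).
set -u

# make_selfsigned_cert DIR CN
#   Writes DIR/CN.key (RSA 2048, mode 0600) and DIR/CN.crt (self-signed, SHA-256,
#   valid 365 days). Returns 0 on success.
make_selfsigned_cert() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir" || return 1
    # subshell so the restrictive umask does not leak into the caller
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" >/dev/null 2>&1
    )
}

# cert_matches_key CRT KEY
#   Compares the public key embedded in the certificate with the public key
#   derived from the private key. A mismatch (e.g. an old .crt next to a freshly
#   regenerated .key) is a common reason an SSL vhost refuses to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Usage: sh mkcert.sh /etc/ssl/froxlor panel.example.com
# Afterwards point "Path to the SSL certificate" at DIR/CN.crt and
# "Path to the SSL Keyfile" at DIR/CN.key in the IP/Port settings.
if [ $# -eq 2 ]; then
    make_selfsigned_cert "$1" "$2" \
        && cert_matches_key "$1/$2.crt" "$1/$2.key" \
        && echo "certificate and key written to $1 and verified"
fi
```

A self-signed certificate here only serves to give the IP/Port vhost something to load; browsers will still warn on the system hostname until a real certificate is installed there.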

Thanks for your help,

Yes, I put my self-signed certificate back in the IP/Port settings, so now 10_froxlor_ipandport_xxxxxxxxxxx.443.conf has the certificate and doesn't give me the "[error] xxxxxx.com :: empty certificate file! Cannot create ssl-directives" error. That's good.

But if I try to access the domain that has Let's Encrypt activated (I disabled wildcard and changed to www), I see that it is using my self-signed certificate instead of a Let's Encrypt one, and I don't see any errors in the log.

The settings for that domain are:

SSL IP address(es): activated

Use Let's Encrypt: Yes

ServerAlias value for the domain: WWW (www.domain.tld)

On System/Settings/SSL Settings:

Let's Encrypt environment: Live

Let's Encrypt country code: ES

Let's Encrypt state: Spain

Path for Let's Encrypt challenges: /var/www/froxlor (which is correct)

Key size for new Let's Encrypt certificates: 4096

Re-use Let's Encrypt key / CSR: No

How can I check whether Let's Encrypt is generating the certificate? It seems it is not doing anything at all.

Thanks,

Lluc


Check whether letsencrypt is in your /etc/cron.d/froxlor file (if not, run the cronjob with --force, see the note in the announcement).


Yes, it is:

# automatically generated cron-configuration by froxlor
# do not manually edit this file as it will be re-generated periodically.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
*/5 * * * * root /usr/bin/nice -n 5 /usr/bin/php5 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --tasks 1> /dev/null
0 */6 * * * root /usr/bin/nice -n 5 /usr/bin/php5 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --mailboxsize 1> /dev/null
*/5 * * * * root /usr/bin/nice -n 5 /usr/bin/php5 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt 1> /dev/null

Also, according to the logs, it seems it's trying to look for a token, but that directory doesn't really exist; the directory is at /var/www/froxlor/.well-known/acme-challenge:

Could not get Let's Encrypt certificate for xxxxxxxx.com: Please check http://xxxxxxxx.com/.well-known/acme-challenge/8fyzyv9H_IW2BNwwNGlKaME1NVurzavIZN9ut-QpZao - token not available

Any ideas?

Thanks,

Lluc


Can you validate that the acme Alias is being included correctly in your webserver?

Regarding the files in the folder, I already told you:

Also, /var/www/froxlor/.well-known/acme-challenge is mostly empty because the files are not kept; they exist just for the challenge and are removed right after.

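An added check (not from this thread or from Froxlor) for the question in the reply above: confirm that the webserver really serves the challenge directory over plain HTTP for the domain before Let's Encrypt runs, which is exactly what the "token not available" message is complaining about. It writes a throwaway token where Froxlor would, fetches it the way the validation does (plain http://, as in the log line quoted earlier), and removes it again. Assumptions: the challenge root is /var/www/froxlor (the "Path for Let's Encrypt challenges" value in this thread), the domain is given on the command line, and curl is installed; FETCH can be overridden to run the check offline.

```shell
#!/bin/sh
# Added example, not Froxlor's own code: probe the ACME alias before enabling Let's Encrypt.
# Assumptions: CHALLENGE_ROOT defaults to /var/www/froxlor (the "Path for Let's Encrypt
# challenges" setting); the domain is given on the command line; curl is installed.
set -u

CHALLENGE_ROOT="${CHALLENGE_ROOT:-/var/www/froxlor}"
# Command used to fetch a URL and print its body; overridable (e.g. FETCH=cat for an offline test).
FETCH="${FETCH:-curl -fsS --max-time 10}"

# make_token: random 64-char hex string, a stand-in for the token Froxlor writes
make_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_acme_alias BASE
#   Drops a throwaway token into CHALLENGE_ROOT/.well-known/acme-challenge/, fetches
#   BASE/.well-known/acme-challenge/<token> (BASE is normally http://<domain>; the
#   http-01 validation uses plain HTTP, as the log line in the thread shows), removes
#   the file again and returns 0 only if the served body is exactly the token.
check_acme_alias() {
    base="$1"
    dir="$CHALLENGE_ROOT/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(make_token)
    printf '%s' "$token" > "$dir/$token" || return 1
    body=$($FETCH "$base/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"          # leave the directory empty again, as Froxlor does
    if [ "$rc" -ne 0 ]; then
        echo "fetch failed: alias not served or port 80 unreachable" >&2
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "wrong body: another vhost, a redirect or an error page answered" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_acme.sh example.com
if [ $# -eq 1 ]; then
    if check_acme_alias "http://$1"; then
        echo "acme-challenge alias OK for $1"
    else
        echo "acme-challenge alias NOT served for $1; fix the webserver config before enabling Let's Encrypt"
        exit 1
    fi
fi
```

Run it as root (the challenge directory is normally not writable by other users) for each domain, including www.<domain>, that you enable Let's Encrypt on; a redirect from http:// to https:// on the domain's vhost will also make the check fail, which is worth knowing before blaming the cron job.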

I did it! It's working now :)

For some reason, when I enable Let's Encrypt on one of the domains, if I force the cronjob and check the 35_froxlor_ssl_vhost_xxxxxxxxx.com.conf file, I see it is using the certificate from the system hostname domain (the one set up in PORTS/IP). If I force the cronjob again, then it gets the Let's Encrypt certificate.

Although I have one last question, which is how I can use Let's Encrypt on the system hostname instead of the self-signed certificate that I'm using now. I don't see how it can be done.

Thanks for your help ;)


It does take two cron runs for LE to work: one for the challenge and one for the cert.

LE for the hostname itself will be available in 0.9.36.


Hi,

Version 0.9.36 is out. Did I miss the option for the host, or will it be released later?

Regards,

Afox


No, it's not added yet. It's not as easy as for customer domains, because the system hostname is not a "normal" domain in the domain table. We are working on it, but I can't make any promises; we do this in our spare time and for free.


> No, it's not added yet. It's not as easy as for customer domains, because the system hostname is not a "normal" domain in the domain table. We are working on it, but I can't make any promises; we do this in our spare time and for free.

Thank you for the hard work, I appreciate it. Can we please have an update on the progress of this?
