
#1 2018-05-22 13:40:24

CarterCox
Member
From: Argentina
Registered: 2018-02-24
Posts: 116

Prerequisites for Let's Encrypt

Hi guys. I'm trying to set up an HTTPS server on my old laptop. So far everything is working but SSL. I've tried Apache and Nginx. My question is: what do I need to do before running (other than installing certbot-<plugin_name>):

#certbot --nginx      # or --apache

Do I need to forward specific ports to my computer? Do I need to create virtual hosts/server blocks?


And neither the angels in Heaven above
   Nor the demons down under the sea
Can ever dissever my soul from the soul
   Of the beautiful Annabel Lee;


#2 2018-05-22 13:44:56

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,530

Re: Prerequisites for Let's Encrypt

You may need to be listening on an open port 443.  I say 'may' as you may be able to get the certs regardless, but it wouldn't make a whole lot of sense if you aren't going to be listening on 443.

But otherwise, just follow the wiki or the certbot documentation.  I prefer to not let certbot modify my configs, so I use 'certonly', but that's a matter of preference.  But yes, you will need any relevant virtual host set up first, otherwise you have nothing to get certs for (edit: it might be possible to work around this too using various manual steps, but as you will be setting up the vhosts anyways, just do it the easy way: set up the server, vhosts and all, then get whatever cert(s) you need.)

Last edited by Trilby (2018-05-22 13:55:23)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2018-05-22 14:25:01

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,863

Re: Prerequisites for Let's Encrypt

Let's Encrypt needs to verify your certificate requests are valid, and AFAIK you can either automate the validation by letting certbot create files in your webroot (under .well-known/acme-challenge), or you can verify your requests manually by updating the TXT record for your domain. The former requires that your webserver be open to the internet (presumably on port 443), and capable of serving files. Both methods are somewhat documented on the wiki, but as Trilby says, you should check Let's Encrypt's documentation.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.
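The webroot (HTTP-01) validation WorMzy describes, carried through as an added worked example; this is not code from the thread, from certbot or from Let's Encrypt. It builds the "key authorization" the CA expects to find at /.well-known/acme-challenge/<token> (token plus account-key thumbprint, RFC 8555 section 8.1 and RFC 7638), writes it the way a webroot authenticator would, routes the CA's request through the same kind of Alias mapping the wiki's httpd-acme.conf uses, and checks the served body the way the CA does. The JWK, the token and the temporary directory layout are constructed sample values.

```python
"""HTTP-01 validation, end to end, on a temporary webroot (constructed example)."""
import base64
import hashlib
import json
import os
import re
import tempfile

# ACME tokens are base64url without padding (RFC 8555 section 8.3); anything else is
# refused before it can become a file name.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample account key (public part only); the modulus is a placeholder.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects: token, a dot, the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(challenge_dir: str, token: str, jwk: dict) -> str:
    """What a webroot authenticator does: put the key authorization in a file named after the token."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def resolve_alias(request_path: str, alias_prefix: str, target_dir: str) -> str:
    """Mirror of the wiki's Alias directive: map /.well-known/acme-challenge/<token> onto the
    challenge directory and refuse any request that would resolve outside it."""
    if not request_path.startswith(alias_prefix):
        raise FileNotFoundError(request_path)
    root = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(root, request_path[len(alias_prefix):]))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("request escapes the challenge directory")
    return candidate


def validate(served_body: bytes, token: str, jwk: dict) -> bool:
    """The CA's side: the body, trailing whitespace ignored, must equal the key authorization."""
    return served_body.rstrip(b" \t\r\n") == key_authorization(token, jwk).encode("ascii")


def run_demo() -> dict:
    """Provision a challenge, 'serve' it through the alias mapping and validate it; also show
    that a corrupted body, a different token and a traversal attempt all fail."""
    alias = "/.well-known/acme-challenge/"
    token = "DGyRejmCefe7v4NfDGDKfA"  # constructed sample token
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        write_challenge(challenge_dir, token, SAMPLE_JWK)
        with open(resolve_alias(alias + token, alias, challenge_dir), "rb") as fh:
            body = fh.read()
        results = {
            "good": validate(body, token, SAMPLE_JWK),
            "corrupted_body": validate(body + b"x", token, SAMPLE_JWK),
            "wrong_token": validate(body, "someOtherToken", SAMPLE_JWK),
        }
        try:
            resolve_alias(alias + "../../../../etc/passwd", alias, challenge_dir)
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point for the setup discussed here: the CA only needs port 80 (or 443) reachable and a plain file served from that one path, so a vhost on 80 that can serve static files is enough for the challenge, and the Alias target does not need to be inside DocumentRoot.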


#4 2018-05-22 17:03:35

CarterCox
Member
From: Argentina
Registered: 2018-02-24
Posts: 116

Re: Prerequisites for Let's Encrypt

Ok, thanks guys. I've been reading the Apache, certbot and Let's Encrypt documentation and I've made a lot of progress. What I did so far:

0- Installed apache, certbot-apache
1- Forwarded 80 and 443
2- Allowed 80 and 443 on my firewall
3- Edited required files (see end of the post)
4- Generated the keys using openssl (the 2nd method for CSR)
5- I configured everything and ran certbot --apache. After that it told me I had to create a virtual host on 80 (I forgot to do it before), which I did, using this one https://wiki.archlinux.org/index.php/Ap … tual_hosts changing what needed to be changed, which is my URL and email for most settings in the main config file.
6- Ran certbot --apache and now I get this error that I can't solve:

Error while running apachectl configtest.

AH00526: Syntax error on line 1 of /etc/httpd/conf/le_http_01_challenge_pre.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

And that stupid file doesn't even exist, I'm guessing it's generated by certbot, which leads me to believe there is some setting wrong.

Should I repeat everything with the virtual host on 80?

Files:

/etc/httpd/conf/extra/httpd-acme.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
/etc/httpd/conf/extra/httpd-ssl.conf
# Here I only changed the server name and my email address
/etc/httpd/conf/httpd.conf
ServerAdmin <my_email_address>
Listen 80
...
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-acme.conf

# I added this in step 5
<VirtualHost *:80>
    ServerAdmin <my_email_address>
    DocumentRoot "/home/archie/http/<my_url>"
    ServerName <my_url>
    ServerAlias <my_url>
    ErrorLog "/var/log/httpd/<my_url>-error_log"
    CustomLog "/var/log/httpd/<my_url>-access_log" common

    <Directory "/home/archie/http/<my_url>">
        Require all granted
    </Directory>
</VirtualHost>



#5 2018-05-22 17:16:08

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,530

Re: Prerequisites for Let's Encrypt

When I used apache, certbot's automatic mechanisms never worked (and they were documented as not yet working).  It seems they may have improved a bit, but I'd still definitely just use 'certonly' with apache and just add the certs to your vhosts.conf yourself.

But on a much bigger picture level, you are definitely doing things the hard way: take it one step at a time making sure each step works first.

First, just set up your server the way you want (including any vhosts) and make sure that's all working.  You can serve http on port 80 without any certs.  You can even serve https on 443 without any certs, but browsers will just complain a lot: Firefox is the most pedantic and might not show any content, but most browsers will just warn you and ask if you want to continue.

Then - only after your server is up and running - run certbot to generate your cert(s) then just add the relevant lines to your config and restart the server.  For apache that'd just mean adding two lines to your vhosts listening on 443:

   SSLCertificateKeyFile "/etc/letsencrypt/live/<whatever>/privkey.pem"
   SSLCertificateFile "/etc/letsencrypt/live/<whatever>/fullchain.pem"

Then, once you are serving reliably on 80 and 443, you can redirect everything from http to https if you want (also just edit your vhosts.conf)

At no time in this process do you need to generate a self-signed certificate.

Overall, I suspect the root of your problem may be that your server itself isn't yet running properly.  Debug that first before you add certbot (or any TLS/SSL) to the mix.

Last edited by Trilby (2018-05-22 17:18:54)




#6 2018-05-22 19:04:34

CarterCox
Member
From: Argentina
Registered: 2018-02-24
Posts: 116

Re: Prerequisites for Let's Encrypt

Yeah, the browsers complain a lot if you don't have a certificate. In fact, they make it seem worse than not having SSL at all...

Aaaanyways, problem solved. It wasn't the server, but some missing information in the Wiki. For it to succeed there is a module that needs to be enabled in httpd.conf:

/etc/httpd/conf/httpd.conf
...
LoadModule rewrite_module modules/mod_rewrite.so

After that, certbot --apache succeeds fine.

Thanks guys!

PS: I added it to the Wiki.

https://wiki.archlinux.org/index.php/Ap … #TLS.2FSSL

Last edited by CarterCox (2018-05-22 19:04:54)


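A small static check that would have caught both things this thread turned on: the module that was missing in post #4 (rewrite_module; ssl_module and socache_shmcb_module come from the httpd-ssl.conf setup shown there) and, per Trilby's procedure in post #5, a vhost on 443 that actually carries SSLEngine plus the SSLCertificateFile/SSLCertificateKeyFile lines. This is an added example, not certbot's or Apache's code; the config parser is deliberately simplified (comment lines skipped, sections inside a vhost flattened) and the two sample configs are constructed, modelled on the httpd.conf from post #4 before and after the fix.

```python
"""Static check of an Apache config for loaded modules and a usable :443 vhost (constructed example)."""
import re
from dataclasses import dataclass, field

LOADMODULE_RE = re.compile(r"^LoadModule\s+(\S+)\s+", re.IGNORECASE)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.IGNORECASE)

# rewrite_module is what was missing in the thread; the other two are loaded in post #4's config.
REQUIRED_MODULES = {"rewrite_module", "ssl_module", "socache_shmcb_module"}
# What Trilby's two lines (plus SSLEngine on) give a :443 vhost.
TLS_DIRECTIVES = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")


@dataclass
class VHost:
    addresses: str
    directives: dict = field(default_factory=dict)  # lower-cased directive name -> value


def parse_config(text: str):
    """Return (set of loaded module names, list of VHost). Commented-out lines are skipped,
    so a '#LoadModule rewrite_module ...' does not count as loaded."""
    modules, vhosts, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := LOADMODULE_RE.match(line):
            modules.add(m.group(1))
        elif m := VHOST_OPEN_RE.match(line):
            current = VHost(m.group(1).strip())
        elif VHOST_CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and not line.startswith("<"):
            name, _, value = line.partition(" ")
            current.directives[name.lower()] = value.strip().strip('"')
    return modules, vhosts


def find_problems(text: str) -> list:
    """Human-readable findings; an empty list means the config passes this check."""
    modules, vhosts = parse_config(text)
    problems = [f"module not loaded: {m}" for m in sorted(REQUIRED_MODULES - modules)]
    for v in vhosts:
        # The configtest error from post #4 in checkable form: Rewrite* directives need mod_rewrite.
        if "rewrite_module" not in modules and any(d.startswith("rewrite") for d in v.directives):
            problems.append(f"VirtualHost {v.addresses}: Rewrite* directives but rewrite_module is not loaded")
    tls_hosts = [v for v in vhosts if v.addresses.endswith(":443")]
    if not tls_hosts:
        problems.append("no VirtualHost listening on 443")
    for v in tls_hosts:
        for d in TLS_DIRECTIVES:
            if d.lower() not in v.directives:
                problems.append(f"VirtualHost {v.addresses}: missing {d}")
    return problems


# Constructed sample modelled on the httpd.conf in post #4, before the fix.
SAMPLE_BEFORE = """\
ServerAdmin admin@example.test
Listen 80
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule rewrite_module modules/mod_rewrite.so
Include conf/extra/httpd-ssl.conf

<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot "/srv/http/www.example.test"
</VirtualHost>
"""

# The same config after post #6's fix, plus a 443 vhost done Trilby's way (certonly, then add the lines).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("#LoadModule rewrite", "LoadModule rewrite") + """\
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot "/srv/http/www.example.test"
    SSLEngine on
    SSLCertificateKeyFile "/etc/letsencrypt/live/www.example.test/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/www.example.test/fullchain.pem"
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_problems(cfg) or "ok")
```

Run it against your real httpd.conf (with the Include'd extra files concatenated in) before the first certbot run; apachectl configtest reports the same missing module, but only once certbot has already written its challenge config, which is the confusing state post #4 ended up in.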

