From 724cc20ed29e6de0fbb6511e786404c3bf2d43dd Mon Sep 17 00:00:00 2001
From: Willy Sudiarto Raharjo
Date: Sun, 14 May 2017 09:55:23 +0700
Subject: system/letsencrypt: Updated for version 0.14.1.
Apache Plugin is now enabled, Thanks to Eric Pratt.
Signed-off-by: Willy Sudiarto Raharjo
---
 system/letsencrypt/README.Slackware | 40 +++++++++++++++++++------------
 system/letsencrypt/letsencrypt.SlackBuild | 16 +++++++++----
 system/letsencrypt/letsencrypt.info | 6 ++---
 3 files changed, 39 insertions(+), 23 deletions(-)
diff --git a/system/letsencrypt/README.Slackware b/system/letsencrypt/README.Slackware
index 4a2e7e15fd..97d34b4f5b 100644
--- a/system/letsencrypt/README.Slackware
+++ b/system/letsencrypt/README.Slackware
@@ -1,12 +1,12 @@
-PLUGIN SUPPORT
+PLUGINS SUPPORT
 letsencrypt support five plugins to obtain/install certificates and many more to come in the future.
-However, we will only cover standalone plugin because apache plugin only works on Debian-based OS for now
-and nginx is still considered very experimental.
+However, we will only cover standalone and apache plugin. Using apache plugin is the recommended way
+as it doesn't require the webserver to be taken offline causing downtime during validation.
-OBTAINING CERTIFICATE USING STANDALONE PLUGIN
-Since Slackware is not yet supported, instead of running "letsencrypt-auto certonly"
-as instructed, you can run "letsencrypt certonly" to install certificates manually using standalone plugin.
+All domain-spesific configuration files are stored in /etc/letsencrypt/live/
+Once certificate is created, you need to enable SSL module in httpd.conf and configure httpd-ssl.conf
+OBTAINING CERTIFICATE USING STANDALONE PLUGIN
 Here's what i use to create a certificate using port 443 for domain validation
 certbot certonly --webroot-path= --preferred-challenges tls-sni-01 -d \
 --email --renew-by-default --agree-tos --text --standalone
@@ -16,23 +16,33 @@ If you want to use port 80 for domain validation, replace with
 --preferred-challenges http-01
+Since 0.14.1, letsencrypt is able to generate/renew all certificates for all of your configured vhost domains.
+Just run letsencrypt or certbot and you will see all domains are available.
+
 NOTE: You need to make sure that the port (80 or 443) is NOT USED before running above command (ie. you may need to temporarily stop your exising webserver)
-All domain-spesific configuration files are stored in /etc/letsencrypt/live/
-Once certificate is created, you need to enable and configure httpd-ssl.conf
+OBTAINING CERTIFICATE USING APACHE PLUGIN
+Thanks to Eric Pratt, certbot/letsencrypt's Apache Plugin is now working well with Slackware.
+
+Here's what i use to create a certificate using port 443 for domain validation
+certbot certonly --apache --webroot-path= --preferred-challenges tls-sni-01 -d \
+--email --renew-by-default --agree-tos --text
 RENEWAL PROCESS
-Best way is to use a simple bash script that perform following actions:
-- turn off httpd service
-- give some delay (2s is enough)
-- run the above command to renew automatically
-- start httpd service
+Best way to automate the certificate renewal is by using cron service.
+Create a bash script in /etc/cron.d/monthly that does the following actions (depending on which plugin you used):
+Standalone: - turn off httpd service
+            - give some delay (2s is enough)
+            - run the same command generate the certificate to renew automatically
+            - start httpd service
+Apache Plugin: run the same command to generate the certificate to renew automatically
 RATE LIMIT
 Rate limit on registrations per IP is now 500 per 3 hours.
 Rate limit on certificates per Domain is now 20 per 7 days.
+See complete documentation here: https://letsencrypt.org/docs/rate-limits/
 CONFIGURATION FILES
@@ -56,8 +66,8 @@ rsa-key-size = 4096
 # Uncomment to use a text interface instead of ncurses
 # text = True
-# Uncomment to use the standalone authenticator on port 443
-# authenticator = standalone
+# Uncomment to use the standalone or apache authenticator on port 443
+# authenticator = standalone / apache
 # preferred-challenges = tls-sni-01
 # Uncomment to use the webroot authenticator. Replace webroot-path with the
diff --git a/system/letsencrypt/letsencrypt.SlackBuild b/system/letsencrypt/letsencrypt.SlackBuild
index ceefe5f90b..fbbec0c1c4 100644
--- a/system/letsencrypt/letsencrypt.SlackBuild
+++ b/system/letsencrypt/letsencrypt.SlackBuild
@@ -24,7 +24,7 @@
 PRGNAM=letsencrypt
 SRCNAM=certbot
-VERSION=${VERSION:-0.14.0}
+VERSION=${VERSION:-0.14.1}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
@@ -72,6 +72,12 @@ find -L . \
 sed -i "/'argparse',/d" setup.py
 sed -i "/'argparse',/d" acme/setup.py
+sed -i 's/apache2ctl/apachectl/' certbot-apache/certbot_apache/constants.py
+
+for i in $(grep -ri /apache2 * | cut -d: -f1 | sort -u)
+do
+  sed -i 's/\/apache2/\/httpd/' $i
+done
 # install acme-protocol first
 cd acme
@@ -79,17 +85,17 @@ python setup.py install --root=$PKG
 # install letsencrypt client
 cd ..
-
 python setup.py install --root=$PKG
 # this plugins are not working for Slackware yet, but we will keep it here
 # install apache plugin
-#cd letsencrypt-apache
-#python setup.py install --root=$PKG
+cd certbot-apache
+python setup.py install --root=$PKG
+cd ..
 # install nginx plugin
-#cd ../letsencrypt-nginx
+#cd ../certbot-nginx
 #python setup.py install --root=$PKG
 find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
diff --git a/system/letsencrypt/letsencrypt.info b/system/letsencrypt/letsencrypt.info
index b3226952ab..d9fd4e9e27 100644
--- a/system/letsencrypt/letsencrypt.info
+++ b/system/letsencrypt/letsencrypt.info
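Review bot: The `sed -i 's/\/apache2/\/httpd/' $i` inside the new for loop has no `g` flag, so only the first `/apache2` on a matched line is rewritten and a line naming two Debian paths keeps its second one; `sed -i 's#/apache2#/httpd#g' "$i"` covers every occurrence and also quotes the filename. The file list is fragile as well: `grep -ri /apache2 * | cut -d: -f1` is case-insensitive while the sed is not, so a file whose only hit is `Apache2` is listed but left unchanged, and should grep report a binary match, the words of its `Binary file ... matches` line become loop items; `grep -rlI /apache2 .` returns one filename per line and skips binaries. Because this rewrite is what makes the freshly enabled Apache plugin operate on Slackware's httpd configuration rather than the Debian defaults, a path that survives untouched only fails at run time, and a prefix rewrite presumably turns something like `/etc/apache2/sites-available` into `/etc/httpd/sites-available`, which is worth verifying against constants.py; a comment such as `# Point certbot-apache at Slackware's httpd layout (/etc/httpd, apachectl) instead of the Debian defaults` would make the intent clear.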
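Review bot: The commented nginx path `#cd ../certbot-nginx` is now inconsistent with the new flow: since the enabled apache block returns to the source root with `cd ..`, uncommenting it would leave the source tree instead of entering the plugin directory, so it should read `#cd certbot-nginx` with a matching `#cd ..` after its install line. The context comment `# this plugins are not working for Slackware yet, but we will keep it here` now sits directly above the live `cd certbot-apache` / `python setup.py install --root=$PKG` lines and contradicts them; moving it under `# install nginx plugin` and rewording it to `# the nginx plugin is still not working on Slackware, so it stays disabled` keeps the script honest about what the package ships.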
@@ -1,8 +1,8 @@
 PRGNAM="letsencrypt"
-VERSION="0.14.0"
+VERSION="0.14.1"
 HOMEPAGE="https://letsencrypt.org/"
-DOWNLOAD="https://github.com/certbot/certbot/archive/v0.14.0/certbot-0.14.0.tar.gz"
-MD5SUM="d96ee153d27604ce1a52b19f674a56f1"
+DOWNLOAD="https://github.com/certbot/certbot/archive/v0.14.1/certbot-0.14.1.tar.gz"
+MD5SUM="9a0833266ea026e882009c6fe27ff49b"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
 REQUIRES="configobj mock python-requests pytz python2-pythondialog zope.component pyrfc3339 psutil python-parsedatetime python-configargparse werkzeug ndg_httpsclient python-augeas pyparsing"
-- 
cgit v1.2.3