  1. #1

    Server SSL Certificate via LetsEncrypt

    Within the Siteworx Interface for each account I can easily generate an SSL Certificate with "Generate All With Let's Encrypt" - unfortunately this option isn't available for the Nodeworx - "Server - SSL Certificates".

    Is there any workaround to get the Letsencrypt SSL Certificate for the Server itself?

    Thanks,
    Thomas

  2. #2
    Hi thomas

    The easiest way is to create a siteworx account for the server hostname, create the SSL and then copy the cert to nodeworx ssl

    This is because the server hostname is not a siteworx account

    You can view all the SSL files from siteworx SSL, copy them and then goto nodeworx, SSL and delete the current SSL cert, create new and paste accordingly on each

    I hope that helps

    Many thanks

    John

  4. #3
    I've always had a SW account for my server's host mostly for mail reasons. It probably would not have occurred to me I could just paste the LE certificate like that, so thanks from me too John!

  5. #4
    Hi John,

    Just tried it, but as I have the DNS entries already (it's a productive system, currently with GoDaddy SSL Cert) I can't create a new NodeWorx account.

    In addition I just saw that I use a SAN certificate for that, and with the GUI I can only issue standard SSL certificates.

    Can I just create the SSL certificates manually (found the binaries of letsencrypt in /root/.local/.....) or would that screw up the system?

    Thanks,
    Thomas

    Originally posted by d2d4j:
    Hi thomas

    The easiest way is to create a siteworx account for the server hostname, create the SSL and then copy the cert to nodeworx ssl

    This is because the server hostname is not a siteworx account

    You can view all the SSL files from siteworx SSL, copy them and then goto nodeworx, SSL and delete the current SSL cert, create new and paste accordingly on each

    I hope that helps

    Many thanks

    John

  6. #5
    Hi Thomas

    Many thanks, and yes, you can create SSL manually using LE, but please be careful

    The method I mentioned above is not creating a Nodeworx account, it is creating a siteworx account which matches the hostname of the server, and therefore no DNS entries would have been made in IW. E.g. hostname myserver.url, create siteworx account called myserver.url

    Then log in to your hostname siteworx account and create the LE SSL. Once the SSL is created, view the private key and make a copy, and do the same with the SSL and chains.

    Then go back to your nodeworx admin account, go to server SSL, and click update SSL, then select all areas of change you want, and paste the private key, the SSL (including chains) and other details you need, save and restart services.

    I have included 2 pics to show you if it helps.

    Please note though, LE SSL is not a wildcard SSL, and of course, you will need to renew every 3 Months I think it is

    I hope that helps a little

    Many thanks

    John

  7. #6
    Hi John!

    I have a quick question about that: will these LE certs (both nodeworx and siteworx) renew automatically (via cron maybe??) every 3 months?

    Thank you, Gabor.

  9. #7
    Hi Gabor

    I hope you're keeping well

    LE is only on siteworx accounts, and not on nodeworx

    You can copy and paste the SSL set up by LE into the nodeworx SSL, but you would need to do this every time it renews

    I think LE requires a siteworx account for its DNS settings, which confirms the domain is live and pointed at your server, but I think this may be a good feature to have for nodeworx, so I'll email IW this thread so you have credit

    I hope that helps a little

    Many thanks

    John

  11. #8
    Oops sorry

    All siteworx LE renew automatically on a cron

    Many thanks

    John

  13. #9
    Thanks John for the quick reply, I successfully generated the LE cert in siteworx, this will work and auto renew by cron - as you described.

    If I'm right I only have to copy this into nodeworx every 3 months, because the LE cron is working only in siteworx. It would be a great feature if it could also auto renew like in siteworx

    Thanks, Gabor.

  14. #10
    It also would be a good option to use an existing CSR on renewal. It is necessary if you are using HPKP.

  15. #11
    Hi dss

    Many thanks, sorry I seem to think you had to generate a new CSR for every new SSL, and was not allowed under RFC to keep same CSR for renewal

    I could be wrong so apologies in advance as it's just something I seem to remember

    Sorry, what is HPKP?

    Many thanks

    John


  17. #12
    Hi John,

    HPKP (HTTP Public Key Pinning) is a protection against MITM attacks, you can read more here. As far as I know, the Let's Encrypt plugin generates everything on renewal; it is not possible to have "fixed" public keys. It is possible to generate a certificate manually with the certonly --csr commands, but as far as I know it will not work with automatic renewal.

  19. #13
    Hi dss

    Many thanks

    I think as LE expires every 3 months, the CSR does need to be renewed. As I said, it's in my mind that CSR renewal is required when the cert expires

    On this occasion, it may be better using a paid SSL with max 3 years

    I could be wrong though, so I apologise in advance

    Many thanks

    John


  21. #14
    Here's a bash script I just completed to copy the siteworx SSL certificates to nodeworx SSL and update all the services automatically. It would be nice if it ran right after the renewal process

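    #!/bin/bash
    # Copy the SiteWorx Let's Encrypt certificate for $domain into the NodeWorx server SSL settings

    user="INSERT__NODEWORX_EMAIL__HERE"
    domain="INSERT__DOMAIN_HERE__INLOWERCASE"

    # Read the private key, certificate and chain that SiteWorx keeps for the domain
    key=$(cat "/home/server/var/$domain/ssl/$domain.priv.key")
    sslcrt=$(cat "/home/server/var/$domain/ssl/$domain.crt")
    chain=$(cat "/home/server/var/$domain/ssl/$domain.chain.crt")

    # Cipher suite string passed to NodeWorx (quoted below so the shell passes it as one argument)
    cypher='HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW'

    # The line break inside --crt is intentional: the chain goes on the line after the certificate
    nodeworx -u "$user" -o pretty -n -v -c Ssl --ssl_ciphersuite "$cypher" --key "$key" --crt "$sslcrt
    $chain" --restart_now 1 --services all --action updateall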



    This assumes you already have a siteworx account with the same domain name as your control panel on the same server. It will work with LetsEncrypt.
    Note that RETURN is intentional so that it creates the CHAIN in the next line down.

    Enjoy!
    Last edited by marco114; 03-22-2017 at 03:05 PM.
    ---
    Marc Pope
    Falcon Internet
    http://www.falconinternet.net/
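
An added example, not part of marco114's script or of InterWorx: checks worth running on the copied files before they are installed, which also computes the public-key (SPKI) hash that the HPKP discussion above depends on, so a renewal that silently changed the key is caught. It assumes the `openssl` command-line tool is installed; the function names and the hostname `panel.example.test` are hypothetical.

```shell
#!/bin/bash
# Added example: checks to run before a copied certificate is installed.
# Function names and the hostname below are hypothetical.

# Base64 SHA-256 of the public key (SPKI), the value an HPKP header pins.
spki_pin() {  # $1 = cert|key, $2 = PEM file
    local pub
    if [ "$1" = cert ]; then
        pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    else
        pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | openssl base64
}

# preflight CERT KEY HOSTNAME [MIN_DAYS] [PINNED_VALUE]
# Prints "ok pin-sha256=..." and returns 0 only when every check passes.
preflight() {
    local crt="$1" key="$2" host="$3" days="${4:-7}" want="${5:-}" cpin kpin
    cpin=$(spki_pin cert "$crt") || { echo "unreadable certificate"; return 1; }
    kpin=$(spki_pin key "$key") || { echo "unreadable private key"; return 1; }
    [ "$cpin" = "$kpin" ] || { echo "key does not match certificate"; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "certificate expires within $days days"; return 1; }
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "certificate does not cover $host"; return 1; }
    if [ -n "$want" ] && [ "$want" != "$cpin" ]; then
        echo "public key changed, pin is now $cpin"; return 1
    fi
    echo "ok pin-sha256=$cpin"
}

# Constructed sample: a throwaway self-signed certificate, checked once.
demo() {
    local d rc=0
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=panel.example.test" \
        -keyout "$d/new.key" -out "$d/new.crt" 2>/dev/null || rc=1
    [ "$rc" -eq 0 ] && { preflight "$d/new.crt" "$d/new.key" panel.example.test || rc=1; }
    rm -rf "$d"
    return "$rc"
}
demo
```

In a copy script like the one above, `preflight` would be called with the `.crt` and `.priv.key` paths under `/home/server/var/$domain/ssl/` and the `nodeworx` update skipped when it returns non-zero.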

  23. #15
    Hi marco114

    Kudos to you, many thanks for sharing

    John
