Server SSL Certificate via LetsEncrypt

  • Server SSL Certificate via LetsEncrypt

    Within the Siteworx Interface for each account I can easily generate an SSL Certificate with "Generate All With Let's Encrypt" - unfortunately this option isn't available for the Nodeworx - "Server - SSL Certificates".

    Is there any workaround to get the Letsencrypt SSL Certificate for the Server itself?

    Thanks,
    Thomas

  • #2
    Hi Thomas

    The easiest way is to create a siteworx account for the server hostname, create the SSL and then copy the cert to nodeworx ssl

    This is because the server hostname is not a siteworx account

    You can view all the SSL files from siteworx SSL, copy them and then go to nodeworx, SSL and delete the current SSL cert, create new and paste accordingly on each

    I hope that helps

    Many thanks

    John



    • #3
      I've always had a SW account for my server's host mostly for mail reasons. It probably would not have occurred to me I could just paste the LE certificate like that, so thanks from me too John!



      • #4
        Hi John,

        Just tried it, but as I have the DNS entries already (it's a productive system, currently with GoDaddy SSL Cert) I can't create a new NodeWorx account.

        In addition I just saw that I use a SAN certificate for that, and with the GUI I can only issue standard SSL certificates.

        Can I just create the SSL certificates manually (found the binaries of letsencrypt in /root/.local/.....) or would that screw up the system?

        Thanks,
        Thomas



        • #5
          Hi Thomas
          Many thanks, and yes, you can create SSL manually using LE, but please be careful
          The method I mentioned above is not creating a Nodeworx account, it is creating a siteworx account which matches the hostname of the server, and therefore no DNS entries would have been made in IW. E.g. hostname myserver.url, create siteworx account called myserver.url
          Then login to your hostname siteworx account, and create LE SSL. Once SSL is created, view the private key, and make a copy, and do the same with the SSL and chains.
          Then go back to your nodeworx admin account, go to server SSL, and click update SSL, then select all areas of change you want, and paste the private key, the SSL (including chains) and other details you need, save and restart services.
          I have included 2 pics to show you if it helps.
          Please note though, LE SSL is not a wildcard SSL, and of course, you will need to renew every 3 months I think it is
          I hope that helps a little
          Many thanks
          John


          • #6
            Hi John!

            I have a quick question about that: will these LE certs (both nodeworx and siteworx) renew automatically (via cron maybe??) every 3 months?

            Thank you, Gabor.



            • #7
              Hi Gabor

              I hope you're keeping well

              LE is only on siteworx accounts, and not on nodeworx

              You can copy and paste the SSL set up by LE into the nodeworx SSL but you would need to do this every time it renews

              I think LE requires a siteworx account for its DNS settings, which confirms the domain is live and pointed at your server, but I think this may be a good feature to have for nodeworx, so I'll email IW this thread so you have credit

              I hope that helps a little

              Many thanks

              John



              • #8
                Oops sorry

                All siteworx LE renew automatically on a cron

                Many thanks

                John



                • #9
                  Thanks John for the quick reply, I successfully generated the LE cert in siteworx, this will work and auto renew by cron - as you described.

                  If I'm right I only have to copy this into nodeworx every 3 months because the LE cron is working only in siteworx. It will be a great feature if it can also auto renew like in siteworx :)

                  Thanks, Gabor.



                  • #10
                    It also would be a good option to use an existing CSR on renewal. It is necessary if you are using HPKP.



                    • #11
                      Hi dss

                      Many thanks, sorry I seem to think you had to generate a new CSR for every new SSL, and it was not allowed under RFC to keep the same CSR for renewal

                      I could be wrong so apologies in advance as it's just something I seem to remember

                      Sorry, what is HPKP?

                      Many thanks

                      John



                      • #12
                        Hi John,

                        HPKP (HTTP Public Key Pinning) is against MITM attack, you can read more here. As I know, the Let's Encrypt plugin generates everything on renew; it is not possible to have "fixed" public keys. It is possible to generate a certificate manually with certonly --csr commands, but as I know it will not work with automatic renew.

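Why a reused CSR matters for HPKP, shown as an added example that is not part of any post in this thread: the pin is a hash of the public key alone, so certificates issued from one CSR keep the same pin while a re-keyed one does not. The self-signed certificates, the file names and myserver.url are constructed stand-ins for CA-issued ones.

```shell
#!/bin/bash
# Added example, not from the thread. An HPKP pin is
# base64(SHA-256(DER SubjectPublicKeyInfo)): it depends on the key only.

# Print the pin-sha256 value for a PEM public key passed as $1.
spki_pin() {
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Pin of the key inside a PEM certificate; fails on unreadable input.
pin_from_cert() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    spki_pin "$pub"
}

# Pin of the key inside a PEM CSR; fails on unreadable input.
pin_from_csr() {
    local pub
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    spki_pin "$pub"
}

# Constructed sample data in directory $1: one key and CSR issued twice
# (old.crt, renewed.crt), plus a certificate on a fresh key (rekeyed.crt).
make_samples() {
    openssl genrsa -out "$1/pinned.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/pinned.key" -subj "/CN=myserver.url" \
        -out "$1/pinned.csr" &&
    openssl x509 -req -in "$1/pinned.csr" -signkey "$1/pinned.key" \
        -days 90 -out "$1/old.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/pinned.csr" -signkey "$1/pinned.key" \
        -days 90 -out "$1/renewed.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/new.key" \
        -subj "/CN=myserver.url" -days 90 -out "$1/rekeyed.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir" && {
    echo "CSR pin:           $(pin_from_csr  "$dir/pinned.csr")"
    echo "old cert pin:      $(pin_from_cert "$dir/old.crt")"
    echo "renewed, same CSR: $(pin_from_cert "$dir/renewed.crt")"
    echo "renewed, new key:  $(pin_from_cert "$dir/rekeyed.crt")"
}
rm -rf "$dir"
```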


                        • #13
                          Hi dss

                          Many thanks

                          I think as LE expires every 3 months, the CSR does need to be renewed. As I said, it's in my mind that CSR renewal is required when the cert expires

                          On this occasion, it may be better using a paid SSL with max 3 years

                          I could be wrong though, so I apologise in advance

                          Many thanks

                          John



                          • #14
                            Here's a bash script I just completed to copy the siteworx SSL certificates to nodeworx SSL and update all the services automatically. It would be nice if it ran right after the renewal process :)

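                            #!/bin/bash

                            # NodeWorx login e-mail and the SiteWorx domain that matches the server hostname
                            user="INSERT__NODEWORX_EMAIL__HERE"
                            domain="INSERT__DOMAIN_HERE__INLOWERCASE"

                            # Read the private key, certificate and chain stored for that SiteWorx domain
                            key=$(cat "/home/server/var/$domain/ssl/$domain.priv.key")
                            sslcrt=$(cat "/home/server/var/$domain/ssl/$domain.crt")
                            chain=$(cat "/home/server/var/$domain/ssl/$domain.chain.crt")

                            # Cipher suite string passed to --ssl_ciphersuite
                            cypher='HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW'

                            # Install the certificate for all services and restart them.
                            # The line break inside --crt is intentional: the chain starts on the next line.
                            nodeworx -u "$user" -o pretty -n -v -c Ssl --ssl_ciphersuite "$cypher" --key "$key" --crt "$sslcrt
                            $chain" --restart_now 1 --services all --action updateall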



                            This assumes you already have a siteworx account with the same domain name as your control panel on the same server. It will work with LetsEncrypt.
                            Note that RETURN is intentional so that it creates the CHAIN in the next line down.

                            Enjoy!
                            Last edited by marco114; 03-22-2017, 03:05 PM.
                            ---
                            Marc Pope
                            Falcon Internet
                            http://www.falconinternet.net/

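A pre-flight check that could wrap the script above when it runs from cron, as an added example (not marco114's code and not an InterWorx tool): it refuses a key that does not match the certificate, flags a certificate that is close to expiry, and reports "push" only when the fingerprint has changed since the last copy. The state file, the function names and the 7-day threshold are assumptions; the sample certificate is generated on the spot.

```shell
#!/bin/bash
# Added example, not from the thread: checks to run before copying a renewed
# SiteWorx certificate into NodeWorx. All file paths are caller-supplied.

# Print the PEM public key of a certificate ($1=cert) or private key ($1=key).
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        *)    return 1 ;;
    esac
}

# Succeed only if the private key $1 belongs to the certificate $2.
key_matches_cert() {
    local k c
    k=$(pubkey_of key "$1") && c=$(pubkey_of cert "$2") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint of a certificate, used to detect a renewal.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# $1=key $2=cert $3=state file. Returns 0 "push", 1 "unchanged",
# 2 "mismatch" (do not install), 3 "expiring" (renewal is not happening).
should_push() {
    key_matches_cert "$1" "$2" || { echo mismatch; return 2; }
    openssl x509 -in "$2" -noout -checkend $((7 * 86400)) >/dev/null 2>&1 ||
        { echo expiring; return 3; }
    [ "$(cert_fingerprint "$2")" != "$(cat "$3" 2>/dev/null)" ] ||
        { echo unchanged; return 1; }
    echo push
}

# Call after the NodeWorx update succeeded, so the next run is a no-op.
record_push() { cert_fingerprint "$1" > "$2"; }

# Constructed demo with a throwaway self-signed certificate.
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.crt" \
    -subj "/CN=myserver.url" -days 90 2>/dev/null
should_push "$d/a.key" "$d/a.crt" "$d/state" || true   # first run: push
record_push "$d/a.crt" "$d/state"
should_push "$d/a.key" "$d/a.crt" "$d/state" || true   # same cert: unchanged
rm -rf "$d"
```

Run the nodeworx update only when `should_push` returns 0, and call `record_push` afterwards.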


                            • #15
                              Hi marco114

                              Kudos to you, many thanks for sharing

                              John
