Server SSL Certificate via LetsEncrypt

Within the Siteworx Interface for each account I can easily generate an SSL Certificate with “Generate All With Let’s Encrypt” - unfortunately this option isn’t available for the Nodeworx - “Server - SSL Certificates”.

Is there any workaround to get the Letsencrypt SSL Certificate for the Server itself?

Thanks,
Thomas

Hi thomas

The easiest way is to create a siteworx account for the server hostname, create the SSL and then copy the cert to nodeworx ssl.

This is because the server hostname is not a siteworx account.

You can view all the SSL files from siteworx SSL, copy them and then go to nodeworx, SSL and delete the current SSL cert, create new and paste accordingly on each.

I hope that helps

Many thanks

John

I’ve always had a SW account for my server’s host mostly for mail reasons. It probably would not have occurred to me I could just paste the LE certificate like that, so thanks from me too John!

Hi John,

Just tried it but as I have the DNS entries already (it’s a productive system, currently with GoDaddy SSL Cert) I can’t create a new NodeWorxs account.

In addition I just saw that I use a SAN certificate for that and with the GUI I just can issue standard SSL certificates.

Can I just create the SSL certificates manually (found the binaries of letsencrypt in /root/.local/…) or would that screw up the system?

Thanks,
Thomas

Hi Thomas
Many thanks, and yes, you can create SSL manually using LE, but please be careful.
The method I mentioned above is not creating a Nodeworx Account, it is creating a siteworx account which matches the hostname of the server, and therefore no DNS entries would have been made in IW. E.g. hostname myserver.url, create siteworx account called myserver.url
Then log in to your hostname siteworx account and create LE SSL. Once the SSL is created, view the private key and make a copy, and do the same with the SSL and chains.
Then go back to your nodeworx admin account, go to server SSL, and click update SSL, then select all areas of change you want, and paste the private key, the SSL (including chains) and other details you need, save and restart services.
I have included 2 pics to show you if it helps.
Please note though, LE SSL is not a wildcard SSL, and of course, you will need to renew every 3 months I think it is.
I hope that helps a little
Many thanks
John

Hi John!

I have a quick question about that: will these LE certs (both nodeworx and siteworx) renew automatically (via cron maybe??) every 3 months?

Thank you, Gabor.

Hi Gabor

I hope you're keeping well

LE is only on siteworx accounts, and not on nodeworx

You can copy and paste the SSL set up by LE into the nodeworx SSL but you would need to do this every time it renews

I think LE requires a siteworx account for its DNS settings, which confirms the domain is live and pointed at your server, but I think this may be a good feature to have for nodeworx, so I’ll email IW this thread so you have credit

I hope that helps a little

Many thanks

John

Oops sorry

All siteworx LE renew automatically on a cron

Many thanks

John

Thanks John for the quick reply, I successfully generated the LE cert in siteworx, this will work and auto renew by cron - as you described.

If I’m right I only have to copy this into nodeworx every 3 months because the LE cron is working only in siteworx. It would be a great feature if it could also auto renew like in siteworx :)

Thanks, Gabor.

It also would be a good option to use an existing CSR on renewal. It is necessary if you are using HPKP.

Hi dss

Many thanks, sorry I seem to think you had to generate a new CSR for every new SSL, and was not allowed under RFC to keep same CSR for renewal

I could be wrong so apologies in advance as it’s just something I seem to remember

Sorry, what is HPKP?

Many thanks

John

Hi John,

HPKP (HTTP Public Key Pinning) is against MITM attack, you can read more here. As I know, the Let’s Encrypt plugin generates everything on renew; it is not possible to have “fixed” public keys. It is possible to generate a certificate manually with certonly --csr commands but as I know it will not work with automatic renew.

Hi dss

Many thanks

I think as LE expires every 3 months, the CSR does need to be renewed. As I said, it’s in my mind over CSR renewal is required when cert expires

On this occasion, it may be better using a paid SSL with max 3 years

I could be wrong though, so I apologise in advance

Many thanks

John

Hi marco114

Kudos to you, many thanks for sharing

John

Careful, I think you have an error in your script with a space in !eN ULL which should be !eNULL. *** Funny, it displays ok in edit mode but when I read the post it shows a space that appears in the copy paste as well.
/** cypher=‘HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eN ULL:!NULL:!LOW’ **/

[QUOTE=marco114;29637]Here’s a bash script I just completed to copy the siteworx SSL certificates to nodeworx SSL and update all the services automatically. It would be nice if it ran right after the renewal process :)

#!/bin/bash

user="INSERT__NODEWORX_EMAIL__HERE"
domain="INSERT__DOMAIN_HERE__INLOWERCASE"

# Read the key, certificate and chain from the SiteWorx account
key=$(cat "/home/server/var/$domain/ssl/$domain.priv.key")
sslcrt=$(cat "/home/server/var/$domain/ssl/$domain.crt")
chain=$(cat "/home/server/var/$domain/ssl/$domain.chain.crt")

cypher='HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW'

# The line break inside --crt is intentional: the chain must start on its own line
nodeworx -u "$user" -o pretty -n -v -c Ssl --ssl_ciphersuite "$cypher" --key "$key" --crt "$sslcrt
$chain" --restart_now 1 --services all --action updateall

This assumes you already have a siteworx account with the same domain name as your control panel on the same server. It will work with LetsEncrypt.
Note that RETURN is intentional so that it creates the CHAIN in the next line down.

Enjoy!
[/QUOTE]

Hi toordog

Welcome to Iw forums

Good catch, must be my old eyes as not spotted

Many thanks

John

I’ve implemented this on my servers and so far seems to be working well, but I did make a few tweaks - mainly just the paths to the Let’s Encrypt SSL certs. I’m running CentOS so that might make a difference.


#!/bin/bash
# Copies Let's Encrypt certificates from SiteWorx account to the server SSL certs

interworxUser="INSERT__NODEWORX_EMAIL__HERE"
siteworxDomain="INSERT__DOMAIN_HERE__INLOWERCASE"

key=$(cat "/etc/letsencrypt/live/$siteworxDomain/privkey.pem")
sslcrt=$(cat "/etc/letsencrypt/live/$siteworxDomain/cert.pem")
# fullchain.pem is cert.pem followed by chain.pem, so only chain.pem is appended here
chain=$(cat "/etc/letsencrypt/live/$siteworxDomain/chain.pem")

cypher='HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW'

# this needs to be 2 lines
nodeworx -u "$interworxUser" -o pretty -n -v -c Ssl --ssl_ciphersuite "$cypher" --key "$key" --crt "$sslcrt
$chain" --restart_now 1 --services all --action updateall

Thanks for doing the hard work!
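
A pre-push guard for the copy scripts posted above, added here as an example and not code from any poster or from InterWorx: it checks that the private key matches the certificate, that the certificate is not about to expire, and that it differs from the one last installed, so the job can run daily from cron and call `nodeworx` only after a renewal. The function names, the state-file path and the 7-day threshold are assumptions.

```shell
#!/bin/bash
# Added example: pre-push guard for a SiteWorx -> NodeWorx certificate copy job.
# The state-file path and the 7-day threshold are assumptions, not InterWorx defaults.

# Succeeds only if KEY and CERT carry the same public key.
key_matches_cert() {    # usage: key_matches_cert KEY CERT
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Succeeds only if CERT is still valid MIN_DAYS from now.
cert_valid_for_days() { # usage: cert_valid_for_days CERT MIN_DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of the leaf certificate, used to detect a renewal.
cert_fingerprint() {    # usage: cert_fingerprint CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Prints push | unchanged | mismatch | expiring | unreadable.
# Returns 0 for push, 1 for unchanged, 2 when the files must not be installed.
push_decision() {       # usage: push_decision KEY CERT STATE_FILE [MIN_DAYS]
    local key="$1" cert="$2" state="$3" min_days="${4:-7}" fp
    fp=$(cert_fingerprint "$cert") || { echo unreadable; return 2; }
    key_matches_cert "$key" "$cert" || { echo mismatch; return 2; }
    cert_valid_for_days "$cert" "$min_days" || { echo expiring; return 2; }
    if [ -f "$state" ] && [ "$(cat "$state")" = "$fp" ]; then
        echo unchanged; return 1
    fi
    echo push
}

# Remember which certificate was installed, after nodeworx reports success.
record_push() {         # usage: record_push CERT STATE_FILE
    cert_fingerprint "$1" > "$2"
}

# Wiring into the copy script (the nodeworx command is the one posted above):
#   live="/etc/letsencrypt/live/$siteworxDomain"
#   if push_decision "$live/privkey.pem" "$live/cert.pem" /root/.nodeworx-le.fp; then
#       nodeworx ... --action updateall && record_push "$live/cert.pem" /root/.nodeworx-le.fp
#   fi
```

Because the scripts above pass the private key as a command-line argument, it is visible in the host's process list while `nodeworx` runs; pushing only when the decision is `push` keeps that to once per renewal.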

LE is only on siteworx accounts, and not on nodeworx

Hi bestellen

I hope you're well

Sorry, the code written copies the siteworx LE certificate to nodeworx SSL and keeps recopying so it never is outdated

So if you set up a siteworx account which matches your nodeworx domain, then use LE to create SSL, this is then copied to nodeworx SSL

Good idea and kudos to them for writing/sharing

It would be lovely if every user shared

Many thanks

John