
going bonkers over letsencrypt

commandline.be
4 December 2018, 22:54
Each time I set up a new Let's Encrypt certificate for my test VPS commandline.be I run into issues.
Despite my rave review of the Let's Encrypt script as supplied with Hiawatha, I now get a timeout; before that, it was unclear whether the script would also generate the SAN entries for all VirtualHost Hostname entries in hiawatha.conf.

So I switched to acme.sh and found that it works quite well and quite easily; I just cannot figure out how to get the generated certificates to work with Hiawatha.

sigh
commandline.be
4 December 2018, 23:42
Okay, found it, it is working.

Helpful resource: https://wiki.archlinux.org/index.php/Hiawatha#Enable_SSL/TLS (explains how the PEM certificate file is constructed)

## on Linux / BSD
# install the most recent acme.sh into ~/.acme.sh/ and register the account e-mail
# (the installer at get.acme.sh downloads acme.sh and runs its --install for you)
curl https://get.acme.sh | sh -s email=youraddress@email.tld

# generate an ECC certificate (-k / --keylength selects the key type); --standalone binds
# port 80 itself, so run it as root with nothing else listening there (stop Hiawatha
# first, or use --webroot with the site's document root instead)
~/.acme.sh/acme.sh --issue -d domain.tld -d www.domain.tld -d blog.domain.tld -d stats.domain.tld --standalone --keylength ec-256

cd ~/.acme.sh

# Hiawatha wants the private key, then the server certificate, then the chain, in one
# PEM file; build it with owner-only permissions, since it contains the private key
( umask 077; cat domain.tld_ecc/domain.tld.key domain.tld_ecc/domain.tld.cer domain.tld_ecc/ca.cer > /usr/local/etc/hiawatha/tls/domain.tld.key )
chmod 600 /usr/local/etc/hiawatha/tls/domain.tld.key

## just for the sake of checking, notice that fullchain.cer (certificate plus chain, without the key) is also not identical to the domain.tld.key file
diff domain.tld_ecc/fullchain.cer /usr/local/etc/hiawatha/tls/domain.tld.key
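The procedure above boils down to "put the private key, the leaf certificate and the chain into one file, in that order, readable only by the server". The following is an added example (not code from the post, from acme.sh or from Hiawatha) of a small POSIX shell hook that does exactly that with a few checks a practitioner wants at renewal time: it refuses a file that does not start with a private key, writes the combined PEM with owner-only permissions via a temporary file so a half-written file is never picked up, verifies the block layout, and, when openssl is installed and the inputs are real, can confirm the key belongs to the certificate. The sample inputs it creates are placeholder PEM blocks, not real keys; the install paths and the `service hiawatha restart` reload command in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: rebuild Hiawatha's combined PEM from acme.sh output.
# Not part of the forum post, acme.sh or Hiawatha; paths are assumptions.
set -u

# Sanity-check the layout: exactly one private key block at the top and at least
# two certificate blocks (leaf + chain). Returns 1 on any deviation.
check_pem_layout() {
    pem="$1"
    head -n 1 "$pem" | grep -q 'BEGIN .*PRIVATE KEY' || return 1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -ge 2 ] || return 1
}

# Build the combined PEM: private key first, then leaf certificate, then chain,
# which is the order Hiawatha expects. Written owner-only and swapped in atomically.
assemble_hiawatha_pem() {
    key="$1"; cer="$2"; ca="$3"; out="$4"
    for f in "$key" "$cer" "$ca"; do
        [ -s "$f" ] || { echo "missing or empty input: $f" >&2; return 1; }
    done
    # the first input must be a private key, or the server will not start
    head -n 1 "$key" | grep -q 'BEGIN .*PRIVATE KEY' || { echo "not a private key: $key" >&2; return 1; }
    tmp="$out.tmp.$$"
    ( umask 077; cat "$key" "$cer" "$ca" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    check_pem_layout "$tmp" || { echo "bad PEM layout, not installing" >&2; rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# With real files and openssl present, confirm the key matches the leaf certificate
# by comparing their public keys. Returns 0 (skipped) when openssl is not installed.
key_matches_cert() {
    key="$1"; cer="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample inputs (placeholder PEM blocks, NOT real keys or certificates)
# so the script can be exercised offline. Real acme.sh output lives in ~/.acme.sh/domain.tld_ecc/.
make_sample_inputs() {
    dir="$1"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'MHcCAQEEIPlaceholderNotARealKey' '-----END EC PRIVATE KEY-----' > "$dir/domain.tld.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBPlaceholderLeafNotARealCert' '-----END CERTIFICATE-----' > "$dir/domain.tld.cer"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBPlaceholderIntermediateNotARealCert' '-----END CERTIFICATE-----' > "$dir/ca.cer"
}

# Production use as an acme.sh renewal hook (assumed paths; --ecc selects the ECC cert):
#   acme.sh --install-cert -d domain.tld --ecc \
#     --key-file  /usr/local/etc/hiawatha/tls/acme/domain.tld.key \
#     --cert-file /usr/local/etc/hiawatha/tls/acme/domain.tld.cer \
#     --ca-file   /usr/local/etc/hiawatha/tls/acme/ca.cer \
#     --reloadcmd "/usr/local/etc/hiawatha/tls/rebuild-pem.sh && service hiawatha restart"
# where rebuild-pem.sh calls key_matches_cert on the key and cert, then assemble_hiawatha_pem
# with /usr/local/etc/hiawatha/tls/domain.tld.key as the output.

# Offline demo on the constructed inputs; prints the path of the combined file.
demo() {
    work=$(mktemp -d)
    make_sample_inputs "$work"
    assemble_hiawatha_pem "$work/domain.tld.key" "$work/domain.tld.cer" "$work/ca.cer" "$work/combined.pem" || return 1
    echo "$work/combined.pem"
}

demo
```

The key-first check matters because the Hiawatha error for a mis-ordered file is not obvious, and the temporary-file-plus-mv step means a renewal that fails halfway leaves the previous working PEM untouched.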

commandline.be
5 December 2018, 22:47
Just to be clear, it's probably me, but I could not find the issue.

acme.sh just gives a lot of control and is, in the end, workable and reproducible in effect.
commandline.be
5 December 2018, 23:25
Ignore whatever I said, I need to take time and study Let's Encrypt (teeth grinding).
Hugo Leisink
6 December 2018, 11:38
That's the case for many people.
This topic has been closed.