Weblog

1 April 2016, 00:56

I've written a script to get a Let's Encrypt certificate. Please, download the script and let me know what you think of it.

Kapageridis Stavros
1 April 2016, 13:47
Hi Hugo,

Your script is a power tool. In a matter of minutes, I have registered
an account, requested and deployed a Let's Encrypt certificate. Even
without basic knowledge off SSL certificates, anyone can install and
request an SSL certificate from Let’s Encrypt. I was also amazed that
it provides a feature to first request a test certificate, before
switching it to production state. And in case of expiration i can easy renew it with
a single command.
There was nothing more to do than to only run three commands via your
script.

Thank you very much for everything.
samiux
3 April 2016, 14:37
Hi Hugo,

It works as expect. Please include this good script in the Hiawatha package.

Thanks a lot.
Alex
6 April 2016, 22:50
Hey Hugo,
very nice job, but why php?
I don't have installed PHP on my server. IMHO shell would be better solution.
Here is another good tool to create SSL certificates https://github.com/lukas2511/letsencrypt.sh
Take a look, maybe you can optimize it quickly for Hiawatha

Thank you.
Hugo Leisink
7 April 2016, 08:01
PHP, because I know it well. Shell, Perl, PHP, Python, they're all just interpreters. Don't be afraid of an interpreter, it's just a tool. I used it because it's the language, besides C, I know best. So, for me it's the right tool to deliver a proper application. Just install it, let my script use it, and ignore it for the rest.
Thomas
9 April 2016, 11:49
Hi,
can you confirm if this scrip will work when running Hiawatha as reverse proxy?

The intention is to terminate SSL on loadbalancer (=reverse proxy) and work with non-encrypted connection in backend.

THX
Hugo Leisink
10 April 2016, 18:17
Use the script at the final webserver and place the retrieved certificate at the reverse proxy.
Andrew H
14 April 2016, 04:12
Finally got around to trying this - what a great tool! Works perfectly for me. Thanks Hugo!
Dan Larsson
15 April 2016, 15:44
When i request the certificate from the testing server it works fine, but when i change to the Production i get the following messages, and no certificate. Tried a lot of things here, but no luck yet.

Authorizing slas.se.
- Retrieving HTTP authentication challenge.
- No registration exists matching provided key.
- Authentication token for HTTP challenge not found.
samiux
15 April 2016, 18:19
Hi hugo,

How to use the script to apply public-key-in feature?
Hugo Leisink
15 April 2016, 18:54
@Dan Larsson: Did you register your key at the production server? I realize I didn't mention that step in the README. Will add it.

@Samiux: What do you mean with public-key-in?
samiux
15 April 2016, 19:01
Hi Hugo,

Sorry for the typo. It should be header Public-Key-Pin.
Hugo Leisink
15 April 2016, 19:02
Uhm, that's something for a browser to do. Not this script.
samiux
15 April 2016, 20:00
Hi Hugo,

It is quote from your How-to :
http://dotbalm.org/hiawatha-public-key-pinning-hpkp/
samiux
15 April 2016, 20:02
Hi hugo,

The script do not have the fringerprint of the cert that cannot be used in the customheader for public-key-pin.
Hugo Leisink
16 April 2016, 07:57
First, that website is not my HOWTO. Second, you can create the fingerprint of a certificate yourself as described at that webpage.
samiux
17 April 2016, 16:33
Hi Hugo,

Thanks for the hints. The Public-Key-Pin header is applied successfully.

May I know how to renew the certificate with the script?
Hugo Leisink
17 April 2016, 16:58
Yes, you may know. It's described in the readme...
Dan Larsson
18 April 2016, 11:21
@Hugo Sometime it´s to simple, thanks for the answer. All i had to do was to rename the account.key and run the register option again.

Thank you for the very nice webserver and usefull script.
samiux
18 April 2016, 19:29
Hi Hugo,

Would you mind to consider to change the script to handle "Include" keyword?
Hugo Leisink
19 April 2016, 10:17
It already handles the include statement. Doesn't it work for you?
samiux
22 April 2016, 08:25
Hi Hugo,

My previous download version doesn't work for "include" keyword. But not sure about the current version. Any harm if I re-run the script?
Hugo Leisink
23 April 2016, 00:25
No, specially if you run against the test server.
Fred
25 April 2016, 11:12
Hi Hugo,
This is probably a silly question but do I need to change the code below:
LE_ISSUERS = Let's Encrypt Authority X1 \
Let's Encrypt Authority X2 \
Let's Encrypt Authority X3 \
Fake LE Intermediate X1 \
happy hacker fake CA

If I'm suppose to edit that bits, what would it be?
Fred
25 April 2016, 11:22
Hi,
I decided the give it a go by leaving the code previously mentioned as they are and I got the following error when runing php ./letsencrypt register:
HTTP error while registering account

What I have do wrong?
Hugo Leisink
25 April 2016, 14:18
You can ignore the LE_ISSUERS setting for now.
I'll look at the registering issue. I can reproduce it here. It looks like the API has changed... again.

Update:
I've made some changes. Redownload the letsencrypt package and please try again.
Fred
25 April 2016, 23:20
Hi hugo,

I downloaded the latest update and gone further but now having another issue
 php ./letsencrypt request mydomain.co.uk
Generating account key.
Hostname mydomain.co.uk not found in Hiawatha configuration.

I do have a virtual host {} with mydomain.co.uk.
Could you please advise on what to do next?

Thank you
Hugo Leisink
27 April 2016, 13:35
Can you send me your complete configuration? Send it to hugo@hiawatha-webserver.org.
Fred
28 April 2016, 01:22
Sent you an email
David Oliver
30 April 2016, 02:08
I've just tried this out and it seems to be an extremely easy and convenient way of registering (and automatically renewing!) certificates. Thanks, Hugo!

I found that a VirtualHost needs to be in the main Hiawatha config file as opposed to in a file which has been included with, for example, 'Include /etc/hiawath/websites.conf'. That's easily sorted, of course, and I'll move all my vhosts back to the main file.

I'll probably add some code to send Pushover alerts on failed renew requests.
Hugo Leisink
30 April 2016, 10:42
I included support for the include option. But apparently that doesn't work properly. I'll take a look at it.

Update:
I've solved this issue. Redownload the package and it should work now.
Zaigham
3 May 2016, 13:27
The download is going 404 now.
Jeff
16 May 2016, 18:21
I downloaded from github and it is working great, still waiting for the 3 months expiration to see if the renew cron job works as expected, but so far this is a dream come true , thanks for developing and sharing this!
Vondutch
15 September 2016, 21:45
To make the tool work after August, 2016. Change "LE_CA_TERMS = https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" to "LE_CA_TERMS = https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" in the "letsencrypt.conf" file.
Bakelnaar
5 January 2017, 11:54
I got stuck with the fact that the letsencrypt cript could not find the hostname in my config files. This was due to the fact that I did not include a space after the VirtualHost (so VirtualHost{ instead of VirtualHost {). Hiawatha is able to read these config files without a problem, however the letsencrypt script could not recognize.
However, it is a very useful tool.
David Oliver
26 January 2017, 14:08
In Ubuntu I found that when running the script to renew certs as root (sudo crontab -e) Hiawatha was not restarting because the start-stop-daemon program could not be found; cron's PATH env var does not include /sbin, which is where start-stop-daemon is. Adding the appropriate path to PATH for the cron task gets round this.

52 03 * * * PATH=$PATH:/sbin /path/to/letsencrypt renew restart >> /var/log/letsencrypt-hiawatha.log 2>&1
kfft
11 April 2017, 22:49
the process seemed to work fine (writing private key, certificate and CA certificate) but eventually the certificate is not recognized in the browser.
"The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER"
I managed to get a certificate working using another script and havent spent too much time debugging this one, is it still supposed to work or are there some parameters to be adjusted?


kfft
11 April 2017, 23:00
More precisely the browser says:
issuer : "Fake LE Intermediate X1"
Looking into my pem file I see the same certificate as this one https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
kfft
11 April 2017, 23:20
eventually got it right, it was because the account key used had been created with the test LE_CA_HOSTNAME. It is working now.
Thanks for this great tool!

Question for Hugo: I had to remove all the IPs like 127.0.0.1 from the Hostname list because it was making it fail. Could you pass on IP addresses instead of failing or what is the config I should adopt instead of having IP addresses in the list?
Note my VirtualHost does not necessarily require TLS and i access the IP addresses with http, the certificate is used for the other hostnames in the list accessed via https.
Hugo Leisink
12 April 2017, 09:04
Looks like you use an older version of the letsencrypt script. Or, at least an older version of its configuration file. Use the lastest version and try again. And its not my script, but the Let's Encrypt CA that doesn't allow IP addresses in the CN.
kfft
12 April 2017, 20:14
thanks very much Hugo I used this version https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz I downloaded yesterday, is there a more recent one?

Indeed Let's Encrypt does not allow IPs, but if I want to have IPs in my list of hostnames and at the same time I want to get certificates (not for the IPs but for the names in the list), the LE script will go through all the hostnames of the list and fail when it encounters an IP I believe.
Does it mean I need to create one VirtualHost for the IPs and one different VirtualHost for the certification with domain names only?

*** I have been a very happy user of Hiawatha for the past 10 years on Windows and I recently moved to Arch Linux ***
Hugo Leisink
13 April 2017, 19:20
The one you mentioned is the latest one. The next version of Hiawatha (soon to be released) will ignore IP addresses in the hostname list.
kfft
13 April 2017, 21:22
It sounds great, thanks Hugo [CLOSED]
kfft
27 August 2017, 21:40
Hi Hugo sorry to come back on this but from my tests it has not been implemented in 10.6, is it for the next version or should I try again?
kfft
27 August 2017, 21:47
to clarify my config I would like to use

VirtualHost {
Hostname = www.mysite.org,127.0.0.1
...
}

and run 'letsencrypt renew restart' on this config
kfft
27 August 2017, 22:18
Actually I think it is working now you have implemented a filtering out of IP Addresses in letsencrypt php scripts. My mistake. Thanks Hugo.
Jack
14 September 2017, 14:00
Hi Hugo

It appears that 'EnforceFirstHostname = yes' breaks the tool?

Watching the webroot whilst the tool is running I see the .well-known directory appear for the first hostname, and then the folder disappears and fails to reappear whilst the tool tries to authorize the second hostname.

Does the second hostname actually need to be included on the certificate if the above setting is on?
kfft
29 September 2017, 13:00
@Hugo do you expect to maintain the tool in 2018 and port it to ACMEv2?
btw find here the list of client scripts including yours [https://letsencrypt.org/docs/client-options/]
Hugo Leisink
29 September 2017, 13:01
Of course!
kfft
29 September 2017, 13:32
great news , no need to look for another LetsEncrypt client then I will stick with it!