[HOWTO] Let's Encrypt

Unknown said:

One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'"

there is no line REF_CaVerXXXXXX when i use the "host_key_cert" command, only REF_CaHosXXXXX.
I can however find the certificate REF_CaVerLetsEncryAutho with command "verification_ca".
I copied the info of my host certificate.

127.0.0.1 OBJS ca host_key_cert > REF_CaHosXXXXXXXXXX[xxxxxxx,ca,host_key_cert]
Logged into object 'REF_CaHosxxxxxxx'. Use 'w' to write eventual changes.
{
'ca' => '',
'certificate' => 'Certificate:

I gues the 'ca' value need to be updated?

Hi René, hi guys,

I don´t get a crt-file, I only have a csr and key file. I execute the command ./getssl -f -d mydomain.com and get the following message:

./getssl: line 472: -4: substring expression < 0

What have I done wrong? Any suggestions?

Thanks in advance.

Greets

Sérgio

Hans Gooijen said:

I gues the 'ca' value need to be updated?

I have not yet been able to reproduce this. When I unset the ca value for my host certificate I still get the full certificate chain.

Can you have a look at the generated apache config file:

cat /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

Under the virtualhost with the corresponding server name there should be a SSLCACertificateFile configured. 

The same issue is also reported on github: https://github.com/rklomp/sophos-utm-letsencrypt/issues/1

Unknown said:

I don´t get a crt-file, I only have a csr and key file. I execute the command ./getssl -f -d mydomain.com and get the following message:

./getssl: line 472: -4: substring expression < 0

Have you been able to solve this already?

It mentionons this value
SSLCACertificateFile /usr/apache/conf/ssl/REF_CaHosXXXXXXXXX.CAs
The files does exists.

Hello René,

First of all, thank for your script and for clearly written instructions. Great work.

Despite following it step-by-step I encountered a problem: when running the script all seems to work, the certificate can indeed by found in the indicated location but the certificate Sophos uses is not updated... it even says in the output "Updating certificate meta to object None".

The message seems clear but I have no clue in how to fix it.

To be complete, I had to deviate from your tutorial by removing "/root/" from SSLCONF="/root/openssl.cnf" in the "getssl.cfg" file else "openssl.cnf" was not found.

This is the output (I replaced my actual domain by "domain.com")

./getssl -f domain.com
Registering account
Verify each domain
Verifying domain.com
domain.com is already validated
Verification completed, obtaining certificate.
Certificate saved in .getssl/domain.com/domain.com.crt
The intermediate CA cert is in .getssl/domain.com/chain.crt
reloading SSL services
Writing certificate for ddomain.com to object REF_uEztNJUMGUypRE
Updating certificate meta to object None
Done!
getssl: domain.com - certificate obtained but certificate on server is different from the new certificate

Any pointers towards troubleshooting this? I double checked the reference, used the original certificate and created a dummy one to be overwritten.

Thank you very much for your feedback.

With best regards,

ShadowHunter

Fixed it... It turned out I was copy/pasting all the time "getssl -c", didn't even pay attention to it... when running it normally, all is updated smoothly.

Until Sophos implements it... this is a great way to go!

Again thank you René for your script.

With best regards,

ShadowHunter

Just wanted to update that the certificate chain issue is resolved. a couple of days ago the certificate was renewed, now that chain is ok.
Thx for your support.

Someone know if this method works for generating SAN certificate?

Or do we need to generate for each URL?

It seems like let's encrypt does support SAN certificate (https://letsencrypt.org/docs/faq/)

Yes you can. Use the SANS configuration parameter for this.