Let’s Encrypt Support #797

smccloud opened this Issue Oct 5, 2015 · 37 comments

@smccloud
smccloud commented Oct 5, 2015

I am planning on switching to Ajenti shortly but I would also like it if it supports Let's Encrypt when it rolls out. This would make it a lot easier for me to utilize SSL for my sites.

@bbbenji
bbbenji commented Oct 23, 2015

I would also like to see this.

@dschense

Was already looking for the plan of adding let's encrypt to ajenti. This would be really great to get this supported. Hope to see this soon.

@swiesend

+1

@genna87
genna87 commented Dec 4, 2015

+1

@brianjking

I'm running an Ubuntu droplet w/ Ajenti-V and have added letsencrypt successfully. You just have to use the manual configuration options. However, +1 for any sort of automation or other improvements.

@dschense
dschense commented Dec 5, 2015

How to do? Just create certs and add them to the certs in the settings? And add to the website ssl settings?

@brianjking

@dschense I'm only pulling a B rating right now, however, I haven't spent really any time trying to configure anything as of yet. You need to generate the certificate in certonly mode and then apply it manually.


@genna87
genna87 commented Dec 6, 2015

My problem isn't with the websites' SSL options.
I'd like to change the certs used to access the Ajenti dashboard to the Let's Encrypt certificates.

I've successfully generated the certs for my domain and created the symlinks in "/etc/ajenti"

-r-------- 1 root root 2,8K ajenti.pem
-rwx------ 1 root root 4,3K config.json
lrwxrwxrwx 1 root root   53 letsencrypt_cert.pem -> /etc/letsencrypt/live/MYDOMAIN/cert.pem
lrwxrwxrwx 1 root root   54 letsencrypt_chain.pem -> /etc/letsencrypt/live/MYDOMAIN/chain.pem
lrwxrwxrwx 1 root root   58 letsencrypt_fullchain.pem -> /etc/letsencrypt/live/MYDOMAIN/fullchain.pem
lrwxrwxrwx 1 root root   56 letsencrypt_privkey.pem -> /etc/letsencrypt/live/MYDOMAIN/privkey.pem

But after updating the certificate_path in config.json and restarting the Ajenti service, the dashboard is unreachable.

@computerwizjared

@genna87 I just did this yesterday and had to manually create a new .pem file with the cert on top and the privkey on bottom... there may be an openssl command to automate this but I just did it with a text editor.

@genna87
genna87 commented Dec 6, 2015

Ok, but which pem should I concatenate with privkey?

cert.pem, chain.pem or fullchain.pem?

@computerwizjared

@genna87 you need to combine the cert.pem and privkey.pem, and then point Ajenti (in config.json) to the combined file.

@genna87
genna87 commented Dec 6, 2015

Thank you very much!

@bbbenji
bbbenji commented Dec 6, 2015

While attempting to generate certs with the certonly option, letsencrypt states that nginx is running and I need to temporarily end the processes. Is it possible to generate keys without doing that? Also will this overwrite any Ajenti>nginx configuration?

@brianjking

You should back up your config for that particular domain. Also, I believe you need to run `service nginx stop` prior and then restart once the cert is applied.

@computerwizjared

If you don't wish to stop the service, you can use the webroot feature as instructed here: https://letsencrypt.readthedocs.org/en/latest/using.html#webroot

@bbbenji
bbbenji commented Dec 6, 2015

Makes sense brianjking

That's exactly what I was looking for. Thanks computerwizjared.

@dschense
dschense commented Dec 7, 2015

@brianjking thanks for the hint

@wrapper
wrapper commented Dec 19, 2015

@computerwizjared thanks for the hint on combining the files. Any thoughts on how to automate this for the 90 day renewals?

Also, I used this lightweight version of letsencrypt on my ajenti setup and got it working fine: https://github.com/lukas2511/letsencrypt.sh

@computerwizjared

@wrapper No, sorry :/ You'll have to go and manually do it unless someone makes a solution... I'm not experienced enough to do that.

@brianjking

@wrapper

When I took a look at your guide at https://www.usayd.com/2015/12/20/ngnix-vps-using-ajenti-with-full-https-encryption/ I have a few questions:

  • Do you actually use the 4096 keysize as pre-configured in https://github.com/lukas2511/letsencrypt.sh? Based on my reading 2048 is actually a better option based on processing power & browser support.
  • Under step 3 on your site you're showing the edits made to the wellknown section of config.sh.
  • By default this is #WELLKNOWN="${BASEDIR}/.acme-challenges"; are you saying that I would remove the # and replace this with /srv/domainname?
  • What about for additional sites? How will the WELLKNOWN configuration above influence this?

@landsman

What about a plugin for Ajenti? :)

@dschense

Has anybody used these certs with the mail? TLS support?

Tried with Courier and exim4.
Put the fullchain.pem and the privkey.pem into the TLS config in the Ajenti panel.

I can send and receive mails, but not from GoogleMail. I think the problem is that Google does not trust the cert. Has anybody tried this as well and found a solution for this?

@simsketch

What's the alternative to using let's encrypt?

@davidoster

Newest tutorial from Sean McNamara 👍
Let's Encrypt in Ajenti-V

Question: Is mail support going to be affected in any way?

@landsman
landsman commented May 15, 2016 edited

@davidoster easy, but we need to solve the automatic re-generation of certificates every 3 months too. What about new domains? For Ajenti some global plugin which solves all these things would be good.

@davidoster

Another way, manually though,
https://gethttpsforfree.com/
All code is on github!!!

@boredland
boredland commented Oct 15, 2016 edited

For the ajenti-Panel the problem is Ajenti requiring a combined keychain (privkey.pem+fullchain.pem). The easiest way to get letsencrypt to work with ajenti is:

  • setup ssl for your domain (under which you use ajenti)
  • add the cronjob for your cert renewal
  • add a second one for the creation of the combined keychain like that:

for dir in /etc/letsencrypt/live/*/; do cat "${dir}privkey.pem" "${dir}fullchain.pem" > "${dir}fullkeychain.pem"; done

And finally point the key in config.json to that "fullkeychain.pem".
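
A renewal helper that does what the comment above and the earlier concatenation advice describe, as an added example that is not code from this thread or from the Ajenti project. It assumes the standard /etc/letsencrypt/live layout, that Ajenti's config.json certificate_path points at fullkeychain.pem inside each live directory, and that the output name fullkeychain.pem is the convention chosen above; it goes beyond the one-liner by creating the bundle with mode 0600 (it contains the private key), writing atomically, skipping non-directory entries such as the README certbot leaves in live/, and refusing to write a half-built file when an input is missing.

```shell
#!/bin/sh
# Build Ajenti's combined PEM (private key first, then the full chain) for
# every Let's Encrypt live directory. Assumed layout: /etc/letsencrypt/live/<domain>/
# containing privkey.pem and fullchain.pem (certbot defaults).

build_combined_pem() {
    # $1 = one live directory, e.g. /etc/letsencrypt/live/example.com
    dir=$1
    key="$dir/privkey.pem"
    chain="$dir/fullchain.pem"
    out="$dir/fullkeychain.pem"

    # Do not leave a truncated or stale bundle behind if an input is missing.
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "missing privkey.pem or fullchain.pem in $dir" >&2
        return 1
    fi

    # Write to a temp file created under umask 077 (mode 0600: the bundle
    # holds the private key), then rename so readers never see a partial file.
    tmp="$out.tmp.$$"
    (umask 077 && cat "$key" "$chain" > "$tmp") || return 1
    mv -f "$tmp" "$out"
    echo "$out"
}

rebuild_all() {
    # $1 = base directory (defaults to certbot's live dir). The trailing slash in
    # the glob matches only directories, so live/README is skipped.
    base=${1:-/etc/letsencrypt/live}
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        build_combined_pem "${dir%/}" || return 1
    done
}

# Cron usage (assumed paths): run this after the renewal job, then restart Ajenti
# because it only reads certificate_path at startup, e.g.
#   0 3 * * * <renewal command> && /usr/local/sbin/rebuild-ajenti-pem && service ajenti restart
```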

@davidoster

Well I did a write-up that can be fully automated under a cron job.
It's called LetsEncryptFast.
All the details are here: https://github.com/davidoster/letsencrypt-fast
It is based on the excellent work of the people behind: https://zerossl.com/

@JoorgeFerrari

@computerwizjared how did you figure the certificate concatenation? you're a genius!

@computerwizjared

@JoorgeFerrari only about an hour of experimentation ;)

@JoorgeFerrari

@computerwizjared any idea on how to use letsencrypt to use TLS on mailboxes?

@computerwizjared

@JoorgeFerrari I'm not entirely sure, sorry. I haven't worked with Ajenti or Let's Encrypt for a few months.

@JoorgeFerrari

@JoorgeFerrari have you gone to cPanel or are you using another solution? Can you point me any other option than ajenti?
