[Module] Let's Encrypt
03-22-2019, 05:47 AM
(This post was last modified: 03-22-2019, 05:54 AM by Bizarrus. Edit Reason: Fix icons)
RE: [Module] Let's Encrypt
03-22-2019, 07:11 AM
RE: [Module] Let's Encrypt
03-22-2019, 07:14 AM
Only a helper class (ACMECert) is used (Source: https://github.com/skoerfgen/ACMECert); everything else is self-written.
RE: [Module] Let's Encrypt
03-22-2019, 11:13 AM
(03-22-2019, 07:14 AM)Bizarrus Wrote: Only a helper class (ACMECert) is used (Source: https://github.com/skoerfgen/ACMECert); everything else is self-written.
Seems to work exactly as expected!
I have to say, I think the Sentora community will thank you for this...
What about renewals - are these taken care of through a cron job built into the module, or is another mechanism taking care of it? Or will it have to be done manually by the user?
Keith.
RE: [Module] Let's Encrypt
03-22-2019, 02:40 PM
Normally I'm using the latest Certbot release from GitHub. But the permission restrictions make it hard to interact with shell scripts, that's why I'm using a simple (but effective) Web API.
The renewal process will be added to the default cron, that was my first thing.
I hope the module will work for most users with older PHP versions; I had seen that on CentOS PHP 5.6 will be installed and on Debian PHP 5.4 is present. But my code style is a little bit newer (for example [] as arrays instead of array()).
In further releases, wildcards will be implemented with direct interaction with DNS. The ACME challenges will be stored as TXT records and I will try to check whether it is possible to interact here with post-processes once the DNS records are published.
I'm new to Sentora, I'm not a consumer/user of Sentora, I had written this module for a friend. Sentora seems very old, the template engine is very annoying with only minimal information and that is why I had been crying for two hours over their special and restricted syntax.
RE: [Module] Let's Encrypt
03-22-2019, 03:29 PM
(03-22-2019, 02:40 PM)Bizarrus Wrote: Normally I'm using the latest Certbot release from GitHub. But the permission restrictions make it hard to interact with shell scripts, that's why I'm using a simple (but effective) Web API.
The renewal process will be added to the default cron, that was my first thing.
I hope the module will work for most users with older PHP versions; I had seen that on CentOS PHP 5.6 will be installed and on Debian PHP 5.4 is present. But my code style is a little bit newer (for example [] as arrays instead of array()).
In further releases, wildcards will be implemented with direct interaction with DNS. The ACME challenges will be stored as TXT records and I will try to check whether it is possible to interact here with post-processes once the DNS records are published.
I'm new to Sentora, I'm not a consumer/user of Sentora, I had written this module for a friend. Sentora seems very old, the template engine is very annoying with only minimal information and that is why I had been crying for two hours over their special and restricted syntax.
Yes I know, there does not appear to be much of a push to keep Sentora up-to-date but I try to keep the versions I run on my own servers up-to-date. I am running my Sentora servers with PHP 7.3 and can confirm that the module you have created seems perfectly happy with this version of PHP so far.
One thing I noticed is that the certificate chain is incomplete, as reported using services such as https://www.htbridge.com/ssl/ and https://www.ssllabs.com/ssltest/. It looks like the module is setting the SSLCertificateFile and SSLCertificateKeyFile values but is not setting the SSLCertificateChainFile value which might be what is causing this? I see that the SSLCertificateFile points to the "fullchain" file but in my experience it would be better to point this at the "cert" file and add SSLCertificateChainFile and point this at the "chain" file. I believe this would solve the issue? I just tested changing the entries to this:
SSLCertificateFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.cert
SSLCertificateChainFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.chain
SSLCertificateKeyFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.rsa
and it seems to work correctly.
Just to clarify, is the cron renewal something that is already implemented, or something that you have not yet added in?
Keith
RE: [Module] Let's Encrypt
03-22-2019, 04:43 PM
(03-22-2019, 02:40 PM)Bizarrus Wrote: Normally I'm using the latest Certbot release from GitHub. But the permission restrictions make it hard to interact with shell scripts, that's why I'm using a simple (but effective) Web API.
The renewal process will be added to the default cron, that was my first thing.
I hope the module will work for most users with older PHP versions; I had seen that on CentOS PHP 5.6 will be installed and on Debian PHP 5.4 is present. But my code style is a little bit newer (for example [] as arrays instead of array()).
In further releases, wildcards will be implemented with direct interaction with DNS. The ACME challenges will be stored as TXT records and I will try to check whether it is possible to interact here with post-processes once the DNS records are published.
I'm new to Sentora, I'm not a consumer/user of Sentora, I had written this module for a friend. Sentora seems very old, the template engine is very annoying with only minimal information and that is why I had been crying for two hours over their special and restricted syntax.
Looking at the code in LetsEncrypt.php more closely, there seems to be an issue with adding the www to domains.
Sentora always creates a www Alias entry for a vhost for any domain that doesn't begin with www, so for example, if I have:
mydomain.com
on my Sentora server, Sentora will add an Alias entry for:
www.mydomain.com
as well.
The LetsEncrypt.php seems to do something quite bizarre and checks how many sections a domain name has to determine whether to include a www version as a Subject Alternative Name entry. This falls down if a domain name has a two-section TLD, such as .co.uk. If I had the domain:
mydomain.co.uk
on my server, your module will see the three sections of the domain name and not include:
www.mydomain.co.uk
in the SSL certificate, even though Sentora listens for this.
I propose simply detecting whether the domain begins with www. or not, so change this section of code:
Code:
    if(!(count(explode('.', $domain)) > 2)) {
        $config['www.' . $domain] = [
            'challenge' => 'http-01',
            'docroot' => sprintf('%s%s/public_html/%s/', $this->host_path, $this->account, str_replace('.', '_', $domain))
        ];
    }
to this:
Code:
    if (!(strpos($domain, 'www.') === 0)) {
        $config['www.' . $domain] = [
            'challenge' => 'http-01',
            'docroot' => sprintf('%s%s/public_html/%s/', $this->host_path, $this->account, str_replace('.', '_', $domain))
        ];
    }
Keith
RE: [Module] Let's Encrypt
03-22-2019, 05:41 PM
(This post was last modified: 03-22-2019, 05:43 PM by Bizarrus.)
Thanks for the response!
I will update the VHost configuration and check the results later on SSL Labs.
The renewal cron is currently not developed; this part will be created today.
The issue with www. domains is a mistake, yep! I had only tested simple TLDs like de, com and others, but not extended TLDs like co.uk. I will fix that bad behavior in 1 hour. And no, I can't check if the domain has a "www." at the start. The www. entry is only for domain names without subdomains like example.com. Here, by default, the www. entry will appear.
For users who have problems with Apache's SSL mod: you must comment out the Listen entry on port 443 in the default configuration. Sentora will automatically add the same Listen entry here and Apache will see a conflict about the duplicate Listen entry. I will try to fix this problem with an automatic resolver.
RE: [Module] Let's Encrypt
03-22-2019, 08:25 PM
I've now written a TLD helper class for some extended domain names.
Here I'm using the public TLD list from https://publicsuffix.org/list/public_suffix_list.dat.
Here is the result:
PHP Code:
stdClass Object ( [prefix] => [domain] => example [suffix] => co.uk [original] => example.co.uk )
stdClass Object ( [prefix] => testing.example.somewhere [domain] => example [suffix] => co.uk [original] => testing.example.somewhere.example.co.uk )
stdClass Object ( [prefix] => subdomain [domain] => example [suffix] => co.uk [original] => subdomain.example.co.uk )
stdClass Object ( [prefix] => subdomain [domain] => example [suffix] => de [original] => subdomain.example.de )
stdClass Object ( [prefix] => [domain] => example [suffix] => com [original] => example.com )
I will commit the new version once I have implemented the renewal process.
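The prefix / domain / suffix split shown above, together with the www rule argued over in the two posts before it, as an added example that is neither the module's TLD helper class nor Keith's patch: the suffix rule set is a constructed subset of the Public Suffix List, and PHP 7 syntax is assumed.

```php
<?php
// Added example, not the module's TLD helper. Reproduces the prefix / domain /
// suffix split shown above against a constructed subset of the Public Suffix
// List and derives the www rule from it: www. is added only when the host has
// no prefix, i.e. it is the registrable domain itself. PHP 7+ syntax assumed.

// Constructed subset of https://publicsuffix.org/list/public_suffix_list.dat;
// the real helper loads the full file. PSL wildcard (*.x) and exception (!y.x)
// rules are not handled here.
const PUBLIC_SUFFIX_RULES = ['com', 'de', 'uk', 'co.uk', 'org.uk'];

function splitDomain(string $host, array $rules = PUBLIC_SUFFIX_RULES): stdClass
{
    $labels = explode('.', rtrim(strtolower($host), '.'));
    $n = count($labels);
    // PSL algorithm: the longest matching rule wins, and at least one label
    // must remain in front of the suffix to form the registrable domain.
    $suffixLabels = 0;
    for ($len = 1; $len < $n; $len++) {
        if (in_array(implode('.', array_slice($labels, $n - $len)), $rules, true)) {
            $suffixLabels = $len;
        }
    }
    if ($suffixLabels === 0) {
        throw new InvalidArgumentException("no public suffix rule matches $host");
    }
    $parts = new stdClass();
    $parts->prefix   = implode('.', array_slice($labels, 0, $n - $suffixLabels - 1));
    $parts->domain   = $labels[$n - $suffixLabels - 1];
    $parts->suffix   = implode('.', array_slice($labels, $n - $suffixLabels));
    $parts->original = $host;
    return $parts;
}

// Names the certificate has to cover: the host itself plus, for a bare
// registrable domain only, the www. alias that Sentora creates. A host that
// already starts with www. has a prefix, so it gets no second entry, and a
// co.uk-style suffix no longer confuses the decision.
function certificateNames(string $host): array
{
    $names = [$host];
    if (splitDomain($host)->prefix === '') {
        $names[] = 'www.' . $host;
    }
    return $names;
}

foreach (['example.com', 'example.co.uk', 'subdomain.example.co.uk', 'www.example.de'] as $host) {
    echo $host, ' => ', implode(', ', certificateNames($host)), PHP_EOL;
}
```

Running it lists example.com and example.co.uk with their www. counterparts, while subdomain.example.co.uk and www.example.de are returned alone.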
RE: [Module] Let's Encrypt
03-22-2019, 09:09 PM
(03-22-2019, 08:25 PM)Bizarrus Wrote: I've now written a TLD helper class for some extended domain names.
Here I'm using the public TLD list from https://publicsuffix.org/list/public_suffix_list.dat.
Here is the result:
PHP Code:
stdClass Object ( [prefix] => [domain] => example [suffix] => co.uk [original] => example.co.uk )
stdClass Object ( [prefix] => testing.example.somewhere [domain] => example [suffix] => co.uk [original] => testing.example.somewhere.example.co.uk )
stdClass Object ( [prefix] => subdomain [domain] => example [suffix] => co.uk [original] => subdomain.example.co.uk )
stdClass Object ( [prefix] => subdomain [domain] => example [suffix] => de [original] => subdomain.example.de )
stdClass Object ( [prefix] => [domain] => example [suffix] => com [original] => example.com )
I will commit the new version once I have implemented the renewal process.
Relying on a third-party list seems a bit unreliable to me - especially as it slowly goes out of date and would need an update...
As Sentora already separates domains from subdomains, surely the above conditional that I suggested could be applied to only domains (and not any subdomains)? Sentora will always add a www alias to any domains added to the system, so why not just follow this behaviour and keep it simple?
Keith.