This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

[Module] Let's Encrypt
#1
[Module] Let's Encrypt
Hey There,


today i had written a Let's Encrypt module, because it's currently no others available.


[Image: icon.png] Let's Encrypt for Sentora
Add Let's Encrypt certificates to your domain

[Image: to-do.png] Available Functions
  • [Image: key.png] Automated register with client E-Mail
  • [Image: approval.png] Request new SSL Certificates
  • [Image: close-window.png] Revoke SSL Certificates
  • [Image: environment.png] Renew SSL Certificates (in development)
  • [Image: certificate.png] Wildcard Certificates (in development)
[Image: services.png]Installation

Code:
zppy repo add sentcrypt.tk
zppy update

zppy install letsencrypt
[Image: picture.png]Screenshots
[Image: preview.png]

[Image: github-2.png] GitHub

Quote:https://github.com/Bizarrus/Sentora-LetsEncrypt/
Reply
Thanks given by: Ron-e
#2
RE: [Module] Let's Encrypt
(03-22-2019, 05:47 AM)Bizarrus Wrote: Hey There,


today i had written a Let's Encrypt module, because it's currently no others available.


[Image: icon.png] Let's Encrypt for Sentora
Add Let's Encrypt certificates to your domain

[Image: to-do.png] Available Functions
  • [Image: key.png] Automated register with client E-Mail
  • [Image: approval.png] Request new SSL Certificates
  • [Image: close-window.png] Revoke SSL Certificates
  • [Image: environment.png] Renew SSL Certificates (in development)
  • [Image: certificate.png] Wildcard Certificates (in development)
[Image: services.png]Installation

Code:
zppy repo add sentcrypt.tk
zppy update

zppy install letsencrypt
[Image: picture.png]Screenshots
[Image: preview.png]

[Image: github-2.png] GitHub

Wow - this looks incredible!

I will download and test it out tonight Smile

Did you write this from scratch or is it based on a previous attempt to incorporate Let's Encrypt with Sentora?

Keith.
Reply
Thanks given by:
#3
RE: [Module] Let's Encrypt
Only a Helper-Class (ACMECert) is used (Source: https://github.com/skoerfgen/ACMECert), all other is selfwritten.
Reply
Thanks given by:
#4
RE: [Module] Let's Encrypt
(03-22-2019, 07:14 AM)Bizarrus Wrote: Only a Helper-Class (ACMECert) is used (Source: https://github.com/skoerfgen/ACMECert), all other is selfwritten.

Seems to work exactly as expected!

I have to say, I think the Sentora community will thank you for this... Big Grin

What about renewals - are these taken care of through a cron job built into the module, or is another mechanism taking care of it? Or will it have to be done manually by the user?

Keith.
Reply
Thanks given by:
#5
RE: [Module] Let's Encrypt
Normally im using the latest Certbot release from GitHub. But the restrictions of permissions makes it hart to interact with Shell-Scripts, thats why im using an simple (but effective) Web-API.

The renewal process will be added to the default cron, that was my first things.

I hope the module will work on most users with older PHP versions, i had seen, that on CentOS, PHP 5.6 will be installed and on Debian is PHP 5.4 presented. But my code style is a little bit newer (For sample [] as Arrays instead of array()).

On further releases, Wildcards will be implemented with an direct interaction of DNS. The ACME-Challenges will be stored as TXT record and i will try to check out if it possible to interact here with post processesif the DNS records are published.

Im new on Sentora, im not an consumer/user of Sentora, i had written these module for a friend. Sentora seems very old, the template engine is very annoying with only minimal informations and that is, why i had crying two hours with their special and restricted syntax Big Grin
Reply
Thanks given by:
#6
RE: [Module] Let's Encrypt
(03-22-2019, 02:40 PM)Bizarrus Wrote: Normally im using the latest Certbot release from GitHub. But the restrictions of permissions makes it hart to interact with Shell-Scripts, thats why im using an simple (but effective) Web-API.

The renewal process will be added to the default cron, that was my first things.

I hope the module will work on most users with older PHP versions, i had seen, that on CentOS, PHP 5.6 will be installed and on Debian is PHP 5.4 presented. But my code style is a little bit newer (For sample [] as Arrays instead of array()).

On further releases, Wildcards will be implemented with an direct interaction of DNS. The ACME-Challenges will be stored as TXT record and i will try to check out if it possible to interact here with post processesif the DNS records are published.

Im new on Sentora, im not an consumer/user of Sentora, i had written these module for a friend. Sentora seems very old, the template engine is very annoying with only minimal informations and that is, why i had crying two hours with their special and restricted syntax Big Grin

Yes I know, there does not appear to be much of a push to keep Sentora up-to-date but I try to keep the versions I run on my own servers up-to-date. I am running my Sentora servers with PHP 7.3 and can confirm that the module you have created seems perfectly happy with this version of PHP so far.

One thing I noticed is that the certificate chain is incomplete, as reported using services such as https://www.htbridge.com/ssl/ and https://www.ssllabs.com/ssltest/. It looks like the module is setting the SSLCertificateFile and SSLCertificateKeyFile values but is not setting the SSLCertificateChainFile value which might be what is causing this? I see that the SSLCertificateFile points to the "fullchain" file but in my experience it would be better to point this at the "cert" file and add SSLCertificateChainFile and point this at the "chain" file. I believe this would solve the issue? I just tested changing the entries to this:

SSLCertificateFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.cert
SSLCertificateChainFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.chain
SSLCertificateKeyFile /var/sentora/hostdata/myuseraccount/letsencrypt/mydomain.com.rsa

and it seems to work correctly.

Just to clarify, is the cron renewal something that is already implemented, or something that you have not yet added in?

Keith
Reply
Thanks given by:
#7
RE: [Module] Let's Encrypt
(03-22-2019, 02:40 PM)Bizarrus Wrote: Normally im using the latest Certbot release from GitHub. But the restrictions of permissions makes it hart to interact with Shell-Scripts, thats why im using an simple (but effective) Web-API.

The renewal process will be added to the default cron, that was my first things.

I hope the module will work on most users with older PHP versions, i had seen, that on CentOS, PHP 5.6 will be installed and on Debian is PHP 5.4 presented. But my code style is a little bit newer (For sample [] as Arrays instead of array()).

On further releases, Wildcards will be implemented with an direct interaction of DNS. The ACME-Challenges will be stored as TXT record and i will try to check out if it possible to interact here with post processesif the DNS records are published.

Im new on Sentora, im not an consumer/user of Sentora, i had written these module for a friend. Sentora seems very old, the template engine is very annoying with only minimal informations and that is, why i had crying two hours with their special and restricted syntax Big Grin

Looking at the code in LetsEncrypt.php more closely, there seems to be an issue with adding the www to domains.

Sentora always creates a www Alias entry for a vhost for any domain that doesn't begin with www, so for example, if I have:

mydomain.com

on my Sentora server, Sentora will add an Alias entry for:

www.mydomain.com

as well.

The LetsEncrypt.php seems to do something quite bizarre and check how many sections a domain name has to determine whether to include a www version as a Subject Alternative Name entry. This falls down if a domain name has a two-section TLD, such as .co.uk. If I had the domain:

mydomain.co.uk

on my server, your module will see the three sections of the domain name and not include:

www.mydomain.co.uk

in the SSL certificate, even though Sentora listens for this.

I propose simply detecting whether the domain begins with www. or not, so change this section of code:

Code:
if(!(count(explode('.', $domain)) > 2)) {
$config['www.' . $domain] = [
'challenge' => 'http-01',
'docroot' => sprintf('%s%s/public_html/%s/', $this->host_path, $this->account, str_replace('.', '_', $domain))
];
}

to this:

Code:
if (!(strpos($domain, 'www.') === 0)) {
$config['www.' . $domain] = [
'challenge' => 'http-01',
'docroot' => sprintf('%s%s/public_html/%s/', $this->host_path, $this->account, str_replace('.', '_', $domain))
];
}

Keith
Reply
Thanks given by:
#8
RE: [Module] Let's Encrypt
Thanks for the response!

I will update the VHost configuration and check the Results later on SSLLabs Smile

The renewal cron is currently not developed, this part will be created today.

The Issue with www. Domains is a mistake, yep! I had only test simple TLDs like de, com and other, but not extended TLDs like co.uk. I will fix that bad behavior in 1 hour. And no, i cant check if the domain has an "www." at the start point. The www. Entry is only for Domain names whithout subdomains like example.com. Here, by default, the www. Entry will appears.

For users which have problems with the Apache's SSL mod, you must comment out the Listen-Entry on Port 443 by the default configuration. Sentora will add here automatically the same Listen-Entry and Apache will see here an conflict about the duplicate Listen-Entry Smile I will try to fix these Problem by an automatical resolver
Reply
Thanks given by:
#9
RE: [Module] Let's Encrypt
I've written now an TLD-HelperClass for some extended domain names.
Here i'm using the public TLD-List from https://publicsuffix.org/list/public_suffix_list.dat.

Here is the Result:
PHP Code:
stdClass Object
(
    [
prefix] => 
    [
domain] => example
    
[suffix] => co.uk
    
[original] => example.co.uk
)
stdClass Object
(
    [
prefix] => testing.example.somewhere
    
[domain] => example
    
[suffix] => co.uk
    
[original] => testing.example.somewhere.example.co.uk
)
stdClass Object
(
    [
prefix] => subdomain
    
[domain] => example
    
[suffix] => co.uk
    
[original] => subdomain.example.co.uk
)
stdClass Object
(
    [
prefix] => subdomain
    
[domain] => example
    
[suffix] => de
    
[original] => subdomain.example.de
)
stdClass Object
(
    [
prefix] => 
    [
domain] => example
    
[suffix] => com
    
[original] => example.com


I will commit the new version, if i had implemented the renewing process.
Reply
Thanks given by:
#10
RE: [Module] Let's Encrypt
(03-22-2019, 08:25 PM)Bizarrus Wrote: I've written now an TLD-HelperClass for some extended domain names.
Here i'm using the public TLD-List from https://publicsuffix.org/list/public_suffix_list.dat.

Here is the Result:
PHP Code:
stdClass Object
(
 
   [prefix] => 
 
   [domain] => example
    
[suffix] => co.uk
    
[original] => example.co.uk
)
stdClass Object
(
 
   [prefix] => testing.example.somewhere
    
[domain] => example
    
[suffix] => co.uk
    
[original] => testing.example.somewhere.example.co.uk
)
stdClass Object
(
 
   [prefix] => subdomain
    
[domain] => example
    
[suffix] => co.uk
    
[original] => subdomain.example.co.uk
)
stdClass Object
(
 
   [prefix] => subdomain
    
[domain] => example
    
[suffix] => de
    
[original] => subdomain.example.de
)
stdClass Object
(
 
   [prefix] => 
 
   [domain] => example
    
[suffix] => com
    
[original] => example.com


I will commit the new version, if i had implemented the renewing process.

Relying on a third-party list seems a bit unreliable to me - especially as it slowly goes out of date and would need an update...

As Sentora already separates domains from subdomains, surely the above conditional that I suggested could be applied to only domains (and not any subdomains)? Sentora will always add a www alias to any domains added to the system, so why not just follow this behaviour and keep it simple?

Keith.
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
[Module] ELFileManager (build on elfinder) Diablo925 94 289 ,074 05-30-2024, 05:25 AM
Last Post: TGates
[MODULE] phpMyAdmin-AU (Auto-Update) TGates 14 44 ,931 06-15-2021, 06:54 AM
Last Post: TGates
[MODULE] SenBrand - Basic Branding module for Sentora TGates 20 49 ,447 06-04-2021, 11:47 AM
Last Post: ccr1969

Forum Jump:


Users browsing this thread: 3 Guest(s)