CentOS 7 with Apache: Happy Hacker Fake CA / whitelisted


#1

Hello community.

On CentOS 7 the command ./letsencrypt-auto does not work:

No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

So I used the command letsencrypt-auto certonly and got 3 PEM files. I converted two PEM files using the following commands

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

openssl rsa -outform der -in privkey.pem -out private.key

and got my crt and key file. I put the config in /etc/httpd/conf.d/ssl.conf and thought that's it.

But the result is a certificate from the Happy Hacker Fake CA. Yes, the domain is whitelisted.

In another thread it was written "use the server option".

How do I do that? What am I doing wrong?


#2

The email inviting you to the beta showed you the --server option (highlighted in yellow even, at least mine was); it's also here in the Beta Announcements post.


#3

Additionally, you don’t need (and shouldn’t use) any openssl commands or move any files.


#4

Hello kelunik and Kromey, thanks for the help. I am now one step further.
I reinstalled CentOS 7 and started from scratch.
(Yes, with the reinstall I deleted the /etc/letsencrypt/accounts folder.)
I stopped Apache (service httpd stop) and ran the command

./letsencrypt-auto certonly -a standalone -d myserver.de -d www.myserver.de \
  --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview
At least there was a message:

"IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/myserver.de/fullchain.pem. Your cert will expire on 2016-02-12. To obtain a new version of the certificate in the future, simply run Let's Encrypt again."

After starting Apache (service httpd start) there is still no HTTPS available, just HTTP.

Using nmap localhost from the machine, I get the following results:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-14 11:24 MET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000014s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
80/tcp open  http

There is no port 443 open!
service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: inactive (dead) since Sat 2015-11-14 11:12:42 MET; 13min ago
  Process: 1167 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 1133 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 1133 (code=exited, status=0/SUCCESS)

There are some logfiles in /var/log/letsencrypt.

I guess it doesn't work on CentOS 7 with a single command.

If it does, I would be happy for any link/useful information.


#5

The standalone version doesn’t automatically configure your webserver IIRC. You can find an example configuration in the Mozilla Wiki: https://wiki.mozilla.org/Security/Server_Side_TLS#Apache

Your paths will look like:

SSLCertificateFile      /etc/letsencrypt/live/myserver.de/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/myserver.de/chain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/myserver.de/privkey.pem
SSLCACertificateFile    /etc/letsencrypt/live/myserver.de/fullchain.pem
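To make the path list above concrete, here is an added example (not code from this thread or from the Let's Encrypt client) that renders a complete httpd 2.4 vhost pair for a domain whose certificate lives under /etc/letsencrypt/live/ and drops it into /etc/httpd/conf.d/. The domain, DocumentRoot and output file name are assumptions for illustration; the certificate file names are the ones the client writes.

```shell
#!/bin/sh
# Added example (not from the thread): render an httpd 2.4 TLS vhost for a
# domain issued by Let's Encrypt. DOMAIN, DOCROOT and the conf.d file name
# are assumptions; the live/ paths are what the client creates.

# render_vhost DOMAIN DOCROOT  -> prints the vhost configuration to stdout
render_vhost() {
    domain="$1"
    docroot="$2"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
# Cleartext vhost only redirects, so nothing is served over plain HTTP.
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot

    SSLEngine on
    # Leaf certificate and private key, PEM, exactly as the client wrote them.
    SSLCertificateFile      $live/cert.pem
    SSLCertificateKeyFile   $live/privkey.pem
    # Intermediate chain; required on httpd < 2.4.8 (CentOS 7 ships 2.4.6).
    SSLCertificateChainFile $live/chain.pem
    # SSLCACertificateFile is deliberately absent: httpd only reads it to
    # verify *client* certificates, it does not help ordinary visitors.

    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
</VirtualHost>
EOF
}

# install_vhost DOMAIN DOCROOT  -> writes the file and syntax-checks httpd
install_vhost() {
    render_vhost "$1" "$2" > "/etc/httpd/conf.d/$1.conf"
    httpd -t
}
```

Only SSLCertificateFile, SSLCertificateKeyFile and (on the CentOS 7 build) SSLCertificateChainFile are needed to serve the certificate. Note that the vhost alone does not open port 443: the Listen 443 directive comes from /etc/httpd/conf.d/ssl.conf, which is installed by the mod_ssl package, so without that package httpd neither knows SSLEngine nor binds the port.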

#6

Thanks for your help kelunik,

"The standalone version doesn't automatically configure your webserver IIRC"

Will this work in the future?

But wasn't that the aim of Let's Encrypt? An automatic tool which installs HTTPS automatically?

Following the guide on DigitalOcean https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7 I already created several self-signed certificates within 10 minutes or even less.

In the meantime, I found a syntax error. In the email regarding the beta program it was written:

./letsencrypt-auto certonly -a webroot --webroot-path /var/www/example \
  -d example.com -d www.example.com \
  -server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

It should be:

./letsencrypt-auto certonly -a webroot --webroot-path /var/www/example \
  -d example.com -d www.example.com \
  --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

Using two "-" before the word server instead of one single "-".

But your example is still not clear to me.

Should I use the example you linked and put the information starting with <VirtualHost *:443> in my /etc/conf/httpd.conf file?


#7

Usually you create another file for each vhost. The LE client supports only Debian based configurations currently for automatic configuration.

Email has been right with --server for me 10 days ago, has that changed @jsha?


#8

OK, I created a single vhost. I tried starting Apache and it tells me:

AH00526: Syntax error on line 7 of /etc/httpd/sites-enabled/myserver.de.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

The command in line 7 is SSLEngine on.

Is there an Apache/SSL module on CentOS 7 which needs to be enabled in addition to Let's Encrypt?

I got the email regarding the beta program on November the 10th.


#9

yes, mod_ssl needs to be enabled.
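As an added example (not from this thread or the Let's Encrypt client), here is a small post-issuance checklist for CentOS 7 with httpd that turns the diagnosis of this thread into checks: is mod_ssl loaded, does httpd have a Listen directive for 443, and did the certificate come from the production CA rather than the staging "happy hacker fake CA" named in the first post. Each check_* function reads the relevant command output on stdin so it can be exercised with constructed input; run_checks wires them to the real commands. The domain argument and file locations are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Let's Encrypt client.
# Post-issuance checklist for CentOS 7 + httpd. Each check_* reads the
# output of one command on stdin so it can be tested offline.

# Input: `httpd -M`. Succeeds if mod_ssl is loaded; without it SSLEngine is
# an "Invalid command" and httpd never binds :443.
check_ssl_module() {
    grep -q '^[[:space:]]*ssl_module[[:space:]]'
}

# Input: httpd configuration text. Succeeds if some Listen directive binds
# port 443 (plain "Listen 443", "Listen 1.2.3.4:443" or "Listen [::]:443").
check_listen_443() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+(\[[^]]*\]:|[0-9.]+:)?443([[:space:]]|$)'
}

# Input: `openssl x509 -noout -issuer`. Succeeds only if the issuer is NOT
# the staging "happy hacker fake CA", i.e. --server pointed at production.
check_issuer() {
    ! grep -qi 'happy hacker fake CA'
}

# Wire the checks to the live system. DOMAIN is an assumption.
run_checks() {
    domain="$1"
    rpm -q mod_ssl >/dev/null 2>&1 || yum -y install mod_ssl
    httpd -M 2>/dev/null | check_ssl_module \
        || { echo "mod_ssl is not loaded"; return 1; }
    cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf 2>/dev/null | check_listen_443 \
        || { echo "no Listen 443 directive (mod_ssl's ssl.conf normally provides it)"; return 1; }
    openssl x509 -noout -issuer -in "/etc/letsencrypt/live/$domain/cert.pem" | check_issuer \
        || { echo "staging certificate; re-run with the production --server URL"; return 1; }
    # firewalld is the CentOS 7 default; a failure here just means it is not running.
    firewall-cmd --permanent --add-service=https >/dev/null 2>&1 \
        && firewall-cmd --reload >/dev/null 2>&1
    httpd -t && systemctl restart httpd || return 1
    # Prove the listener is up and presents the expected certificate.
    openssl s_client -connect 127.0.0.1:443 -servername "$domain" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Run it as root with `run_checks myserver.de`; each failing check prints the one thing to fix, and the final s_client line is the same evidence nmap gave above, but with the served certificate's subject and issuer attached.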


#10

OK, now it works. Thx for your great help!!! I hope this thread will help any other centos 7 users as well.


#11

Thanks for pointing out the typo. That was introduced in a recent revision of the invite email, and it’s now fixed.

Yes, the Let’s Encrypt client supports automated configuration of your web server: that’s the first example command (the “Apache plugin”) under “How to use the client” in your beta invite email. The command line you ran is for the standalone mode, which doesn’t do automated configuration.


#12

Hello jsha,
should the automatic configuration work on CentOS 7 as well? This thread is about CentOS 7, not Debian.


#13

Thanks for the reminder @marspa, I missed that. Automatic configuration isn’t yet supported in CentOS.


#14

No problem jsha. I'm glad to participate as a CentOS 7 beta tester.