First impression from beta / Feedback

I was invited today to the beta program and I want to give some feedback.

First it started well… But the guide ended with running ./letsencrypt-auto, and the site wasn’t running on HTTPS. I found that it created a new file in sites-available but it did not link it to sites-enabled. I did it manually. In the file the paths to the certs were missing and SSLCertificateChainFile was missing, so the certs weren’t trusted. Then I needed to link the ssl and socache_shmcb mods to mods-enabled. And then it was working…

I needed to add a redirect from http to https and an HSTS header. Then I got A+ on SSL Labs!

I think lots of these things can be done automatically by the executable (maybe with something like HSTS or the redirect being optional).

I liked it a lot! Thanks!

I am running Ubuntu 14.04 with Apache2.

2 Likes
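The manual fixes listed in the post above can be checked mechanically. This is an added example, not part of the original post or of the Let's Encrypt client: the `audit` function, the constructed sample vhost text and its placeholder paths are assumptions, as is the `headers` module check (Apache needs mod_headers to set HSTS).

```python
import re

# One match per <VirtualHost addr> ... </VirtualHost> block.
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Directives the post had to add by hand. Patterns anchor at line start,
# so a commented-out directive does not count as present.
# Note: from Apache 2.4.8 the chain may live in SSLCertificateFile instead.
TLS_CHECKS = {
    "SSLEngine on": r"^\s*SSLEngine\s+on\b",
    "SSLCertificateFile": r"^\s*SSLCertificateFile\s+\S+",
    "SSLCertificateKeyFile": r"^\s*SSLCertificateKeyFile\s+\S+",
    "SSLCertificateChainFile": r"^\s*SSLCertificateChainFile\s+\S+",
    "HSTS header": r"^\s*Header\s+(always\s+)?set\s+Strict-Transport-Security\b",
}
REDIRECT = r"^\s*(Redirect(Match)?|RewriteRule)\b.*https://"
NEEDED_MODS = {"ssl", "socache_shmcb", "headers"}  # headers: assumption, for HSTS


def audit(conf, enabled_mods):
    """Return sorted findings for one site file's text and the enabled modules."""
    missing = NEEDED_MODS - set(enabled_mods)
    findings = [f"module not enabled: {m}" for m in missing]
    for addr, body in VHOST.findall(conf):
        addr = addr.strip()
        if addr.endswith(":443"):
            for name, pat in TLS_CHECKS.items():
                if not re.search(pat, body, re.M | re.I):
                    findings.append(f"{addr}: missing {name}")
        elif not re.search(REDIRECT, body, re.M | re.I):
            findings.append(f"{addr}: no redirect to https")
    return sorted(findings)


# Constructed sample: roughly the half-configured state the post describes.
SAMPLE = """
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # SSLCertificateFile /path/placeholder/cert.pem
    SSLCertificateKeyFile /path/placeholder/privkey.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"ssl"}):
        print(finding)
```

On a real host the text would come from the file linked in sites-enabled and the module set from the names in mods-enabled.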

Yes, I got mine today too. I am running CentOS 6.7 and had problems with Python that I finally worked out by running Python 2.7.10 in a virtualenv. Once I got that beat into shape I missed the .well-known/acme-challenge info. I caught that on the second attempt but had to create the directories and file manually, but then it worked!!! Yay! I updated my ssl.conf file and now Firefox and all the rest show a secure connection verified by Let’s Encrypt.

I am so happy! This is great.

PS - I only got an A but it beats what I had before!

I foobarred my initial request to participate as a couple domains were appended together so I had something like domain1.us.domain2.net. Attempting to correct the error when submitting the initial list resulted in an error…

After correcting the list and running it again, only one of the domains was actually submitted. Command run:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

So try again… This time with just one domain, since I noticed Apache was not fully configured.
./letsencrypt-auto -d www.example.com run
It configured Apache correctly for Mozilla’s intermediate crypto configuration, but the cert itself was foobarred, essentially a self-signed cert.

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d www.example.com run
I surf to example.com and it looks like another foobarred cert: the cert was not valid for example.com and is valid for www.example.com. I didn’t expect that!

OK, I’ll try another domain…
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.example.net -d example.net run
Success… Excellent!

Now how can I configure better crypto and redirect HTTP automatically? ./letsencrypt-auto --help security shows:

security:
  Security parameters & server settings

  -B N, --rsa-key-size N
                        Size of the RSA key. (default: 2048)
  -r, --redirect        Automatically redirect all HTTP traffic to HTTPS for
                        the newly authenticated vhost. (default: False)
  --strict-permissions  Require that all configuration files are owned by the
                        current user; only needed if your config is somewhere
                        unsafe like /tmp/ (default: False)

The auto configuration sources /etc/letsencrypt/options-ssl-apache.conf, so a little editing and that should be good!

Let’s try another one with the --redirect option.
This run shows another issue: domain configurations are being read from /etc/apache2/sites-available/ rather than /etc/apache2/sites-enabled/, so letsencrypt-auto picked the wrong file and produced an error “Error: should be only one vhost”.

The --redirect doesn’t work: Existing Redirect present on HTTP vhost. Strangely, testing another domain reported “Let’s Encrypt has already enabled redirection”, but it did not enable the redirect.