How to set up letsencrypt on OpenSUSE 13.2 (Tutorial)


#1

I want to share my experience with setting up letsencrypt on a server with OpenSUSE 13.2 and apache2 to create a kind of tutorial.

I suppose you have a running apache2 web server with a virtual host config file named /etc/apache2/vhosts.d/mydomain.example.com.conf for the domain mydomain.example.com

Log in to your server by ssh, make yourself root. Then:

1. Install required extra packages

    cd /root
    zypper in git

On OpenSUSE 13.2 you will also need (versions of python > 2.7.8 probably will not require this):

    zypper in python-pyOpenSSL

2. Install letsencrypt

    git clone https://github.com/letsencrypt/letsencrypt

3. Configure data for letsencrypt

Create a file /etc/letsencrypt/cli.ini with these contents:

    rsa-key-size = 4096
    email = myaddress@example.com
    authenticator = webroot
    webroot-path = /srv/www/vhosts/mydomain.example.com
    domain = mydomain.example.com

Obviously the webroot path must reflect the value of DocumentRoot in your server config file /etc/apache2/vhosts.d/mydomain.example.com.conf, and email should be your address.

4. Get your certificate

    cd /root/letsencrypt
    ./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini

5. Configure the https server

If step 4 was successful, you’ll find your certificates in /etc/letsencrypt/live/mydomain.example.com/. Now you need to configure your apache2 to use these certificates. First, copy your http config file to a https config file:

    cp -a /etc/apache2/vhosts.d/mydomain.example.com.conf /etc/apache2/vhosts.d/mydomain.example.com-ssl.conf

In that newly created file modify the lines containing “<virtualhost …>” and “ServerName” by appending “:443” to IPs resp. domain name (resp. replacing “:80” by “:443”). After these lines add the following lines:

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.example.com/privkey.pem

If you like, you may adjust the Logfile names (if you have the “combined” parameter in CustomLog, you may substitute that by “ssl_combined”).

Now make sure to have ssl activated in /etc/sysconfig/apache2:

    APACHE_MODULES="[...] ssl [...]"

and

    APACHE_SERVER_FLAGS="SSL"

Now restart the apache2 server (after a check):

    rcapache2 configtest
    rcapache2 restart

6. Renewal of the certificate

If all that was successful, you may wait two months (not more than 89 days) to renew your certificate by repeating step 4. The apache2 server does not need any new configuration, but (possibly?) a restart.


#2

Hi,
I got stuck at Item 4, when executing:

    s18366321:~/letsencrypt # ./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini
    Updating letsencrypt and virtual environment dependencies… Could not find a version that satisfies the requirement letsencrypt (from versions: )
    No matching distribution found for letsencrypt

Any ideas for it?
I’m generally running OpenSuSE 13.1, but I’ve updated python to the latest release.


#3

Two things:

  1. Does the Apache plugin fail on OpenSUSE 13.2?
  2. Doesn’t OpenSUSE 13.2 have a graceful restart of Apache? That way you won’t have any downtime.

@jtolksdo: Run letsencrypt-auto with the -vv switch(es) for more debug information.


#4

Hi Osiris,
Thanks for the quick reply. Here’s my output:

    s18366321:~/letsencrypt # ./letsencrypt-auto -vvv
    -vvv
    Updating letsencrypt and virtual environment dependencies…
    Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Collecting letsencrypt
    Could not find a version that satisfies the requirement letsencrypt (from versions: )
    No matching distribution found for letsencrypt

Any ideas?


#5

PS to your questions:
I’m running 13.1, but I’ve updated Python from a current repository.

I don’t mind a short downtime of Apache.


#6

@Osiris any ideas?
Sorry for bothering …


#7

Those error messages are not from letsencrypt-auto itself. They are produced by the pip install command. But I have no clue what pip is, nor any experience with OpenSuse, so I can’t help you with that, I’m afraid. It looks like it doesn’t have letsencrypt in its repository.


#8

@osiris Thanks for your reply. I’ll add some research to it! Again, thanks for the hint that the issue comes from pip!


#9

My answer to Osiris’ questions:

  1. I did not try the Apache plugin since I had some special configurations which I did not want to be touched by this plugin.

  2. As far as I remember a restart may be needed if additional apache plugins (like SSL) are activated. Now I renewed the certificate (as I have described in step 6) and can confirm that after the renewal a “rcapache2 reload” is (needed but) sufficient, which means that a renewal (e.g. by a cron job) does not cause a downtime.


#10

We’ve noticed the behaviour you describe and traced the reason for the problem. OpenSuSE 13.1 and 13.2 use systemd. The script uses apachectl, which doesn’t behave well under systemd.


#11

Hi,
thank you for this tutorial. I got https over letsencrypt to work on my suseLeap server with apache2. Before, I used a snakeoil certificate (self-signed).

I modified step 5 of the tutorial and edited the file /etc/apache2/default-server.conf instead of one file in /etc/apache2/vhosts. Now https over letsencrypt works only on the default server. The other domains on my server (virtual hosts) are still using my self-signed certificate …

Firefox no longer allows an exception rule for these https sites; I don’t know why. Therefore I was forced to find a solution, and I found it in letsencrypt - but until now only for my default server.

Can you please help me so that all my virtual hosts can be used over https with letsencrypt certificates?

I suppose that I have to make changes beginning with step 3 of your tutorial. What must be changed in /etc/letsencrypt/cli.ini? Please help.


#12

I myself found the simple solution:

  1. Change the webroot path to the webroot of the Virtual Host in /etc/letsencrypt/cli.ini
  2. Change the domain name in /etc/letsencrypt/cli.ini; it can also be two or more domain names (aliases), separated by commas.
  3. Enter the command ./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini
  4. Add the paths of the certificates in the config file of the Virtual Host in the folder /etc/apache2/vhosts.d
  5. Restart the webserver

You must do the same steps for each Virtual Host.
This worked for me.
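
Added example, not part of any post in this thread and not code from the letsencrypt project: a pre-restart consistency check for the per-vhost procedure above and for step 3 of the tutorial, comparing cli.ini with the SSL vhost file. The function names and sample inputs are constructed for illustration, and it assumes the live/ directory is named after the first domain listed in cli.ini.

```python
import re

# Constructed sample inputs modelled on the tutorial (not real server files).
CLI_INI = """\
authenticator = webroot
webroot-path = /srv/www/vhosts/mydomain.example.com
domain = mydomain.example.com, www.mydomain.example.com
"""
VHOST_SSL = """\
<VirtualHost *:443>
    ServerName mydomain.example.com:443
    DocumentRoot "/srv/www/vhosts/mydomain.example.com"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.example.com/privkey.pem
</VirtualHost>
"""

def parse_ini(text):
    """Parse the 'key = value' lines of cli.ini into a dict."""
    return dict(re.findall(r"^[ \t]*([\w-]+)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M))

def parse_vhost(text):
    """Map lower-cased Apache directive -> first argument (first occurrence wins)."""
    hits = re.findall(r'^[ \t]*([A-Za-z]+)[ \t]+"?([^"\s]+)', text, re.M)
    return {name.lower(): arg for name, arg in reversed(hits)}

def check_setup(cli_ini, vhost_conf, live="/etc/letsencrypt/live"):
    """Return a list of mismatches between cli.ini and the SSL vhost file."""
    ini, vh = parse_ini(cli_ini), parse_vhost(vhost_conf)
    domains = [d.strip() for d in ini.get("domain", "").split(",") if d.strip()]
    if not domains:
        return ["cli.ini: no domain set"]
    problems = []
    if ini.get("webroot-path", "").rstrip("/") != vh.get("documentroot", "").rstrip("/"):
        problems.append("webroot-path differs from DocumentRoot")
    if vh.get("servername", "").split(":")[0] not in domains:
        problems.append("ServerName is not among the cli.ini domains")
    if vh.get("sslengine", "").lower() != "on":
        problems.append("SSLEngine is not on")
    # Assumption: the live/ directory is named after the first domain listed.
    for directive, pem in (("SSLCertificateFile", "fullchain.pem"),
                           ("SSLCertificateKeyFile", "privkey.pem")):
        if vh.get(directive.lower()) != f"{live}/{domains[0]}/{pem}":
            problems.append(f"{directive} should be {live}/{domains[0]}/{pem}")
    return problems

if __name__ == "__main__":
    print(check_setup(CLI_INI, VHOST_SSL) or "cli.ini and vhost agree")
```

An empty result means the vhost serves the certificate that cli.ini requests; a vhost still pointing at a self-signed certificate shows up as two SSLCertificate* mismatches.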


#13

Thanks for this guide. When I am at step 4 the command line is simply frozen, no errors, no success. Any suggestions?