How to set up letsencrypt on OpenSUSE 13.2 (Tutorial)

hatto · December 4, 2015, 5:29pm

I want to share my experience with setting up letsencrypt on a server with OpenSUSE 13.2 and apache2 to create a kind of tutorial.

I suppose you have a running apache2 web server with a virtual host config file named /etc/apache2/vhosts.d/mydomain.example.com.conf for the domain mydomain.example.com

Log in to your server by ssh, make yourself root. Then:

1. Install required extra packages

cd /root
zypper in git

On OpenSUSE 13.2 you will also need (versions of python > 2.7.8 probably will not require this):
zypper in python-pyOpenSSL

2. Install letsencrypt

git clone https://github.com/letsencrypt/letsencrypt

3.Configure data for letsencrypt

Create a file /etc/letsencrypt/cli.ini with this contents:

    rsa-key-size = 4096
    email = myaddress@example.com
    authenticator = webroot
    webroot-path = /srv/www/vhosts/mydomain.example.com
    domain = mydomain.example.com

Obviously the webroot path must reflect the value of DocumentRoot in your server configfile /etc/apache2/vhosts.d/mydomain.example.com.conf, and email should be your address.

4. Get your certificate

cd /root/letsencrypt
./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini

5. Configure the https server

If step 4 was successful, you’ll find your certificates in /etc/letsencrypt/live/mydomain.example.com/. Now you need to configure your apache2 to use these certificates. At first copy your http config file to a https config file:

cp -a /etc/apache2/vhosts.de/mydomain.example.com.conf /etc/apache2/vhosts.de/mydomain.example.com-ssl.conf

In that newly created file modify the lines containing “<virtualhost …>” and “ServerName” by appending “:443” to IPs resp. domain name (resp. replacing “:80” by “:443”). After these lines add the following lines:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.example.com/privkey.pem

If you like, you may adjust the Logfile names (if you have the “combined” parameter in CustomLog, you may substitute that by “ssl_combined”).

Now make sure to have ssl activated in /etc/sysconfig/apache2:

APACHE_MODULES="[...] ssl [...]"
and
APACHE_SERVER_FLAGS="SSL"

Now restart the apache2 server (after a check):

rcapache2 configtest
rcapache2 restart

6. Renewal of the certificate

If all that was successful, you may wait two months (not more than 89 days) to renew your certifcate by repeating step 4. The apache2 server does not need any new configuration, but (possibily?) a restart.

jtolksdo · December 19, 2015, 11:11am

Hi,
I got stuck at Item 4, when executing:

s18366321:~/letsencrypt # ./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini
Updating letsencrypt and virtual environment dependencies...... Could not find a version that satisfies the requirement letsencrypt (from versions: )
No matching distribution found for letsencrypt

Any ideas for it?
I'm running generally OpenSuSE 13.1, but I've updated python to the latest release.

Osiris · December 19, 2015, 11:32am

Two things:

Does the Apache plugin fail on OpenSUSE 13.2?
Doesn’t OpenSUSE 13.2 have a graceful restart of Apache? That way you won’t have any downtime.

@jtolksdo: Run letsencrypt-auto with the -vv switch(es) for more debug information.

jtolksdo · December 19, 2015, 12:02pm

Hi Osiris,
Thanks for The quick reply. Here’s my output:

s18366321:~/letsencrypt # ./letsencrypt-auto -vvv
-vvv
Updating letsencrypt and virtual environment dependencies…
Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Collecting letsencrypt
Could not find a version that satisfies the requirement letsencrypt (from versions: )
No matching distribution found for letsencrypt

Any ideas?

jtolksdo · December 19, 2015, 12:03pm

PS to your questions:
I’m running 13.1, but I’ve updated Python from a current repository.

I don’t mind a short downtime of Apache.

jtolksdo · December 20, 2015, 11:58am

@Osiris any ideas?
Sorry for bothering …

Osiris · December 20, 2015, 12:11pm

Those error messages are not from letsencrypt-auto itself. They are produced by the pip install command. But I have no clue what pip is, nor any experience with OpenSuse, so I can’t help you with that I’m afraid. It looks like it doesn’t have letsencrypt in its repository.

jtolksdo · December 20, 2015, 12:13pm

@osiris Thanks for your reply. I’ll add some research to it! Again, thanks for the hint the issue comes from pip!

hatto · February 12, 2016, 3:18pm

My answer to Osiris’ questions:

I did not try the Apache plugin since I had some special configurations which I did not want to be touched by this plugin.
As far as I remember a restart may be needed if additional apache plugins (like SSL) are activated. Now I renewed the certificate (as I have described in step 6) and can confirm that after the renewal a “rcapache2 reload” is (needed but) sufficient, which means that a renewal (e.g. by a cron job) does not cause a downtime.

Atarallo_UY · June 13, 2016, 4:23pm

We’ve noticed the behaviour you describe. And traced the reason of the problem. OpenSuSE 13.1 and 13.2 use systemd. The script uses apachectl, that doesn’t behave well under systemd.

fergru · June 15, 2016, 7:54am

Hi,
thank you for this tutorial. I got https over letsencrypt to work on my suseLeap server with apache2. Before I used a snakeoil certificate (selfsigned).

I modificated step 5 of the tutorial and edited the file /etc/apache2/default-server.conf instead of one file in /etc/apache2/vhosts. Now https over letsencryt works only on the default server. The other domains on my server (virtual hosts) still are using my self signed certificate …

Firefox does no more allow an exception rule for this https sites, I don’t know why. Therefore I was forced to find a sulution and I found it in letsencrypt - but until now only for my default server.

Please can you help me that all my virtual hosts can be used over https and using letsencrypt certificates.

I suppose that I have to change beginning with step 3 of your tutorial. What must be changed in /etc/letsecrypt/cli.ini? Please help.

fergru · June 16, 2016, 8:51am

I myself found the simple solution:

Change webroot path to webroot of Virtual Host in /etc/letsecrypt/cli.ini
Change domain name, can also be two or more domain names - aliases, separated by commas in /etc/letsecrypt/cli.ini.
Enter the command ./letsencrypt-auto certonly -c /etc/letsencrypt/cli.ini
Add the paths of the certificates in config file of Virtual Host in folder/etc/apache2/vhosts.d
Restart the webserver

You must do the same steps for each Virtual Host.
This worked for me.

dspaan · October 1, 2017, 12:51pm

Thanks for this guide. When i am at step 4 the command line is simply frozen, no errors, no success. Any suggestions?