Installing letsencrypt

Hi,

Before i already made the following post:

The problem was that i was running on CentOS version 5.5, so first i had to update CentOS on my server. Now i did that and i started again with everything.

Because i am pretty much a newbie with server side things, i followed the instructions from:

https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

I did the following:

• Downloaded putty and made connection with the server as the root user.
• I checked the versions of CentOS and Python:

CentOS release 6.7 (Final)
Python 2.6.6

• Git was already installed on the server, so i did not have to do that.
• I gave to following command with Putty:

git clone GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

The response was:

git: /usr/local/lib/libz.so.1: no version information available (required by git)
Initialized empty Git repository in /letsencrypt/.git/
git-remote-https: /usr/local/lib/libz.so.1: no version information available (required by git-remote-https)
git: /usr/local/lib/libz.so.1: no version information available (required by git)
remote: Counting objects: 27171, done.
git: /usr/local/lib/libz.so.1: no version information available (required by git)
remote: Total 27171 (delta 0), reused 0 (delta 0), pack-reused 27171
Receiving objects: 100% (27171/27171), 7.08 MiB | 2.76 MiB/s, done.
Resolving deltas: 100% (19116/19116), done.

• I gave the following command with Putty:

cd letsencrypt

• I gave the following command with Putty:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'CONTACT@MYDOMAIN.NL' --webroot --webroot-path '/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/' -d MYDOMAIN.NL -d www.MYDOMAIN.NL

The end of the response was:

Complete!
WARNING: Python 2.6 support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

• So i runned it again with the --debug flag:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'CONTACT@MYDOMAIN.NL' --webroot --webroot-path '/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/' -d MYDOMAIN.NL -d www.MYDOMAIN.NL --debug

The response was:

Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile

• base: mirror.denit.net
• extras: mirror.denit.net
• updates: centos.mirror.triple-it.nl
  Package python-2.6.6-64.el6.x86_64 already installed and latest version
  Package python-devel-2.6.6-64.el6.x86_64 already installed and latest version
  No package python-virtualenv available.
  Nothing to do
  Loaded plugins: fastestmirror
  Setting up Install Process
  Loading mirror speeds from cached hostfile
• base: mirror.denit.net
• extras: mirror.denit.net
• updates: centos.mirror.triple-it.nl
  Package gcc-4.4.7-16.el6.x86_64 already installed and latest version
  Package dialog-1.1-9.20080819.1.el6.x86_64 already installed and latest version
  Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
  Package openssl-devel-1.0.1e-42.el6_7.1.x86_64 already installed and latest version
  Package libffi-devel-3.0.5-3.2.el6.x86_64 already installed and latest version
  Package redhat-rpm-config-9.0.3-44.el6.centos.noarch already installed and latest version
  Package ca-certificates-2015.2.4-65.0.1.el6_6.noarch already installed and latest version
  Nothing to do
  Creating virtual environment...
  ./letsencrypt-auto: line 167: virtualenv: command not found

If you take a loot at: https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

Then they are saying that the response has to be something like:

"Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/certificatemonitor.org/fullchain.pem. Your cert will expire on 2016-03-06. To obtain a new version of the certificate in the future, simply run Let's Encrypt again."

I also checked if the directory /etc/letsencrypt exists, but that's not the case:

[root@srv etc]# cd /
[root@srv /]# cd etc
[root@srv etc]# cd letsencrypt
-bash: cd: letsencrypt: No such file or directory

Now finally the question:

What is going wrong? I followed all the steps exactly...

p.s. Probably the problem is: "No package python-virtualenv available.". And probably i have to install that package? How can i do that and is that indeed the problem?

This is the interesting bit, I think. The docs state that the EPEL repository needs to be enabled on CentOS for letsencrypt to work. EPEL seems to include python-virtualenv. Try running yum install epel-release first and then run the letsencrypt-auto command again.

It’s weird, because i checked:

https://letsencrypt.readthedocs.org/en/latest/intro.html

And i checked the “System Requirements” and there they are saying nothing about EPEL.

But i did what you said, but now the response contains the following:

Creating virtual environment…
Updating letsencrypt and virtual environment dependencies…/root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
./root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
DeprecationWarning
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
DeprecationWarning

Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email CONTACT@MYDOMAIN.NL --webroot --webroot-path /home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/ -d MYDOMAIN.NL -d www.MYDOMAIN.NL --debug
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
DeprecationWarning

This will not be a problem later on? And the Python core team is saying that i have to update the Python version (HOW?), but letsencrypt is saying that 2.6 is okay in their “System Requirements”.

And one more question…the mailaddress is from a different domain then the certificate is on, but that’s no problem i think, right?

The documentation is indeed a bit redundant here, and not really in sync with the more detailed installation guide where this is mentioned.

It's fine, CentOS maintains older versions of packages they ship as long as the CentOS version is still supported. I'm not familiar enough with CentOS to say whether upgrading python is a good idea (it's generally a bit of a hassle on debian/ubuntu), but as long as you manage to get your certificates, there shouldn't be any issues in the future (unless letsencrypt drops 2.6 support completely).

That's okay, the email will only be used for renewal reminders (and in the future possibly account recovery if you lose the private key).

The latest Python 2.6 is from 2013 and was officially retired after that (security) update, so upgrading to 2.7 isn't such a bad thing in any case I recon. Two years without any security update, not such a good idea.

I've found a guide online with a warning: "if you install python 2.7 in any way other than the following you will destroy the system and make yum inoperable", but as long as you follow that guide, you should be fine I guess (no guarantees on my end ;))

My point is that CentOS still supports it, which means backporting security patches and such. Sure, it's still a good idea.

They do? Ugh, what a hassle… Even Debian oldstable (wheezy) has Python 2.7

Apparently, CentOS 6.7 comes with Python 2.6 by default. Only since CentOS 7 they provide Python 2.7.

Thank you very much! I think i am almost there. Now i already have https on my domain and i tested it with:

https://www.ssllabs.com/ssltest/analyze.html

I got an “A”, so that’s nice! To be sure i am gonna ask my host if it’s safe to install Python 2.7 on the server.

I still have some last questions:

— 1. Renewal —

On:

https://letsencrypt.org/howitworks/

They are saying:

“To renew a certificate, simply run letsencrypt again providing the same values when prompted. Let’s Encrypt is working hard to fully automate this process and we apologize for the inconvenience until this functionality is ready.”

But on:

https://letsencrypt.readthedocs.org/en/latest/using.html#renewal

There they are already giving some more options, but totally not with a clear explanation for newbies ;).

The thing is that i followed:

https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

I copy / paste the content of the certificate files in Directadmin. But in the “tutorial” they are saying:

Installing the certificates -> “As we can see they symlinked the files there. If you configure your own webserver manually, you can give these files as the location in your apace or nginx config. When you renew the certificate later on, you don’t have to update the webserver config, just a reload/restart.”

So for easy renawel i think i have to do that, right?

With Directadmin i can change “Custom HTTPD Configurations” for a specific domain. For example i can change:

SSLCertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.key
SSLCACertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cacert

But to what i have to change it? Letsencrypt is makeing 4 files: privkey.pem, fullchain.pem, chain.pem, cert.pem, but there are only 3 files: MYDOMAIN.nl.cert, MYDOMAIN.nl.key, MYDOMAIN.nl.cacert

And what else i have to do to arrange that the certificates will renew automatically?

— 2. More domains —
I have a server with one ipaddress. On a couple of domains on the server i want to work with https.

First question: Imagine that i have a website and if a visitor is making an account on that website, they will get their own url, for example: newuser.domain.nl
Now i did:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email ‘CONTACT@MYDOMAIN.NL’ --webroot --webroot-path ‘/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/’ -d MYDOMAIN.NL -d www.MYDOMAIN.NL --debug

But actually with subdomains Letsencrypt is saying that i have to put: “-d newuser.MYDOMAIN.NL” for every subdomain, right? But the subdomains are dynamically made, so how i have to deal with that? Is there something like *.mydomain.nl (wildcard)?

Second question:

If i want to install https on other domains on the server (same ip). Can i just do:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email ‘CONTACT@MYDOMAIN.NL’ --webroot --webroot-path ‘/home/OTHERUSERNAME/domains/OTHERDOMAIN.NL/public_html/’ -d OTHERDOMAIN.NL -d www.OTHERDOMAIN.NL --debug

I changed MYDOMAIN to OTHERDOMAIN.

Is that right or is it not that simple? And if not, how do i have to deal with that?