Manual Install on Gentoo without certbot

I have a functional system that was not used for almost seven years due to a non-compete clause, and now, there are no updates available and the sha-1 certificate is, well, it’s sha-1. I was able to generate and obtain a certificate on one of those pricey sites… ($400 to $800 cost), and with a free 30-day trial, I put it on dev (of a different domain).

Then I obtained a free one on AWS, and I cannot “export” it, and must apply it to certain extra cost components (like, a load-balancer).

Now, I am here, and the gentoo emerge facility won’t find anything (and I’ve exercised it extensively, as well as look for manual updates to make… there are 50 required). None available. I cannot install the “certbot” installer on my system, at least, not with emerge.

I am going to browse here this evening, and try to resolve things on my system. If anybody has any ideas as to where I should be looking, I’d appreciate some direction :slight_smile:

Thanks all.
My name is David.

Why not? certbot is present in Portage currently.

emerge -av app-crypt/certbot-apache

  • Last emerge --sync was 7y 61d 14h 23m 21s ago.

These are the packages that would be merged, in order:

Calculating dependencies… done!

emerge: there are no ebuilds to satisfy “app-crypt/certbot-apache”.

Hi David,

I think it is rather risky to use a system that is so old unless Gentoo provides you with an upgrade path that will update other system libraries and servers. The reason is that a very large number of critical-severity bugs will have been discovered and publicized during that time window, which could allow many people to take over your server. If the server has remained connected to the Internet for that time with no software updates, it’s quite plausible that someone has already done so. I would recommend on general security grounds decomissioning this machine and/or reinstalling the operating system. Software updates are really important for maintaining system security, not just nice-to-have.

We do have a Certbot installation method that is a self-bootstrapping shell script

which might work on systems that don’t have a current OS-provided package. However, here also there might turn out to be some unmet library dependencies of some kind when installing on a system that hasn’t received software updates for seven years.

If you don’t want to install software on your system, you can use

in your browser. The big disadvantage is that you can’t automate this process so you would have to repeat it manually at least every 90 days.

The auto version has been DEPRECATED.

I just want a certificate that will function for https on Apache. There are lots of “free” choices, and they all seem to have their caveats. The method that GeoTrust spells out took me less than an hour to manually install, The free one from AWS is not exportable in such a way to allow a manual install. Sounds like yours is not either. You also do not yet support wild card certs, so I would need two. Two, if they were install-able… they do not seem to be :frowning:

You will probably like ZeroSSL, which I mentioned above, except for the trouble of our shorter expiration period.

You can cover multiple names in a single certificate, so you don’t necessarily need two different certificates for two domain names. We allow including up to 100 different names in a single certificate.

Yeah, that’s the problem. You’ve never synced your Portage tree. In that time, Let’s Encrypt didn’t even exist. So no wonder you can’t find the package: your systems Portage tree doesn’t contain any certbot package.

You really should synchronise your Portage tree and update your whole system. It’s very irresponsible to have such an outdated system running connected to the internet like @schoen said. You might even be able to compare it to Windows XP: unsafe to connect to the internet.

Of course it’s my problem. I mean, duh. i did not spell it out because it really isn’t relevant to helping with my request, but the systems, a whole rack of them, where stored in boxes in a shed. The company was sold without, and there was a non-compete clause for five years. With a little effort, it has been revived, and it’s making money, but, it sits out there on the internet, very exposed. How or why anyone stayed is beyond me, but it has a following, so, we will fix it. Today, it is three machines: an app server, a mail relay, and a windows box that does nothing (but, run, and cost money). There are several other pieces to be added back into the previously successful business… right now, the task at hand is getting a certificate on the application. When it boils right down to it, the $800 certificate doesn’t sound like a bad deal. I’m sure there are others available that don’t require these hurdles. Renewing a certificate every three months is equally absurd. I will self-sign it if I have to… the owner of the system has a following, hell, they even listened and used the browser she specified because it didn’t show the error :slight_smile: Obviously, it has to be fixed and 30 people have responded for the Python Django framework programmer job. So yeah, it has got to be fixed, but I didn’t come to a certificate forum to be told that…I came for a solution to my immediate problem. I would love for emerge to pull updates for the past seven years… it will not as far as I’m concerned. None of this negates the fact that I need a certificate. Thanks anyway.

Hi @debrucer,

With automation from cron, renewal every three months hasn’t been a problem for most users. But it would potentially call for a more up-to-date software environment in order to install a Let’s Encrypt client application.

That’s a lot, even for a wildcard certificate. You’re not going to be able to get anything signed with SHA-1 that’ll be trusted, those certificates are not obtainable anymore from any reputable CA and browsers will consider any (non-root) certificate using SHA-1.

If you just want to pay to get certificates, providers like currently sell wildcard certificates with 1 year expiration for just under $100 and single domain certificates for less than $10. Given the age of your system, it might work better than trying to get a client working on such an old system right now. You can always move to Let’s Encrypt once you have your systems update issues squared away.

You can pay for a certificate from a commercial vendor as long as you can validate using one of their methods. That’s always an option. Let’s Encrypt does 90 day issuance because it’s more secure. If the key or certificate leaks, it’s only going to be good for a very short time. With automation in renewals, it works out as a system very well.

Sure, that’s another option. Kinda scary that people are willing to compromise their security that way.

Try using a third party client that isn’t as heavy. Some of them may work on a system that old. Otherwise, you can do the whole process manually every 2-3 months. The other option, of course, is to pay for a commercial certificate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.