The last few days I wanted to get started with letsencrypt.org, but there are not really good tutorials for “server noobs”. I know how to make websites, but I am not really into the “server things”. However, I think the main goal of letsencrypt.org is that everyone will use https. The first step is to make good, step-by-step tutorials for everyone, also for people who don’t know that much about servers.
I tried to do: yum install git but it resulted in some errors. After searching on Google I did: yum --disableexcludes=main install git and after that I could install git.
./letsencrypt-auto: line 103: [: too many arguments
./letsencrypt-auto: line 105: [: too many arguments
Updating letsencrypt and virtual environment dependencies…/letsencrypt-auto: line 185: /root/.local/share/letsencrypt/bin/pip: No such file or directory
I tried to solve the problem by searching on Google, but I did not really find a working solution.
I understand where you are coming from, and agree. This product is not at the point of general public release for everyone though, it's still in "beta", which unfortunately means it isn't really aimed at "noobs" just yet.
You are running on a relatively old server (CentOS 5.5 and Python 2.4.3). LE won't run on this; you really need to update your system first.
@serverco:
I have almost 100 domains, so until now I did not work with https, because of the costs. I understand that it’s in beta, but I am not too lazy to learn some things or spend some time on it, so I will give it a try anyway.
I have a host who is doing the updates and arranging the things on the server etcetera, but I have root access to make some adjustments. I am not sure yet if it’s wise to update and change “CentOS 5.5”, but I will ask my host. Is it also possible to make it work by only updating Python?
@Licaon_Kter: I am already stuck at the term “ACME”:
“Here’s an incomplete list of clients and libraries I’m aware of that implement ACME.”
@Licaon_Kter: Ah, by reading everything again I already found what ACME is:
“For Let’s Encrypt to issue you a certificate, you must prove to them that you control the domain. If we own the domain, we can do this with a series of challenge-response transactions, which is part of the ACME protocol. Let’s Encrypt explains this process well.”
P.S. Why do you need an ACME protocol for that? With some services of Google you also have to prove that the domain belongs to you, but that’s much easier (meta tags, file upload, etc.). Or is this a more secure way of proving the domain is yours?
The only thing is that i don’t know what to do now…
See how it works for detail, but it's essentially the same as you mention for Google. A small file is uploaded to a specific location that is then checked, to demonstrate that you have control over the domain.
You could do this with one of the other methods (as @Licaon_Kter suggested). Some of those may be better for you.
In answer to your question:
"Is it also possible to make it work by only updating Python?"
I think that should work, but I can't be certain. You can have more than one version of Python on the server, so it's worth a try.
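The file-based proof described above is the http-01 challenge of the ACME protocol: the CA hands the client a token, and the file at http://&lt;domain&gt;/.well-known/acme-challenge/&lt;token&gt; must contain that token, a dot, and the SHA-256 thumbprint of the account's public key (RFC 8555 and RFC 7638). The following is an added example, not code from this thread or from the Let's Encrypt client, that computes the expected file content and lets you check your own server the way the CA will before asking for validation; the JWK and token are constructed sample values.

```python
import base64
import hashlib
import json
import urllib.request

# Constructed sample values, not a real account key or challenge token.
# The JWK is the public half of the ACME account key; the token is what the
# CA hands out for the http-01 challenge.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "sample-token-0123456789abcdefghijklmnopqrstuv"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 form: only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                      separators=(",", ":"))


def thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact content the file at the challenge URL must contain."""
    return f"{token}.{thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA will look: the well-known path of RFC 8555's http-01."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def response_is_valid(body: bytes, token: str, jwk: dict) -> bool:
    """Compare like the CA does: trailing whitespace is tolerated, nothing else."""
    return body.decode("utf-8", errors="replace").rstrip() == key_authorization(token, jwk)


def check_domain(domain: str, token: str, jwk: dict, timeout: float = 10.0) -> bool:
    """Self-check over plain HTTP before asking the CA to validate."""
    with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as resp:
        return resp.status == 200 and response_is_valid(resp.read(), token, jwk)
```

check_domain() is the only function that touches the network; everything else runs offline, so you can test the file content you intend to upload before touching the server.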
Thanks! First I will try to make it work with the official client, because otherwise there is probably even less documentation etc. to make everything work.
I was just checking the client “PHP (via Webroot)”, because I am familiar with PHP, but they are saying “Warning: This software is under heavy development. Use at your own risk.”. I don’t know what I am exactly doing with letsencrypt, so maybe it’s better to first try it the official way.
I will try to contact my host to ask if it’s safe to update or put a newer version of Python on the server.
You don’t even need to run anything on the target webserver for the certs.
Have another (newer, ahem :)) machine (or VM) and use the manual setup with the main client, or another client like https://gethttpsforfree.com (you just need a way to run openssl, hence the new machine, and to set up 2 folders and one file on the target webserver).
I just had contact with my host. I have one IP address for the whole server, so I have to run a certificate for multiple domains, but that’s only possible from CentOS 6. So I think I have to update the server first anyway.
Then I see a lot of dots and plus signs, but at the end (after more than an hour) it results in errors:
[root@srv /]# [root@srv /]# openssl dhparam -out dhparam.pem 4096
-bash: [root@srv: command not found
[root@srv /]# Generating DH parameters, 4096 bit long safe prime, generator 2
-bash: Generating: command not found
[root@srv /]# This is going to take a long time
-bash: This: command not found
All the steps before went well until this one. Is this also because of the old server, or why is that command not working? Actually the command is working, because it’s showing the …+… etc., but something is going wrong during it.
I don’t know what kind of SSH client/connection you have, but it looks like it’s FUBAR. Looks like it’s executing the output of the commands… Not good, not good at all…
Also, although generating custom Diffie–Hellman parameters is always good, it’s not necessary for a LE certificate. In what step of gethttpsforfree.com is it mentioned? I haven’t tried it myself. Perhaps you could skip that step.
How is it needed? Some configuration option you can leave out? Let me guess, SSLOpenSSLConfCmd DHParameters /path/to/dhparam.pem for Apache or ssl_dhparam /path/to/dhparam.pem for nginx?
I’m not saying you shouldn’t implement it, you very much should… But if you’re having trouble with your SSH connection, but you want to launch your Let’s Encrypt certificates anyway, you can do it without the DH parameters.
I myself haven’t got any non-ECC DH suites enabled, so I don’t bother. Better performance, and almost every client has ECDHE support. So why the trouble of leaving those performance-eating DHE suites enabled?
So you are vulnerable to that attack? But that last part I don’t understand… I am kind of a newbie with “server things”, as mentioned before, so non-ECC / ECDHE / DHE is like Chinese to me ;).
No, I’m not. The attack is on Diffie-Hellman key exchanges. My server doesn’t offer that. It only offers the elliptic curve variant, which isn’t vulnerable. Some older operating systems like XP don’t understand that, but with my user base of, like, 10 visitors per what, month? Half a year? I don’t care.
In any case, you’ll probably want to do those steps, but I’m hoping you’re not running a beta piece of software on a production server with production critical stuff on it… So… Whether you’ll add those DH parameters now or in 5 minutes or tomorrow… I don’t think the NSA will hack your precious TLS connections that soon.
BTW, analyze your server at SSL Labs, perhaps it has even more vulnerabilities you can fix. It gives you great insight into your TLS configuration, but you shouldn’t aim for a 100 % score on every bar (of those 4 in the Summary). I myself have 100/95/100/90 because of TLS 1.0 support (the 95) and 128 bit AES next to the 256 bit variants (the 90). And 128 bit AES GCM is fine. So in my opinion 100/100/100/100 is overrated. Even without it, my server gets an “A+”.
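Whether a server still offers finite-field DHE (the exchange the attack discussed above targets, and the only reason dhparam.pem matters at all) is decided by its cipher string, which Apache's SSLCipherSuite and nginx's ssl_ciphers both take in OpenSSL syntax. The following added example, not from this thread or any of the tools it mentions, expands a cipher string with the local OpenSSL and reports whether any DHE suites survive; the two cipher strings are constructed for illustration, one that still enables DHE and one that is ECDHE-only as in the reply above.

```python
import ssl

# Cipher strings in OpenSSL syntax, the same syntax Apache's SSLCipherSuite and
# nginx's ssl_ciphers accept. Both are constructed for this example. The first
# still offers finite-field DHE suites (the ones that need dhparam.pem and that
# the DH attack discussed above targets); the second offers only ECDHE.
STILL_OFFERS_DHE = "ECDHE+AESGCM:DHE+AESGCM:DHE+AES"
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def key_exchange(name: str) -> str:
    """Classify an OpenSSL cipher suite name by its key exchange method."""
    if name.startswith("TLS_"):      # TLS 1.3 suite: key exchange is negotiated separately
        return "tls13"
    if name.startswith("ECDHE-"):    # elliptic-curve ephemeral DH
        return "ecdhe"
    if name.startswith("DHE-"):      # finite-field ephemeral DH, uses the server's dhparam
        return "dhe"
    return "other"                   # static RSA and friends: no forward secrecy


def audit(cipher_string: str) -> dict:
    """Expand a cipher string with the local OpenSSL and count suites per key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    counts = {"ecdhe": 0, "dhe": 0, "tls13": 0, "other": 0}
    for suite in ctx.get_ciphers():
        counts[key_exchange(suite["name"])] += 1
    return counts


def needs_dhparam(cipher_string: str) -> bool:
    """True when the string still enables DHE suites, so dhparam.pem matters."""
    return audit(cipher_string)["dhe"] > 0


if __name__ == "__main__":
    for label, s in (("still offers DHE", STILL_OFFERS_DHE), ("ECDHE only", ECDHE_ONLY)):
        print(label, audit(s), "needs dhparam:", needs_dhparam(s))
```

Run it against the cipher string from your own Apache or nginx configuration; if the "dhe" count is zero, the dhparam step can be skipped, otherwise the custom parameters are what protects those suites.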