How to: Install Let’s Encrypt certificates

Hello.
I thought I had read in the 2.4 release announcement that Let's Encrypt was included in the system. Yet on a fresh install, I am on a self-signed certificate.

Hi,

if you are referring to "Set up of Let's Encrypt certificates on all our services.", that refers to the certificates used by the Yunohost project (such as this forum), not to Yunohost itself. It is mentioned in the future developments, though.

For my part, I installed the certificates with the manual method and it works perfectly.
But otherwise the app on 2.4 did not work for me either.

Thank you for the guide. I am having some trouble getting things to work though. I’m at this step:

I am getting the “client lacks sufficient authorization” error. You say to check permissions of /tmp/letsencrypt-auto. What exactly do you mean by that? What should the permissions of that directory be? Mine is owned by root with permissions drwxr-xr-x.

Is there anyone else who has had issues on this step and found a solution?

Thanks

My nginx error log contains the following:

stack traceback:
coroutine 0:
        [C]: in function 'assert'
        /usr/share/lua/5.1/json/decode/state.lua:151: in function 'set_value'
        /usr/share/lua/5.1/json/decode.lua:84: in function 'decode'
        /usr/share/ssowat/config.lua:21: in function 'get_config'
        /usr/share/ssowat/access.lua:20: in function </usr/share/ssowat/access.lua:1>, client: [my IP], server: malmseyserv.lndyn.com, reque$
2016/06/19 23:58:46 [error] 562#0: *4 lua entry thread aborted: runtime error: /usr/share/lua/5.1/json/decode/state.lua:151: Value set when one already in slot

Does anyone know what that means?

Hi

For information, I followed those steps using the new letsencrypt script, certbot.

/etc/ssowat/conf.json.persistent is

{
    "redirected_urls": {},
    "unprotected_urls" : [ 
        "my.domain/.well-known/acme-challenge" 
    ]
}

/etc/nginx/conf.d/my.domain.d/certbot.conf is

location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root        /etc/letsencrypt/webroot;
}

Then roughly:

sudo su
apt-get install certbot -t jessie-backports -y
mkdir /etc/letsencrypt/webroot
service nginx restart
cd /etc/yunohost
cp -r certs certs.backup
# webroot authenticator, with /etc/letsencrypt/webroot as the challenge directory
certbot certonly --webroot -w /etc/letsencrypt/webroot -d my.domain
cd /etc/yunohost/certs/my.domain
rm crt.pem key.pem
ln -sf /etc/letsencrypt/live/my.domain/privkey.pem key.pem
ln -sf /etc/letsencrypt/live/my.domain/fullchain.pem crt.pem
# let the metronome group traverse live/ and archive/ to reach the symlink targets
chown root:metronome /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive

Last is automatic renewal with /etc/systemd/system/letsencrypt.service

[Unit]
Description=Renews letsencrypt certificates with certbot
After=network.target

[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt
ExecStart=/usr/bin/certbot renew

And a timer /etc/systemd/system/letsencrypt.timer

[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
Persistent=true
Unit=letsencrypt.service

[Install]
WantedBy=basic.target

Last but not least, you need to reload nginx after a certificate renewal

mkdir /etc/systemd/system/letsencrypt.service.d

And /etc/systemd/system/letsencrypt.service.d/nginx.conf

[Service]
ExecStartPost=/bin/systemctl reload nginx

A simple test

date
systemctl restart letsencrypt.service
journalctl -xn

Here’s my result

Wednesday 22 June 2016, 23:00:29 (UTC+0200)
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: Processing /etc/letsencrypt/renewal/my.domain.conf
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: The following certs are not due for renewal yet:
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: /etc/letsencrypt/live/my.domain/fullchain.pem (skipped)
Jun 22 23:01:17 yunohost.my.domain certbot[17723]: No renewals were attempted.

Thanks @CaptainSqrt2 for the steps, this article for the systemd stuff and letsencrypt

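The first step in the post above, adding my.domain/.well-known/acme-challenge to "unprotected_urls" in /etc/ssowat/conf.json.persistent, is easy to get wrong by hand: a stray comma or a duplicated key breaks SSOwat's config parsing, and overwriting the file drops any redirected_urls or unprotected_urls that were already there. The following is an added example (my own code, not part of the post or of Yunohost/SSOwat) that edits the file safely: it refuses invalid JSON and duplicate keys, keeps every existing entry, and is idempotent. The sample config and the domain example.org are constructed.

```python
import json

ACME_PATH = "/.well-known/acme-challenge"

# Constructed sample of an existing /etc/ssowat/conf.json.persistent with
# entries that must survive the edit (not taken from any real install).
SAMPLE_CONF = """{
    "redirected_urls": {"old.example.org/": "https://example.org/"},
    "unprotected_urls": ["example.org/api"]
}
"""


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads would otherwise keep the last duplicate
    key silently; a duplicated key in a hand-edited file is worth reporting."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in conf.json.persistent")
        obj[key] = value
    return obj


def load_persistent_conf(text):
    """Parse conf.json.persistent; an empty file counts as an empty object,
    anything that is not a JSON object is an error."""
    if not text.strip():
        return {}
    try:
        conf = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise ValueError(f"conf.json.persistent is not valid JSON: {exc}") from exc
    if not isinstance(conf, dict):
        raise ValueError("conf.json.persistent must contain a JSON object")
    return conf


def acme_entry(domain):
    """The unprotected_urls entry for this domain's ACME challenge path."""
    return domain + ACME_PATH


def is_acme_unprotected(text, domain):
    """True when the challenge path for <domain> is already listed."""
    return acme_entry(domain) in load_persistent_conf(text).get("unprotected_urls", [])


def ensure_acme_unprotected(text, domain):
    """Return the file content with the challenge path unprotected for <domain>,
    keeping every other key and entry; calling it twice changes nothing."""
    conf = load_persistent_conf(text)
    urls = list(conf.get("unprotected_urls", []))
    entry = acme_entry(domain)
    if entry not in urls:
        urls.append(entry)
    conf["unprotected_urls"] = urls
    return json.dumps(conf, indent=4) + "\n"


if __name__ == "__main__":
    import sys
    # usage: python3 ssowat_acme.py my.domain < /etc/ssowat/conf.json.persistent
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONF
    sys.stdout.write(ensure_acme_unprotected(text, domain))
```

Redirect the output to a temporary file, inspect it, move it over /etc/ssowat/conf.json.persistent, then restart nginx as the steps above do. If the script reports invalid JSON or a duplicate key, that is the file to fix before touching certificates.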

I am running Yunohost 2.2 and I installed letsencrypt 3 months ago using the web API.

I received last week a notification telling that my letsencrypt certificates have to be renewed (actually, I created them April 14th, so they are valid until July 13th):

/etc/cron.weekly/certificateRenewer:
Checking myDomain.fr certificate ...
 > Needs to be renewed. Attempting to ...
 > An error occured, an email was sent.

But it didn't work:

Here is the log of what happened
Consider also checking /var/log/letsencrypt/

Upgrading certbot-auto 0.7.0 to 0.8.1…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Requested domain is not a FQDN

Any idea about what occurred? Thanks!

Has anybody succeeded with the SSL certificate renewal?

Hi!
I’ve installed Let’s Encrypt with the app on yunohost 2.3, then I’ve moved to 2.4, and my certificates were ok. But now the renewal has failed:

/etc/cron.weekly/certificateRenewer:
Checking domain.tld certificate ...
 > Needs to be renewed. Attempting to ...
rm: cannot remove '/tmp/cron-cert-renewer.log': No such file or directory
 > An error occured, an email was sent.
mail: invalid option -- 'r'
usage: mail [-dEIinv] [-a header] [-b bcc-addr] [-c cc-addr] [-s subject] to-addr ...
       mail [-dEIiNnv] -f [name]
       mail [-dEIiNnv] [-u user]

Is there a way to repair this, or is it better to remove Let’s encrypt certificates and re-install manually like @rgarrigue did?

Thanks!

I finally renewed my certs by uninstalling then installing Let’s Encrypt via the web admin interface.

I renewed my certs by uninstalling and installing again too. Let’s Encrypt app worked well on yunohost 2.4 for me.
But when I uninstalled the app, I had problems with the original certs that weren’t set up correctly, and so nginx didn’t start. I just put them back manually using the backup in the folder /etc/yunohost/certs/domain.tld/domain.tld.beforeLetsEncrypt

Thanks for the app, it’s so easy to use! Now I’m just waiting for the next renewal, to see if it works.

Has something changed recently with updates? I ask because a bunch of us all seem to have had the same issue come up at the same time recently.

My authentication URLs just give 403s or refused connection errors.

@aoz / @tomdereub - It sounds like you both solved this by uninstalling the certs manually and then installing the Let’s Encrypt Yunohost app. How did you do these steps? Did you just delete the certificate files?

Not manually.
I used the web admin interface to uninstall then re-install Let’s Encrypt app.

For me, I uninstalled the app via the web admin interface too, but then nginx was not working anymore, with certificate problems. So I had to copy the saved certificates present here: /etc/yunohost/certs/domain.tld/domain.tld.beforeLetsEncrypt (ca.pem; crt.pem; key.pem) to the folder /etc/yunohost/certs/domain.tld.
This made everything work again with the old certificates. Then I installed the app, and everything worked automatically. I'm just waiting for the next certificate renewal to see if it's working.

I also received the error “Requested domain is not a FQDN”, my domains all being in the form example.com (no subdomain). I ran “/opt/yunohost/letsencrypt/letsencrypt-auto renew” manually and all certificates were renewed.

In the process of the above manual certificate renewal, I also noticed that removing a domain via the admin interface does not remove the domain from the letsencrypt configuration. That needs to be done manually.
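The "Requested domain is not a FQDN" error reported above hit domains of the form example.com, i.e. apex domains with no subdomain. As an added example (my own code, not the letsencrypt_ynh app's check and not the fix in the commit linked further down), here is what a host-name check looks like that accepts apex domains and subdomains alike while still rejecting the names that genuinely cannot go into a certificate request: single labels, IPv4 literals, wildcards and malformed labels. The domain list is constructed.

```python
import re

# One RFC 1035 label: 1-63 characters, letters, digits and hyphens,
# neither starting nor ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed list of the kinds of names a renewal script might see.
SAMPLE_DOMAINS = [
    "example.com",            # apex domain: valid, must not be refused
    "mail.example.com",       # subdomain
    "example.com.",           # trailing dot, absolute form
    "xn--bcher-kva.example",  # IDN in punycode form
    "localhost",              # single label: not a FQDN
    "192.0.2.10",             # IP address, not a host name
    "*.example.com",          # wildcard: not a single host name
    "a_b.example.com",        # underscore is not allowed in a host label
    "-bad.example.com",       # label starting with a hyphen
]


def is_fqdn(name):
    """True when name is a fully qualified host name usable in a certificate
    request. Accepts apex domains and subdomains alike; rejects single labels,
    IPv4 literals, wildcards and malformed labels."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    if labels[-1].isdigit():  # an all-numeric last label means an IPv4 address
        return False
    return True


def check_domains(domains):
    """Split a list into (accepted, rejected) so a renewal run can report
    which names it will skip instead of aborting on the first one."""
    accepted = [d for d in domains if is_fqdn(d)]
    rejected = [d for d in domains if not is_fqdn(d)]
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_domains(SAMPLE_DOMAINS)
    for d in ok:
        print(f"FQDN ok:     {d}")
    for d in bad:
        print(f"not a FQDN:  {d}")
```

The point of the two-label minimum plus per-label validation is that it distinguishes example.com from localhost without requiring a subdomain; a renewal script that instead demanded three labels would produce exactly the symptom described in this thread.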

Hi guys,

If you encounter this error, please check this fix from @juju : https://github.com/YunoHost-Apps/letsencrypt_ynh/commit/798565d2884bac87407f271864ba9f0181cecc8d to be applied on /etc/cron.weekly/certificateRenewer


I can confirm that it has worked fine for me (yunohost 2.4)

Within the renewal script you are using an option ‘-r’ to specify the From address. This option is not available.

You might want to change it to something like:

-a "From: ${EMAIL_ALERT_FROM}"