Certbot
-
thanks. if i go to https://owncloud.roseradiology.com/owncloud it says the cert isnt trusted and i have to add it to the root authority. Sorry brand new to this.
-
@alex.olynyk What OS/webserver are you using for this?
In CentOS I had to go manually put the correct links to the certs in /etc/httpd/conf.d/ssl.conf.
I changed the following paths/files.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pemThose are all links to the actual files, so when you use the client to update the cert(s), nothing needs to change settings wise for the web server.
Also, don't forget to check out the server settings at ssllabs.com.
-
@travisdh1 This is super helpful! Thanks!
-
I suggest you put a nginx reserve proxy in front of OwnCloud.
You can change that ugly URL from https://owncloud.roseradiology.com/owncloud to https://owncloud.roseradiology.com.
You can find everything you need here (including SSL setup):
http://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy/
Thanks @JaredBusch!
-
@travisdh1 CentOS7 with Apache, and thank you.
-
@alex.olynyk said in Certbot:
@travisdh1 CentOS7 with Apache, and thank you.
I guessed right for once, plus it's the only one I COULD have helped with
-
@travisdh1 said in Certbot:
@alex.olynyk said in Certbot:
@travisdh1 CentOS7 with Apache, and thank you.
I guessed right for once, plus it's the only one I COULD have helped with
It is ownCloud. Almost certainly what it would be.
-
@aaronstuder I'm going to retry getting it running with PHP7 before doing the reverse proxy thing. One of these days I'll stop messing with it and actually use it.
-
I uncommented ServerName in ssl.conf and replaced example .com with my domain name.
I still get a mismatch. Its finding localhost.localdomain somewhere. I also edited etc/hosts with my domain name. What am i doing wrong? -
@alex.olynyk Did it find your domain name when you ran certbot-auto? Sounds like apache/httpd might not be configured correctly.
-
It did this time. And now I have the green padlock! Yes! Thank you!
-
@alex.olynyk Now all you need to do it get your sub-domain setup
-
I'm using two guides:
JB's 8.2 OwnCloud Guide
CertbotJB's guide worked perfectly and my server is still functioning as intended after my upgrade to 9.0. I'm kind of unsure of how to get this working--Certbot that is. I followed the Certbot guides and it was kicking back errors a few weeks ago. My question is: Is there anything else I should do to prepare for certbot or is this supposed to work out of box essentially? The Digital Ocean guide requires you to do a lot more but I'm not sure if Certbot is taking care of those aspects or not.
-
@wirestyle22 What webserver will you be using?
-
@aaronstuder said in Certbot:
@wirestyle22 What webserver will you be using?
Vultr Hosted -- Apache on CentOS 7
-
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pemThe other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
-
@travisdh1 said in Certbot:
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pemThe other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
So this should automate everything and its just not editing things 100% properly--meaning I can follow the CertBot guide and just edit what you listed? If I hit the limit what error would it kick back?
-
@wirestyle22 said in Certbot:
@travisdh1 said in Certbot:
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pemThe other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
So this should automate everything and its just not editing things 100% properly--meaning I can follow the CertBot guide and just edit what you listed? If I hit the limit what error would it kick back?
I purposely hit the limit a couple weeks back, and I don't remember what it complained about if anything. The ONLY thing it does not do correctly is assign a global certificate for the server. You may be able to comment out those lines in ssl.conf and have everything just work because it does add the configurations in %DOMAINNAME%.conf file(s). I fixed it the other way tho.
-
is there any reason for me to also encrypt my internal URL for ownCloud?
-
@alex.olynyk said in Certbot:
is there any reason for me to also encrypt my internal URL for ownCloud?
why do you have 2 URLS for people to remember?
All my stuff is always on oc.domain.com to make it easy for people to use.
