Certbot
-
@alex.olynyk Did it find your domain name when you ran certbot-auto? Sounds like apache/httpd might not be configured correctly.
-
It did this time. And now I have the green padlock! Yes! Thank you!
-
@alex.olynyk Now all you need to do it get your sub-domain setup
-
I'm using two guides:
JB's 8.2 OwnCloud Guide
CertbotJB's guide worked perfectly and my server is still functioning as intended after my upgrade to 9.0. I'm kind of unsure of how to get this working--Certbot that is. I followed the Certbot guides and it was kicking back errors a few weeks ago. My question is: Is there anything else I should do to prepare for certbot or is this supposed to work out of box essentially? The Digital Ocean guide requires you to do a lot more but I'm not sure if Certbot is taking care of those aspects or not.
-
@wirestyle22 What webserver will you be using?
-
@aaronstuder said in Certbot:
@wirestyle22 What webserver will you be using?
Vultr Hosted -- Apache on CentOS 7
-
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pem
The other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
-
@travisdh1 said in Certbot:
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pem
The other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
So this should automate everything and its just not editing things 100% properly--meaning I can follow the CertBot guide and just edit what you listed? If I hit the limit what error would it kick back?
-
@wirestyle22 said in Certbot:
@travisdh1 said in Certbot:
@wirestyle22 I've found that certbot updates the configuration files for domains/subdomains, but does not update the ssl.conf file. So you need to make sure the cert files in /etc/httpd/conf.d/ssl.conf point to the correct keys.
SSLCertificateFile /etc/letsencrypt/live/%DOMAINNAME/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/%DOMAINNAME/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/%DOMAINNAME/fullchain.pem
The other thing you can easily do is run out of activations. They give you ~5 per week, so if you have problems and re-issue instead of re-install in the certbot script, you just run out and have to wait a week.
So this should automate everything and its just not editing things 100% properly--meaning I can follow the CertBot guide and just edit what you listed? If I hit the limit what error would it kick back?
I purposely hit the limit a couple weeks back, and I don't remember what it complained about if anything. The ONLY thing it does not do correctly is assign a global certificate for the server. You may be able to comment out those lines in ssl.conf and have everything just work because it does add the configurations in %DOMAINNAME%.conf file(s). I fixed it the other way tho.
-
is there any reason for me to also encrypt my internal URL for ownCloud?
-
@alex.olynyk said in Certbot:
is there any reason for me to also encrypt my internal URL for ownCloud?
why do you have 2 URLS for people to remember?
All my stuff is always on oc.domain.com to make it easy for people to use.
-
@alex.olynyk said in Certbot:
is there any reason for me to also encrypt my internal URL for ownCloud?
Why bother would be what I'd say. If someone's tapping your internal network, you have more problems. Using OwnCloud is a way to get moving to a LANLess "network".
-
because owncloud.roseradiology.com does not work from inside the network
-
@alex.olynyk said in Certbot:
because owncloud.roseradiology.com does not work from inside the network
I know, I have told you how to fix it before.
-
Yes, I know. I have gone through my earlier threads and notes and am checking everything again.
-
@alex.olynyk said in Certbot:
because owncloud.roseradiology.com does not work from inside the network
I am confused. If it works outside the network, why doesn't it work from inside the network? Does your internal DNS server forward requests to public DNS servers? I have to assume the pubic DNS servers are correct, since it works. Did you setup a record for owncloud.roseradiology.com internally? I would just let it forward the request to the public DNS servers, and resolve it there.
-
Is this correct apart from the failed authorization?
-
I setup a CNAME internally because i gave owncloud a different name internally. owncloud.rose.internal
-
@alex.olynyk said in Certbot:
I setup a CNAME internally because i gave owncloud a different name internally. owncloud.rose.internal
Won't that cause issues? ownCloud requires DNS to be consistent between internal and external, doesn't it?
-
@alex.olynyk Why? Why can't everyone just use the .com? Am I missing something?