[BlueOnyx:18754] Re: SSL Certificates (via Let's Encrypt) - > available for 5209R

[Neil Watson]

Hi Michael,

Thanks very much for the instructions! (Sorry for the 3x messages - the 
list manager sent me messages implying that it had rejected the posts!)

The instructions worked brilliantly for my first site and seemed to work 
fine for site 2...

I've processed my 2 sites separately (so www.site1.com + site1.com in 
the first request and www.site2.com and site2.com in the second)

Site1 is responding fine to https (I particularly want to be able to use 
Roundcube over and encrypted service :) ), but site2 is reporting that 
its certificate is from site1...

(Chrome and Firefox report: "This server could not prove that it is 
www.site2.com; its security certificate is from www.site1.com. This may 
be caused by a misconfiguration or an attacker intercepting your 
connection.")

I've checked certificate in /home/sites/<site2>/certs and it decodes 
correctly to site2.com and www.site2.com so it looks like the import 
worked correctly...

(on what started as 5107R-SL-6.3, of course....)

Any ideas?

Thanks
Neil.

> Hi Neil,
> 
>> However, I can't (at the moment!) figure out how to make something 
>> that
>> Apache likes (in the /home/sites/..../certs directory) - so any clues 
>> as
>> to get openssl/whatever to do it welcome (pretty please!)
> 
> Here is the entire "on foot" procedure how to generate Apache SSL certs
> with the Let's Encrypt client from the CLI:
> 
> My starting point: BlueOnyx with Vsite www.domain.com. According to CCE
> this is "site2" and the DocumentRoot is /home/.sites/143/site2/web
> 
> You will need to know the "siteX"-number and the DocumentRoot for this.
> You can see both if you got to the /web directory of the Vsite and do 
> an
> "ls -als" and a "pwd". The site-number is the GID of the Vsite and the
> path you need is the full path to the public /web directory.
> 
> 1.) Make request:
> 
> ./letsencrypt-auto certonly -a webroot --webroot-path
> /home/.sites/143/site2/web -d www.domain.com -d domain.com --email
> user at domain.com --agree-tos --renew-by-default
> 
> 2.) Check result:
> 
> Take note where the client stores the certs. In the above case it'll
> probably be something like this:
> 
> /etc/letsencrypt/live/www.domain.com/
> 
> It actually has only the symlinks to the certs in it, but that's good
> enough for this procedure.
> 
> 3.) Import Intermediate:
> 
> /usr/sausalito/sbin/ssl_import.pl -group site2 -type caCert
> /etc/letsencrypt/live/www.domain.com/chain.pem -ca-ident "LetsEncrypt"
> 
> Note the "group2" in there. You will need to change that to the group #
> your Vsite has.
> 
> 4.) Convert private key from PKCS#8 key to PKCS#1:
> 
> cd /etc/letsencrypt/live/www.domain.com/
> openssl rsa -in privkey.pem -out key_pcs1.pem
> 
> 5.) Create combined key + cert for import:
> 
> cd /etc/letsencrypt/live/www.domain.com/
> cat key_pcs1.pem cert.pem > site2.cert
> 
> 6.) Import it:
> 
> cd /etc/letsencrypt/live/www.domain.com/
> /usr/sausalito/sbin/ssl_import.pl -group site2 -type server site2.cert
> 
> 7.) Go to the GUI of that VSite and check the "SSL" menu entry for it.
> It should show the "Let's Encrypt" cert there as active and should have
> the "LetsEncrypt" Intermediate under "Cert Authorities".
> 
> So what you were missing was the step #4 where I converted the key to
> PKCS#1 format.
>