John
Resolved
0 votes
Hi all,

I successfully created a certificate with Let's Encrypt.
This is for a new domain, so I first had to change the AAAA records by adding the IPv6 value to it.
I generated this with an IPv4 to IPv6 conversion tool.
After this, no errors were reported by Let's Encrypt.

When I view the details of this certificate I see that it is deployed, but not in use (see picture).

I was unable to find how to start using it with the Certificate Manager.
I searched clearos.com for the howto's, but I was unable to find them.
All I found was this link, but that's way too complicated for me.

When I view the Default Certificate in the Certificate Manager, I see that it's deployed (see picture).
I can only add External Certificates, but AFAIK that is something different.
The reason I would like a self signed certificate is, because I want to remove the warning message from my COS box (website & webconfig), including for the mediabrowser for Serviio.

Please assist,

John
Saturday, August 29 2020, 01:20 PM
Responses (22)
  • Accepted Answer

    Saturday, August 29 2020, 02:46 PM - #Permalink
    Resolved
    1 votes
    To deploy a certificate in the webconfig go System > Settings > General Settings and do the change there. For the web server go Server > Web > Web Server and deploy it there. If you don't have a default web site, create one.

    Serviio may have its own certificate settings. In that case have a look at this HowTo to get an idea of how you may be able to do it. If you are in luck it will use the certificate from the default website, but I know Plex does not.
  • Accepted Answer

    John
    Saturday, August 29 2020, 08:29 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick,

    I was able to partially use my new certificate for the webconfig.
    With Tor I have a green lock, but with FireFox I get a grey lock (both report a secure connection).
    This happens when I use https://<domain.com>:81 (see pictures)
    When I type https://www.<domain.com>:81 I still get a warning from my browser.
    I don't know why this happens, because I have an A & AAAA record for <domain.com>, www.<domain.com> and for *.<domain.com>

    For unknown reasons I was unable to access the default website at http:// & https://.
    I closed port 80, because it does not seem to work at all.
    Yesterday I was able to access the default web page.

    The Media Browser from Serviio works (not the certificate), but I do not know where to start adding the certificate to it.
    The only place in the webconfig that I could find it is for the Web Flexshare that I use for the Serviio Media Browser, but that does not work.
    I tried reading your HowTo, but that was way too complicated for it to make any sense to me.

    Please advise,

    John
  • Accepted Answer

    Saturday, August 29 2020, 09:02 PM - #Permalink
    Resolved
    0 votes
    Firefox has not done a green padlock for years. Grey should be fine as long as it doesn't have a red line through it. If you click on it, it should say "connection secure". You will get a warning if the certificate does not cover the domain or subdomain you are using. If you've created a certificate for domain.com and not www.domain.com, you'll get an error for www. When you create a certificate you can have it cover multiple domains and subdomains. The app documentation also covers how to add/remove domains and subdomains to/from your certificate. Otherwise you'll need to delete it and recreate it.

    Have you configured your default website in Server > Web > Web Server and set it to use your Let's Encrypt certificate?

    Whether the firewall is closed or open you should still be able to access the web browser from your LAN.

    Serviio probably carries its own certificate configuration, but I don't know the app.
  • Accepted Answer

    John
    Saturday, August 29 2020, 10:54 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick,

    I will have to delete and recreate the certificate, because I don't know how to edit it.

    Yesterday I was still able to access the default web page from my LAN ... I don't know what changed that could have affected that.

    I am also new to Serviio, so I will ask around on their forum if they can enlighten me about certificates, but I doubt that they know anything about it.

    Greetings,

    John
  • Accepted Answer

    Sunday, August 30 2020, 07:42 AM - #Permalink
    Resolved
    0 votes
    No need to edit the certificate. Instructions are in the documentation for how to add/remove domains/subdomains. It is command line work, but fairly basic.

    There is a difference between the default web page and default web site. You get the default web page as soon as you install the web server core (Serviio may do that). The default website is part of the Web Server set up and this allows you to allocate a certificate to it. If you get nothing, have you checked if the web server is running?

    Don't underestimate Fredrik. He wrote the Serviio app and integrated the underlying app.
  • Accepted Answer

    Sunday, August 30 2020, 08:13 AM - #Permalink
    Resolved
    0 votes
    Hmm. I think you're going to have problems with the Serviio certificates. It looks like they are kept in a java keystore. You will need to find some tools for manipulating a java keystore. These must be command line tools as you will need to do it every 2 months when the Let's Encrypt certificate renews. I believe there is a keytool command. The Serviio keystore is in /usr/share/serviio/config/serviio.jks and the password for the keystore is in /usr/share/serviio/lib/serviio.jar according to this thread.

    I'd need to dig out my notes on how I did it with Openfire as they may help, but to automate it on certificate renewal, you'll need to understand the method I outlined in the Let's Encrypt Howto.
  • Accepted Answer

    Sunday, August 30 2020, 09:39 AM - #Permalink
    Resolved
    0 votes
    Be aware - if you close port 80, the LetsEncrypt renew mechanism will fail.

    And regarding serviio .. you might want to read this ...

    https://forum.serviio.org/viewtopic.php?t=24520
  • Accepted Answer

    Sunday, August 30 2020, 10:58 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:

    Be aware - if you close port 80, the LetsEncrypt renew mechanism will fail.

    Not so sure. I believe the app manipulates the firewall as necessary.
  • Accepted Answer

    Sunday, August 30 2020, 11:07 AM - #Permalink
    Resolved
    0 votes
    Richard George wrote:
    And regarding serviio .. you might want to read this ...

    https://forum.serviio.org/viewtopic.php?t=24520
    Nice find for a starter, but should be simplified a bit. You should be able to restart serviio with something like "systemctl restart serviio" rather than all their lines of code. Also I think you need to create the pkcs12 file using the fullchain.pem and not the cert.pem file.

    The resulting script should be put in the same location as specified in the HowTo I linked to earlier. Optionally you can fire the script if only a particular certificate is renewed if you use multiple certificates.
  • Accepted Answer

    John
    Sunday, August 30 2020, 06:29 PM - #Permalink
    Resolved
    0 votes
    Thanks for all your responses guys ... I really appreciate it,

    It seemed that the Web Server was stopped, so after manually starting it, my default website was working again.
    This time with a secure connection as you can see in the picture.

    I still need to recreate the certificate to make sure that when someone types www, it still works.
    Can someone please advise on what other things I need to prepare for when doing this, so I don't have to redo this several times ... ?!?

    I would additionally like to ask how to setup my Web Server so that it always goes to https ... even when not typed by the user.
    Closing port 80 is not enough ... or is that a bad idea ... ?!?

    For the rest I could not really understand the stuff you were talking about ... not sure if it's a good idea to start fooling around with the command line if I don't understand what I am doing.
    Please don't be offended, but especially when you guys contradict each other.

    Please assist,

    John
  • Accepted Answer

    Sunday, August 30 2020, 07:04 PM - #Permalink
    Resolved
    0 votes
    I don't understand what is up with you. You have made plenty of posts on how to do PXE booting for lots of different distros and years ago you were trying to help people left, right and center. Suddenly you've lost all abilities and can no longer do any command line work. What is up?

    For Let's Encrypt it is quite easy to add extra domains and subdomains at the command line. If you choose to recreate your certificate, you have to remove it from use from the webconfig and web server first before you can delete it. When you recreate it, you just need to remember the additional domains and subdomains you want the certificate to cover and specify them in the Other Domains box. All domains and subdomains you specify need to resolve back to your WAN IP.

    To force a redirect to https you'll need to use a .htaccess file in each website's web root. In theory you could do it in the /etc/httpd/conf.d/flex-80.conf but this will get overwritten every time you update the web server or flexshares so it is not a good idea. It would be a great thing to be added to the webconfig and probably quite simple for someone who knew what they were doing.
  • Accepted Answer

    Sunday, September 06 2020, 10:47 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Not so sure. I believe the app manipulates the firewall as necessary.


    True, but it does also depend on where and how Port 80 is shut .. if it's just on the server, fine - but if it's closed (eg) on a separate router, there's a problem .. and that's what keeps being forgotten - especially if the server is setup as standalone, with port forwarding carried out in a router!

    There's a BIG difference between a COS system setup as a gateway and directly connected to the 'net, and a standalone with a separate router and port forwarding! The question just never seems to get asked when someone complains that they can't get something to work from outside the local network. The first questions in these cases really have to be 'is the server configured as standalone or as a gateway? How does it connect to the internet/WAN?'.

    John wrote:
    I still need to recreate the certificate to make sure that when someone types www, it still works.
    Can someone please advise on what other things I need to prepare for when doing this, so I don't have to redo this several times ... ?!?

    Read the documentation on certbot .. it actually spells out exactly how to do it - how to add and how to remove a domain from existing certificates.
  • Accepted Answer

    Saturday, November 14 2020, 05:47 PM - #Permalink
    Resolved
    0 votes
    "To deploy a certificate in the webconfig go System > Settings > General Settings and do the change there. For the web server go Server > Web > Web Server and deploy it there. If you don't have a default web site, create one."

    This was easy but not at all obvious. It worked too!
    Yes make sure your domain you gave letsencrypt points at your server and ports 80 and 443 lead to your server as that's how letsencrypt pings you.
  • Accepted Answer

    John
    Monday, November 15 2021, 08:30 PM - #Permalink
    Resolved
    0 votes
    Can someone please explain to me what I need to fill in with "Other Domains" ... ?!?
    I searched but I can't find any useful information.

    Thanks in advance
  • Accepted Answer

    Monday, November 15 2021, 08:41 PM - #Permalink
    Resolved
    0 votes
    It depends what you want the certificate to cover! If your primary domain is domain.com, you may want to have www.example.com. You may also want your poweredbyclear.com subdomain. You can have anything you like here as long as it resolves back to your WAN IP, but you can't use a wildcard. At the same time you don't need anything in there if you don't want anything.
  • Accepted Answer

    Tuesday, November 16 2021, 03:36 PM - #Permalink
    Resolved
    0 votes
    John wrote:
    I searched but I can't find any useful information.
    I've just checked the app documentation. Please can you let me know what you found unclear and I'll see if I can improve it?
  • Accepted Answer

    John
    Tuesday, November 16 2021, 05:24 PM - #Permalink
    Resolved
    0 votes
    Ok thanks, the documentation made it a lot more clear.

    I did it once before, but I am unable to bypass the security warning for the web configuration.
    As you can see in the picture, the certificate is deployed, but I forgot how I fixed it before.
    I didn't know what services needed to be restarted, so I decided to reboot my Gateway COS box.
    I tested it in another browser, but the connection remains "Not secure".

    Please advise,

    John
  • Accepted Answer

    Tuesday, November 16 2021, 05:42 PM - #Permalink
    Resolved
    0 votes
    John wrote:
    Ok thanks, the documentation made it a lot more clear.
    So where had you searched? Isn't the app documentation the first place to go?

    The next bit is missing from the docs. I'll add it tomorrow. Go System > Settings > General Settings and assign it there. Then on your LAN make sure domain.com resolves to your ClearOS LAN IP, then use https://domain.com:81 to access the webconfig and not its IP address.
  • Accepted Answer

    John
    Wednesday, November 17 2021, 05:15 AM - #Permalink
    Resolved
    0 votes
    I usually click on "Details" & "Documentation", but that didn't give me any usable results.
    https://domain.com:81 didn't work even when port 81 is opened.
    The only thing that works is https://domain.com with a secure connection.
    https://domain.com:23524/mediabrowser is still not secure.
  • Accepted Answer

    Wednesday, November 17 2021, 08:59 AM - #Permalink
    Resolved
    0 votes
    John wrote:
    I usually click on "Details" & "Documentation", but that didn't give me any usable results.
    Click on the sloping book icon on the top right of each webconfig page ....

    I've checked the documentation and it does cover using the certificate in the Webconfig. Please check your steps.

    All ClearOS covers is using the certificate in the Web Server and Webconfig. To use it in other apps see the link near the bottom of the documentation "Using Let's Encrypt Certificates for Mail and other apps".
  • Accepted Answer

    John
    Wednesday, November 17 2021, 03:47 PM - #Permalink
    Resolved
    0 votes
    Thanks for the documentation tip.
    I triple checked my steps and I can't seem to figure out what is going wrong.
    The link "Using Let's Encrypt Certificates for Mail and other apps" does not include the steps required for Serviio.
    So before I start making changes to permissions and ownership, I would like some additional feedback.
    I wonder if anyone (who is not a developer) ever got it working.

    Please advise,

    John
  • Accepted Answer

    Wednesday, November 17 2021, 05:55 PM - #Permalink
    Resolved
    0 votes
    John wrote:
    The link "Using Let's Encrypt Certificates for Mail and other apps" does not include the steps required for Serviio.
    No, but if you work them out we can add them to the HowTo. I am not a serviio user. Understand what the guide is doing then look for a serviio configuration file and any certificate parameters in it. If serviio just uses the web server, then you just need to change the webserver certificates, but I suspect it is not going to be that easy. I've googled around and it looks like serviio uses a java keystore. Have a look at
    https://forum.serviio.org/viewtopic.php?t=24520
    but don't worry about setting up certbot. That has all been done for you. Also for the renewal mechanism do not use their cron solution as that also happens for you, but use something based on our HowTo for the file location and on their method for getting the certificate into the right format and place once the certificate has been renewed.
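A renewal deploy hook along the lines discussed in this reply and the earlier ones (PKCS12 built from fullchain.pem rather than cert.pem, keytool import into /usr/share/serviio/config/serviio.jks, "systemctl restart serviio", and only firing when a particular certificate renews). This is an added example, not ClearOS, Serviio or forum code: the keystore alias "serviio", the SERVIIO_KEYSTORE_PASS and WANTED_DOMAIN variables are assumptions, the keystore password is a placeholder (the thread says it lives in serviio.jar), and the script belongs wherever the ClearOS HowTo says renewal hooks go; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot itself exports to deploy hooks.

```sh
#!/bin/sh
# Deploy hook for Serviio after a Let's Encrypt renewal (added example, not
# ClearOS/Serviio code). certbot runs deploy hooks with RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated).
set -eu

SERVIIO_KEYSTORE="/usr/share/serviio/config/serviio.jks"   # path from the thread
# The real password is embedded in /usr/share/serviio/lib/serviio.jar (per the
# thread) and is NOT reproduced here; supply it via the environment instead.
KEYSTORE_PASS="${SERVIIO_KEYSTORE_PASS:-REPLACE_WITH_SERVIIO_PASSWORD}"
WANTED_DOMAIN="${WANTED_DOMAIN:-domain.com}"   # hypothetical: only act for this certificate
ALIAS="serviio"                                # assumed keystore alias

# Return 0 only if the renewed certificate lists the domain we care about, so the
# hook does nothing when some other certificate on the box renews.
cert_is_wanted() {
    renewed_domains="$1"; wanted="$2"
    for d in $renewed_domains; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# Bundle the private key with fullchain.pem (not cert.pem, so the intermediate CA
# is included; otherwise clients see an incomplete chain) into a PKCS12 file.
build_pkcs12() {
    lineage="$1"; out="$2"
    openssl pkcs12 -export -name "$ALIAS" \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -out "$out" -passout "pass:$KEYSTORE_PASS"
}

# Import the PKCS12 into Serviio's JKS (-noprompt overwrites the existing alias)
# and restart the service so it picks up the new certificate.
deploy_serviio_cert() {
    lineage="$1"
    p12="$(mktemp)"                  # mktemp creates the file mode 0600
    build_pkcs12 "$lineage" "$p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$SERVIIO_KEYSTORE" -deststorepass "$KEYSTORE_PASS"
    rm -f "$p12"
    systemctl restart serviio        # instead of the longer restart sequence in the Serviio thread
}

# Only act when invoked by certbot for the certificate that covers WANTED_DOMAIN.
if [ -n "${RENEWED_LINEAGE:-}" ] && cert_is_wanted "${RENEWED_DOMAINS:-}" "$WANTED_DOMAIN"; then
    deploy_serviio_cert "$RENEWED_LINEAGE"
fi
```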