[Triumf-linux-users] [Triumf-linux-managers] FYI - certbot (was letsencrypt) for CentOS 7, 6
Jess H. Brewer
jess at triumf.ca
Thu Dec 1 13:38:34 PST 2016
Hi Andrew, I got certbot-auto via #wget https://dl.eff.org/certbot-auto
and ran it on my spare SL6.x system (testing there before on the running
server). It seemed to do the installation properly, but at the end I
got a blue screen of death and the message
The apache plugin is not working; there may be problems with your
existing configuration.
The error was: NoInstallationError('Cannot find Apache control command
apache2ctl',)
There is no apache2ctl on my system, only /usr/sbin/apachectl -- should
I go into /usr/sbin/ and symlink apachectl to apache2ctl, or is that
'way too simpleminded? I thought my SL6.x was TRIUMF-standard.
Cheers -- Jess
On 11/30/2016 07:10 PM, Andrew Daviel wrote:
>
> FYI
>
> As Konstantin reported to DAQ users in August, the EFF project
> "letsencrypt" is now available as RPM packages from EPEL.
>
> This provides a way for people to get free SSL certificates chained to a
> recognized certificate authority, meaning they won't cause security
> pop-ups in a browser.
>
> The LetsEncrypt project is now called "Certbot". The website is
> https://certbot.eff.org/
>
> The relevant packages for CentOS 7 are certbot and python2-certbot-apache.
>
> The application is intended to run unattended, as root, and be capable
> of automatically renewing relatively short-lived certificates (a few
> months), writing them into the browser configuration.
> I have not personally tried automatic mode.
>
> Certbot is not available as a package for earlier CentOS/SL releases.
> However, it is available to download directly from
> https://dl.eff.org/certbot-auto
>
> That can be made to work on CentOS 6. Probably not 5. Certbot is written
> in Python and requires certain other packages such as tix, tkinter,
> openssl-devel. Currently, it works with Python 2.6 but will not in future.
>
> It is possible to run certbot in manual mode, and obtain certificates
> for webservers other than the one where the script is run. E.g.
> # /root/.local/share/letsencrypt/bin/certbot certonly --manual
>
> To verify ownership of a (sub)domain, it is necessary to place a text
> cookie on a webserver running on that domain, in a public URL such as
> http://example.com/.well-known/acme-challenge/<random string>
> The certbot authenticator then retrieves the cookie before issuing a
> certificate, which the user can then place in the website configuration.
>
> If there is no webserver running, certbot gives a recipe to run a simple
> Python one. The certificate could be used for non-web protocols such as
> LDAP, IMAP, SMTP etc.
>
>
> Certbot thus offers a viable alternative to the TRIUMF certificate
> authority for regular (non-enhanced validation) SSL certificates. But
> you get certificates for 90 days, not 3-5 years. You would probably need
> to set up the automated renewal process.
>
>
> Certificates from certbot (or any external CA) are unsuitable for
> document signing, code signing, or email signing/encryption, since they
> identify a webserver, not a person or company.
>
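The manual HTTP-01 step described in the quoted message (placing a "text cookie" under /.well-known/acme-challenge/ so the authenticator can fetch it) and the 90-day renewal point, as an added shell example that is not part of this thread and not certbot's own code. The token and key-authorization values are constructed placeholders; the optional remote check assumes curl is installed, and the expiry helper assumes GNU date and the openssl command line tool, as found on CentOS/SL.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, not certbot code): the pieces of
# the HTTP-01 challenge that "certbot certonly --manual" asks you to do by hand.
# The ACME server fetches http://<domain>/.well-known/acme-challenge/<token> and
# expects the response body to be exactly the key-authorization string certbot
# printed. TOKEN/KEYAUTH values used below are constructed, not real ACME data.

CHALLENGE_DIR=".well-known/acme-challenge"

# stage_challenge WEBROOT TOKEN KEYAUTH
# Write the challenge file where the web server's document root will serve it.
stage_challenge() {
    webroot=$1; token=$2; keyauth=$3
    mkdir -p "$webroot/$CHALLENGE_DIR" || return 1
    # printf, not echo: the body should be the bare string, no trailing newline.
    printf '%s' "$keyauth" > "$webroot/$CHALLENGE_DIR/$token" || return 1
    # httpd runs as an unprivileged user (apache), so the file must be world-readable.
    chmod 0644 "$webroot/$CHALLENGE_DIR/$token"
}

# verify_challenge WEBROOT TOKEN KEYAUTH
# Local pre-check of what the ACME server will compare: exact content.
# (Command substitution strips trailing newlines, so an editor-added newline
# is tolerated here, as it is by the authenticator.)
verify_challenge() {
    webroot=$1; token=$2; keyauth=$3
    file="$webroot/$CHALLENGE_DIR/$token"
    [ -r "$file" ] || return 1
    [ "$(cat "$file")" = "$keyauth" ]
}

# cleanup_challenge WEBROOT TOKEN
# Remove the token once the certificate has been issued.
cleanup_challenge() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# verify_challenge_http URL KEYAUTH
# Optional check from another host (assumes curl): status must be 200 and the
# body must match. A redirect to https or a 404 from a vhost mismatch are the
# usual reasons the authenticator rejects a challenge that looks fine on disk.
verify_challenge_http() {
    url=$1; keyauth=$2
    tmp=$(mktemp) || return 1
    code=$(curl -sS --max-time 10 -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 1; }
    got=$(cat "$tmp"); rm -f "$tmp"
    [ "$code" = "200" ] && [ "$got" = "$keyauth" ]
}

# days_until_expiry CERT.pem
# Print whole days left on the certificate; return 1 when fewer than 30 remain,
# which is the point at which a 90-day certificate should be renewed.
# Assumes GNU date (-d) and the openssl CLI.
days_until_expiry() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
    end_s=$(date -d "$end" +%s) || return 1
    now_s=$(date +%s)
    days=$(( (end_s - now_s) / 86400 ))
    echo "$days"
    [ "$days" -ge 30 ]
}

# Stand-alone demo in a throwaway directory standing in for the document root.
demo_root=$(mktemp -d)
stage_challenge "$demo_root" "tok_constructed_123" "tok_constructed_123.thumb_constructed" \
    && verify_challenge "$demo_root" "tok_constructed_123" "tok_constructed_123.thumb_constructed" \
    && echo "challenge staged and verified under $demo_root/$CHALLENGE_DIR"
cleanup_challenge "$demo_root" "tok_constructed_123"
rm -rf "$demo_root"
```

On a real host, WEBROOT is the DocumentRoot of the vhost that answers for the domain on port 80, and the key authorization is the string certbot prints in manual mode. Running verify_challenge_http from a second machine, with the public URL, catches the redirect and vhost problems that a local file check cannot.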