Forum OpenACS Development: Trying letsencrypt

Posted by Raul Rodriguez on
I used letsencrypt (https://bitbucket.org/naviserver/letsencrypt) and came across a few things:

I tried it on a fresh install of naviserver and openacs on debian 9.
From the README, it was not clear if it could be used on a fresh install of naviserver/openacs. It was also not clear in which directory the make install should be executed, and whether it is needed at all when letsencrypt.tcl is used directly in packages/acs-subsite/www/admin/.

I ended up executing it in /usr/local/src/.

I moved letsencrypt.tcl to packages/acs-subsite/www/admin.

The script failed due to permission problems on
/usr/local/ns/config-service0
and
/etc/ssl/openssl.cnf

After fixing this, it ran successfully; however, I was not able to get the server to start until I removed the following that had appeared at the end of the /usr/local/ns/config-service0:

ns_section ns/server/${server}/modules
ns_param nsssl nsssl.so

I also found that setting it to STAGING caused the site to go down, since it created and updated all the files with "staging" data. Please also note that, regardless of running in production or staging mode, it backed up and updated /usr/local/ns/config-service0, moving the certificate path from the standard oacs one (/var/www/service0/etc/) to /usr/local/ns/modules/nsssl/.

Is it possible to have some suggestions on:
- should the certificate be moved to the standard oacs directory
- what should be done with the files that were generated in the process .csr,.conf,.key
- what to expect when running in Staging mode
- how to renew

Thank you

2: Re: Trying letsencrypt (response to 1)
Posted by Gustaf Neumann on

Some preliminaries: letsencrypt [1] is a NaviServer module that obtains certificates for a NaviServer with nsssl configured (running a TLS service). letsencrypt is a NaviServer module and not an OpenACS package; it works with and without OpenACS.

The letsencrypt module consists of a single file, which is called via the browser. The configuration happens in the first part of the script [2]. When the script is executed, it uses the openssl binary and some Tcl packages (which should be available in all OpenACS installations). The script gets configuration values from the NaviServer/OpenACS config file and from the OpenSSL configuration and writes some files: it produces a backup of the old config file, produces a new config file, automatically creates a letsencrypt account, creates key pairs, creates certificate requests and finally obtains the requested certificates (potentially multi-domain certificates). To write or update these files, nsd (usually running with user_id nsadmin, group_id nsadmin) needs write permissions on the "sslpath" (see [2]) and on the directory where the OpenACS config file resides.

Note that one letsencrypt account can be used for obtaining certificates for several (OpenACS) servers, so this information is kept under the matching NaviServer installation.

Concerning your questions:

  • "fresh installation of openacs or not": whatever "fresh" means: as the README file [1] states, it requires NaviServer 4.99.15 or newer. If you have an older version of NaviServer, you have to upgrade.
  • "executing it in /usr/local/src": Not sure what you mean. "letsencrypt.tcl" is called via the browser; "/usr/local/src" is normally not in the directory tree served by nsd. As the README [1] suggests, under OpenACS it is recommended to copy letsencrypt.tcl to packages/acs-subsite/www/admin/ such that it is reachable for all sub-sites.
  • "until I removed the following that had appeared ...": The script adds a driver section to the end of the config file when no nsssl configuration is found. You see this in the reply of the script, when it writes at the end "... adding driver module nsssl.so to your config file". So, my guess is as follows: your site is not using native NaviServer nsssl, but you are probably running OpenACS behind some proxy performing the HTTPS offloading.
  • "staging" mode: this is a term from letsencrypt. The obtained certificate works with the limitations noted in [3].
  • "should the certificate be moved to the standard oacs directory": as noted, the module updates the config file; everything related to all letsencrypt certificates and accounts is stored at the same place (as indicated in the reply from the letsencrypt script). You are certainly free to copy the pem files around and/or make links.
  • "what ... be done with the files...": keep these files, these are your account data
  • "how to renew": run the same script again. For an nsd with nsssl, you get the expiration date from the nsstats.tcl module

If my guess is right and you are running behind a proxy, this is not a supported configuration. Maybe a lightweight approach would be to make a "behind proxy" variant that does not touch the OpenACS config file.

[1] https://bitbucket.org/naviserver/letsencrypt/src/default/
[2] https://bitbucket.org/naviserver/letsencrypt/src/default/letsencrypt.tcl
[3] https://letsencrypt.org/docs/staging-environment/
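The reply above names three things that bit the original poster: nsd needs write access to the config directory and to the sslpath, the script appends an nsssl driver section when none is configured, and renewal means simply re-running the script before the certificate expires (staging certificates are not browser-trusted). The following POSIX shell pre-flight check is an added example, not code from the letsencrypt module, OpenACS, or either poster. It assumes the config file path, the nsd user and (optionally) the certificate file are passed as arguments, that sslpath appears as an "ns_param sslpath ..." line in the NaviServer config (the module itself reads its settings from the first part of letsencrypt.tcl, so adjust the lookup if yours differs), and that staging issuer names contain "STAGING" or "Fake" (a heuristic, not something the thread states).

```shell
#!/bin/sh
# Pre-flight check before calling letsencrypt.tcl from the browser.
# Added example; not part of the letsencrypt module or OpenACS.
# Assumptions: config path, nsd user and cert file are given as arguments;
# sslpath is set with an "ns_param sslpath ..." line; the staging-issuer
# test ("STAGING" or "Fake" in the issuer) is a heuristic.

# has_nsssl_module CONFIG -> exit 0 if the config loads nsssl.so
# (otherwise letsencrypt.tcl appends a driver section, as the thread observed)
has_nsssl_module() {
    grep -Eq '^[[:space:]]*ns_param[[:space:]]+nsssl[[:space:]]+nsssl\.so' "$1"
}

# sslpath_from_config CONFIG -> prints the first sslpath value (quoted or not)
sslpath_from_config() {
    sed -n 's/^[[:space:]]*ns_param[[:space:]]\{1,\}sslpath[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# writable_by_user DIR USER -> exit 0 if USER may write DIR.
# Needs root to switch users; otherwise it degrades to a check for the caller.
writable_by_user() {
    dir=$1; user=$2
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$user" -c "test -w '$dir'"
    else
        test -w "$dir"
    fi
}

# cert_ok_for_days CERT DAYS -> exit 0 if CERT is still valid DAYS from now
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# looks_like_staging CERT -> exit 0 if the issuer looks like the staging CA
looks_like_staging() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -Eq 'STAGING|Fake'
}

# preflight CONFIG USER [CERT] -> prints findings, returns the problem count
preflight() {
    cfg=$1; user=$2; cert=$3; problems=0
    if has_nsssl_module "$cfg"; then
        echo "ok: nsssl.so is loaded by $cfg"
    else
        echo "note: $cfg loads no nsssl driver; letsencrypt.tcl will append one"
    fi
    for d in "$(dirname "$cfg")" "$(sslpath_from_config "$cfg")"; do
        if [ -z "$d" ]; then
            echo "problem: sslpath not set in $cfg"; problems=$((problems + 1))
        elif writable_by_user "$d" "$user"; then
            echo "ok: $user can write $d"
        else
            echo "problem: $user cannot write $d"; problems=$((problems + 1))
        fi
    done
    if [ -n "$cert" ] && [ -f "$cert" ] && command -v openssl >/dev/null 2>&1; then
        if cert_ok_for_days "$cert" 30; then
            echo "ok: $cert is valid for more than 30 days"
        else
            echo "problem: $cert expires within 30 days; rerun letsencrypt.tcl"
            problems=$((problems + 1))
        fi
        looks_like_staging "$cert" && echo "warning: $cert was issued by the staging CA; browsers will not trust it"
    fi
    return "$problems"
}

# Example call (paths follow the thread; adjust to your installation):
# preflight /usr/local/ns/config-service0 nsadmin /usr/local/ns/modules/nsssl/service0.pem
```

Run it as root so the permission test actually switches to the nsd user; a non-zero return is the number of things to fix before opening /admin/letsencrypt in the browser.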

3: Re: Trying letsencrypt (response to 2)
Posted by Raul Rodriguez on
The following is a summary of what I did:
- Installed debian 9
- Installed naviserver and openacs using the scripts from git clone https://github.com/gustafn/install-ns
- [ns_info home]/modules/nsssl did not exist
- Downloaded letsencrypt https://bitbucket.org/naviserver/letsencrypt/downloads/
- Performed make install in /usr/local/src/naviserver-letsencrypt-a4c48260f300/
- Copied letsencrypt.tcl to /var/www/service0/packages/acs-subsite/www/admin/
- On my router, opened up ports 80 and 443 and port forward to openacs.
- Left 8443 commented out in my openacs install
- Opened up browser and logged in to openacs as admin
- Went to http://www.myopenacs.com/admin/letsencrypt
- Entered domain names
- Got permission Request Error
- Updated permissions on /etc/ssl/openssl.cnf and /usr/local/ns/config-service0
- Ran again
- Success
- nsssl and related documents were created and config-service0 was updated
- removed newly added 'ns_section ns/server/${server}/modules' and 'ns_param nsssl nsssl.so' from config file and uncommented https port
- restarted openacs
- site came up and was able to log on via https

Thank You for all of your work and help.

4: Re: Trying letsencrypt (response to 2)
Posted by Cesar Dominguez on
Hi Gustaf, I followed all the directions for the setup of the SSL certificate in NaviServer. But first of all, my server is on Apache, so I first followed the steps for certbot at https://certbot.eff.org/lets-encrypt/ubuntubionic-apache; my OS is Ubuntu 18.04, my domain is innogroove.com and it is secure. After following the steps for NaviServer, I wanted to use the certificate on the same domain but a different port, e.g. innogroove.com:8002. I got this error and the site is not secure. Note:
wrong # args: should be "ns_base64urlencode string"
    while executing
"ns_base64urlencode -binary [binary decode hex $mod]"
    (procedure ":parseAccountKey" line 17)
    invoked from within
":parseAccountKey"
    (procedure "getCertificate" line 50)
    invoked from within
"$c getCertificate"
    ("uplevel" body line 878)
    invoked from within
"uplevel {
    #
# letsencrypt.tcl --
#
#   A small Let's Encrypt client for NaviServer implemented in Tcl,
#   supporting the ACME v2 interface of let..."
    (procedure "code::tcl::/var/www/fd6//packages/acs-subsite/www/admin/lets..." line 2)
    invoked from within
"code::tcl::$__adp_stub"
    ("uplevel" body line 12)
    invoked from within
"uplevel {

        if { [file exists $__adp_stub.tcl] } {

            # ensure that data source preparation procedure exists and is up-to-date
      ..."
    (procedure "adp_prepare" line 2)
    invoked from within
"adp_prepare"
    invoked from within
"template::adp_parse $themed_template {}"
    (procedure "adp_parse_ad_conn_file" line 14)
    invoked from within
"$handler"
    ("uplevel" body line 2)
    invoked from within
"uplevel $code"
    invoked from within
"ad_try {
                $handler
            } ad_script_abort val {
                # do nothing
            }"
    invoked from within
"rp_serve_concrete_file [ad_conn file]"
    (procedure "::nsf::procs::rp_serve_abstract_file" line 60)
    invoked from within
"rp_serve_abstract_file "$root/$extra_url""
    ("uplevel" body line 2)
    invoked from within
"uplevel $code"
    invoked from within
"ad_try {
                rp_serve_abstract_file "$root/$extra_url"
                set ::tcl_url2file([ad_conn url]) [ad_conn file]
                se..."
I would appreciate your support.
5: Re: Trying letsencrypt (response to 4)
Posted by Antonio Pisano on
Dear Cesar,

this seems related to your NaviServer version; can you please tell which one you are using?

Ciao
Antonio

6: Re: Trying letsencrypt (response to 5)
Posted by Cesar Dominguez on
Hi Antonio, thanks for replying. The NaviServer version I have installed is 4.99.18. Thanks,
7: Re: Trying letsencrypt (response to 6)
Posted by Gustaf Neumann on
Dear Cesar,

you should either use the versions included in the tar file releases from sourceforge [1] or use the tip versions from bitbucket.

There was a binary reform included in 4.99.19 (providing explicit arguments instead of guessing). From the error message you provided, one can see that the version of letsencrypt you are using assumes a version of NaviServer supporting the "-binary" flag. So either downgrade letsencrypt or upgrade NaviServer.

[1] https://sourceforge.net/projects/naviserver/files/naviserver/