Let's Encrypt (https://letsencrypt.org/ ) is a free, automated and open Certificate Authority. Several clients are available to use this service.
For my home server, on which I have installed OS/2 and Apache, I chose to use the acme.sh client. It is a sh script, so the only thing needed to run it is the sh interpreter, as provided by a default yum installation - Python is not required.
The following HowTo was written drawing on the https://github.com/Neilpang/acme.sh and https://commaster.net/posts/how-setup-lets-encrypt-apache-windows/ pages.
Online installation on my server failed due to a missing crontab utility. So, to install acme.sh, download the full package as a zip file from github.com, unpack the acme.sh file into a temporary directory and run it:
D:\tmp>sh acme.sh --install --accountemail "you@youremailaddress.com" --force
It is recommended to install crontab first.
We need to set cron job to renew the certs automatically.
Otherwise, your certs will not be able to be renewed automatically.
It is recommended to install nc first, try to install 'nc' or 'netcat'.
We use nc for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to D:/HOME/DEFAULT/.acme.sh
Installed to D:/HOME/DEFAULT/.acme.sh/acme.sh
No profile is found, you will need to go into D:/HOME/DEFAULT/.acme.sh to use acme.sh
crontab doesn't exist, so, we can not install cron jobs.
All your certs will not be renewed automatically.
You must add your own cron job to call 'acme.sh --cron' everyday.
Good, bash is found, so change the shebang to use bash as prefered.
OK
Ignore the warnings about cron and nc: we will set up cron later, and nc is only needed for standalone mode, which we do not use. "--accountemail" is the address registered with your Let's Encrypt account; certificate expiry notices are sent there. It defaults to empty, but setting it is handy. See "sh acme.sh --help" for the full list of options.
We assume that the Apache web server serves plain http as well, not just https, and that the document root directory is d:/var/www (on OS/2 a path without a drive letter, such as /var/www, refers to the current drive, so the -w /var/www below is fine while working on D:). The script needs to know the Apache document root because, at issue/renew time, it writes the challenge token into a temporary directory there, /.well-known/acme-challenge/, which the Let's Encrypt validation servers fetch over plain http on port 80; that port must therefore be reachable from the Internet for www.yourdomain.org, and Apache must not block access to /.well-known/. acme.sh removes the token file once validation is done.
D:\home\default\.acme.sh>sh acme.sh --issue -d www.yourdomain.org -w /var/www --debug
config file is empty, can not read CA_KEY_HASH
Creating account key
Registering account
Registered
Update success.
Creating domain key
Single domain='www.yourdomain.org'
Getting domain auth token for each domain
Getting webroot for domain='www.yourdomain.org'
_w='/var/www'
Getting new-authz for domain='www.yourdomain.org'
Try new-authz for the 0 time.
The new-authz request is ok.
Verifying:www.yourdomain.org
chown: invalid group: "root:UNKNOWN"
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----
... [here you will see the just created certificate]
-----END CERTIFICATE-----
Your cert is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/www.yourdomain.org.cer
Your cert key is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/www.yourdomain.org.key
The intermediate CA cert is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/ca.cer
And the full chain certs is there: D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/fullchain.cer
The "--debug" parameter helps to see what is happening if something goes wrong. The chown error in the output above can be ignored: validation succeeded regardless ("Success"). If you should get a "Key divisible by small prime" error while registering the account, just delete the .acme.sh directory and rerun everything. In my experience, running the process a second or third time always fixes it. Have a look at account.conf if you want to enable the log file (the LOG_FILE setting, which "sh acme.sh --log" also turns on); it will in any case be useful later, to verify that cron works as expected.
Following is an extract from my Apache configuration file:
<VirtualHost _default_:443>
ServerName www.yourdomain.org:443
ServerAdmin you@youremailaddress.com
DocumentRoot "d:/var/www/"
ErrorLog "d:/var/log/apache2/error-ssl.log"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "D:/etc/letsencrypt/cert.pem"
SSLCertificateKeyFile "D:/etc/letsencrypt/key.pem"
SSLCertificateChainFile "D:/etc/letsencrypt/fullchain.pem"
...
</VirtualHost>
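As an added example, not the article's own configuration, here is the same VirtualHost with the two settings a security reviewer would change: "SSLProtocol all -SSLv2" as written above still permits SSLv3, and SSLCertificateChainFile is meant for the intermediate CA certificate rather than the full chain. The ca.pem path, and the --capath option of "acme.sh --installcert" used to produce it, are assumptions; adjust them to match your own installcert command.

```apache
<VirtualHost _default_:443>
    ServerName www.yourdomain.org:443
    ServerAdmin you@youremailaddress.com
    DocumentRoot "d:/var/www/"
    ErrorLog "d:/var/log/apache2/error-ssl.log"

    SSLEngine on
    # Disable SSLv3 as well as SSLv2; the original "all -SSLv2" left SSLv3 on.
    SSLProtocol all -SSLv2 -SSLv3
    # Prefer the server's order and drop the MEDIUM group (which is where RC4 lives).
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Leaf certificate and private key, as copied by "acme.sh --installcert".
    SSLCertificateFile    "D:/etc/letsencrypt/cert.pem"
    SSLCertificateKeyFile "D:/etc/letsencrypt/key.pem"
    # Intermediate CA only (acme.sh's ca.cer). Have installcert write it with
    #   --capath "D:/etc/letsencrypt/ca.pem"
    # On Apache 2.4.8 or later you may instead point SSLCertificateFile at
    # fullchain.pem and omit this directive altogether.
    SSLCertificateChainFile "D:/etc/letsencrypt/ca.pem"
</VirtualHost>
```

Keep the key file readable only by the account Apache runs under: anyone who can read key.pem can impersonate the site until the certificate is revoked and replaced.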
Please note the three lines starting with "SSLCertificate...". The certificate paths given in the following command line must match those directives. Strictly speaking, SSLCertificateChainFile is intended for the intermediate CA certificate(s) only; acme.sh can write just that file with the --capath option (it is the ca.cer shown above), and on Apache 2.4.8 or later SSLCertificateFile can point at fullchain.pem instead, which makes the chain directive unnecessary.
D:\home\default\.acme.sh>sh acme.sh --installcert -d www.yourdomain.org --certpath "D:/etc/letsencrypt/cert.pem" --keypath "D:/etc/letsencrypt/key.pem" --fullchainpath "D:/etc/letsencrypt/fullchain.pem" --reloadcmd "D:/CMD/apache_restart.cmd"
As you can imagine, D:/CMD/apache_restart.cmd is a simple script that restarts Apache so that the new certificate is loaded. The parameter is optional, since you can restart Apache manually, but automating this is quite handy when renewal time comes: acme.sh runs the reload command again after every successful automatic renewal.
You don't need to renew the certs manually: once the cron job below is in place, acme.sh renews every cert automatically when it is 60 days old (Let's Encrypt certificates are valid for 90 days). You can also force a renewal at any time:
D:\home\default\.acme.sh>sh acme.sh --renew -d www.yourdomain.org --force
Create a daily cron job to check and renew the cert when needed:
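As an added example, not code from the article or from the acme.sh project, here is a POSIX sh script meant to be the target of that daily cron job. It runs the acme.sh renewal check and then independently verifies the files Apache is configured to load: that the deployed cert is the one acme.sh last issued (a missed --installcert copy or --reloadcmd shows up here), that the key matches the cert, and that expiry is not imminent. The script name D:/CMD/acme_cron.sh, the crontab line, the 20-day threshold and all paths are assumptions taken from the article's own layout.

```shell
#!/bin/sh
# Added example, not code from the article or from acme.sh: daily cron target
# that runs the acme.sh renewal check and then verifies what Apache loads.
# Assumed crontab entry (standard five-field syntax), 03:00 every day:
#   0 3 * * * sh D:/CMD/acme_cron.sh run >> D:/var/log/acme_cron.log 2>&1
# All paths below are assumptions taken from the article's own layout.

ACME_HOME="${ACME_HOME:-D:/HOME/DEFAULT/.acme.sh}"
DOMAIN="${DOMAIN:-www.yourdomain.org}"
LIVE_CERT="${LIVE_CERT:-D:/etc/letsencrypt/cert.pem}"   # SSLCertificateFile
LIVE_KEY="${LIVE_KEY:-D:/etc/letsencrypt/key.pem}"      # SSLCertificateKeyFile
MIN_DAYS="${MIN_DAYS:-20}"   # warn if the deployed cert expires sooner than this

# Returns 0 if the PEM certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate in $1; empty if the file is unreadable.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 if $1 and $2 hold the same certificate (catches an --installcert
# copy or a --reloadcmd that silently did not happen after a renewal).
same_cert() {
    fp_a=$(cert_fingerprint "$1")
    fp_b=$(cert_fingerprint "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Returns 0 if the private key in $2 belongs to the certificate in $1
# (compares the two public keys; catches a cert/key mix-up between paths).
key_matches_cert() {
    pub_c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null || true)
    pub_k=$(openssl pkey -pubout -in "$2" 2>/dev/null || true)
    [ -n "$pub_c" ] && [ "$pub_c" = "$pub_k" ]
}

daily_renew() {
    # acme.sh itself decides whether any cert is due (60 days after issue by
    # default) and, on renewal, repeats the --installcert copy and --reloadcmd.
    "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME" || echo "acme.sh --cron failed" >&2

    # Independently verify the files Apache is configured to load.
    issued="$ACME_HOME/$DOMAIN/$DOMAIN.cer"
    rc=0
    same_cert "$issued" "$LIVE_CERT" ||
        { echo "WARNING: $LIVE_CERT differs from $issued (copy/reload did not run?)" >&2; rc=1; }
    key_matches_cert "$LIVE_CERT" "$LIVE_KEY" ||
        { echo "WARNING: $LIVE_KEY does not match $LIVE_CERT" >&2; rc=1; }
    cert_valid_for_days "$LIVE_CERT" "$MIN_DAYS" ||
        { echo "WARNING: $LIVE_CERT expires within $MIN_DAYS days" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "$(date): $DOMAIN OK, deployed cert valid for at least $MIN_DAYS more days"
    return "$rc"
}

# Only act when invoked as "acme_cron.sh run", so the functions can be sourced and tested.
case "${1:-}" in
    run) daily_renew ;;
esac
```

Running it every day is safe because "acme.sh --cron" applies the 60-day interval itself; the value of the wrapper is in the three checks after it, which turn a silent failure of the copy or reload step into a line in the cron log before the certificate actually expires.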
The acme.sh script is under active development, so it is strongly recommended to use the latest code.
I still had no occasion to test it, but the following command should update acme.sh to the latest code:
acme.sh --upgrade
You can also enable auto upgrade:
acme.sh --upgrade --auto-upgrade
If all the above works for you, please consider donating to support the Let's Encrypt project: https://letsencrypt.org/
This work is licensed under a Creative Commons Attribution 4.0 International License.