Using Let's Encrypt with OS/2

Let's Encrypt ( ) is a free, automated and open Certificate Authority. Several clients are available for using the service.

For my home server, on which I have installed OS/2 and Apache, I chose to use the client . It is an sh script, so the only thing needed to run it is the sh interpreter as provided by a default yum installation; Python is not required.

The following HowTo was written before the  and  pages existed.

1. Install the script

Online installation failed on my server because the crontab utility is missing. So, to install it, download the full package as a zip file from , unpack it into a temporary directory and run it:

D:\tmp>sh --install --accountemail "youatyouremailaddress [dot] com" --force
  It is recommended to install crontab first.
  We need to set cron job to renew the certs automatically.
  Otherwise, your certs will not be able to be renewed automatically.
  It is recommended to install nc first, try to install 'nc' or 'netcat'.
  We use nc for standalone server if you use standalone mode.
  If you don't use standalone mode, just ignore this warning.
  Installing to D:/HOME/DEFAULT/
  Installed to D:/HOME/DEFAULT/
  No profile is found, you will need to go into D:/HOME/DEFAULT/ to use
  crontab doesn't exist, so, we can not install cron jobs.
  All your certs will not be renewed automatically.
  You must add your own cron job to call ' --cron' everyday.
  Good, bash is found, so change the shebang to use bash as prefered.

Ignore the warnings about cron and nc. We will set up cron later, and nc is only used by standalone mode, which we do not need here. "--accountemail" is the email address used to register the account with Let's Encrypt; certificate expiry notices for your domains are sent there. It defaults to empty, but it is handy to set. See "sh --help" for a list of all available options.

2. Issue the certificate

We assume that the Apache web server serves plain http as well, not only https, and that its document root is d:/var/www. The script needs to know the Apache document root because, at issue/renew time, it creates a temporary directory there named /.well-known/acme-challenge/ and places the challenge token in it; Let's Encrypt fetches that token over http on port 80 to prove you control the domain, so the path must be reachable without redirects or authentication.

D:\home\default\>sh --issue -d -w /var/www --debug
  config file is empty, can not read CA_KEY_HASH
  Creating account key
  Registering account
  Update success.
  Creating domain key
  Single domain=''
  Getting domain auth token for each domain
  Getting webroot for domain=''
  Getting new-authz for domain=''
  Try new-authz for the 0 time.
  The new-authz request is ok.
    chown: invalid group: "root:UNKNOWN"
  Verify finished, start to sign.
  Cert success.
     ... [here you will see the just created certificate]
  Your cert is in  D:/HOME/DEFAULT/
  Your cert key is in  D:/HOME/DEFAULT/
  The intermediate CA cert is in  D:/HOME/DEFAULT/
  And the full chain certs is there:  D:/HOME/DEFAULT/

The " --debug" parameter helps to see what's happening if something goes wrong. If you should get a "Key divisible by small prime" error while registering the account, just delete the directory and rerun all. In my experience, running the process a second or third time always fixes it. Have a look at account.conf if you want to enable the log file, that in any case will be useful later, to verify that cron works as expected.

3. Install the issued certificate to Apache

The following is an extract from my Apache configuration file:

<VirtualHost _default_:443>
  ServerAdmin youatyouremailaddress [dot] com
  DocumentRoot "d:/var/www/"
  ErrorLog "d:/var/log/apache2/error-ssl.log"
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile "D:/etc/letsencrypt/cert.pem"
  SSLCertificateKeyFile "D:/etc/letsencrypt/key.pem"
  SSLCertificateChainFile "D:/etc/letsencrypt/fullchain.pem"

Note the three lines starting with "SSLCertificate...". The certificate paths given on the following command line must match them:

D:\home\default\>sh --installcert -d --certpath "D:/etc/letsencrypt/cert.pem" --keypath  "D:/etc/letsencrypt/key.pem" --fullchainpath "D:/etc/letsencrypt/fullchain.pem" --reloadcmd  "D:/CMD/apache_restart.cmd"

As you can imagine, D:/CMD/apache_restart.cmd is a simple script that restarts Apache so that the new certificate is loaded. The "--reloadcmd" parameter is optional, since you can restart Apache manually, but automating it is handy when the certificate comes up for renewal, because the renewed files are only picked up after a restart. Also note that "SSLProtocol all -SSLv2" still leaves SSLv3 enabled; adding "-SSLv3" is advisable.
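The following is a complete http plus https configuration for the setup described above. It is an added example, not the configuration from the original page or from the client's documentation. It assumes the same paths as the extract above (document root d:/var/www, certificate files under D:/etc/letsencrypt as installed by "--installcert"), Apache 2.2 access-control syntax ("Order"/"Allow") and mod_rewrite being loaded; the host name is whatever the browser sent. It adds two things the extract does not show: a port-80 virtual host that keeps /.well-known/acme-challenge/ reachable over plain http (required for every renewal) while redirecting everything else to https, and an SSLProtocol line that disables SSLv3 as well as SSLv2.

```apacheconf
# Added example, not from the original page. Assumptions: document root
# d:/var/www, certificate files under D:/etc/letsencrypt, Apache 2.2
# access-control syntax, mod_rewrite loaded.

# Plain http must remain available: the ACME http-01 challenge is fetched
# over port 80 from /.well-known/acme-challenge/ inside the document root.
<VirtualHost _default_:80>
  DocumentRoot "d:/var/www/"

  # Serve the challenge files with no authentication and no overrides.
  <Directory "d:/var/www/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  # Send every other request to https; the challenge path is excluded
  # first, otherwise the validator would be redirected and renewal fails.
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
  ServerAdmin youatyouremailaddress [dot] com
  DocumentRoot "d:/var/www/"
  ErrorLog "d:/var/log/apache2/error-ssl.log"
  SSLEngine on

  # "all -SSLv2" alone still enables SSLv3 (POODLE); disable it too and
  # prefer the server's cipher order over the client's.
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

  # These three paths must match --certpath, --keypath and --fullchainpath
  # passed to "--installcert". On Apache 2.4.8 or newer,
  # SSLCertificateChainFile is deprecated: point SSLCertificateFile at
  # fullchain.pem instead and drop the chain line.
  SSLCertificateFile "D:/etc/letsencrypt/cert.pem"
  SSLCertificateKeyFile "D:/etc/letsencrypt/key.pem"
  SSLCertificateChainFile "D:/etc/letsencrypt/fullchain.pem"
</VirtualHost>
```

After editing the configuration, check it before restarting (for example with the Apache binary's "-t" configuration test) and then confirm that http://your-host/.well-known/acme-challenge/ is answered on port 80 without a redirect; that is the path the "--cron" renewal described in the next step depends on.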

4. How to renew the cert

No, you don't need to renew the certs manually. The script renews every cert automatically after 60 days (Let's Encrypt certificates are valid for 90 days, so this leaves a month of margin). However, you can also force a renewal of any cert:

D:\home\default\>sh --renew -d --force

Since crontab could not be installed in step 1, nothing is renewed automatically until you create the job yourself. Create a daily cron job that runs the following command, which checks the cert and renews it only when needed:

D:\etc >sh "D:\home\default\\" --cron --home "D:\home\default\"
  Renew: ''
  Skip, Next renewal time is: Mon Jan  9 08:17:47 UTC 2017
  Add '--force' to force to renew.

5. How to upgrade

The script is under active development, so it is strongly recommended to use the latest code.

I have not yet had occasion to test it, but the following command should update to the latest code:

 --upgrade

You can also enable auto-upgrade:

 --upgrade --auto-upgrade

Bear in mind that with auto-upgrade enabled the cron job fetches and runs new code from the network unattended, so weigh the convenience against the extra exposure of running whatever the latest release contains.

If all the above works for you, please consider donating to support the Let's Encrypt project:
