Weblog

1 April 2016, 00:56

I've written a script to get a Let's Encrypt certificate. Please download the script and let me know what you think of it.

Kapageridis Stavros
1 April 2016, 13:47
Hi Hugo,

Your script is a power tool. In a matter of minutes, I have registered
an account, requested and deployed a Let's Encrypt certificate. Even
without basic knowledge of SSL certificates, anyone can install and
request an SSL certificate from Let's Encrypt. I was also amazed that
it provides a feature to first request a test certificate before
switching it to production state. And in case of expiration I can easily renew it with
a single command.
There was nothing more to do than to run three commands via your
script.

Thank you very much for everything.
samiux
3 April 2016, 14:37
Hi Hugo,

It works as expected. Please include this good script in the Hiawatha package.

Thanks a lot.
Alex
6 April 2016, 22:50
Hey Hugo,
Very nice job, but why PHP?
I don't have PHP installed on my server. IMHO shell would be a better solution.
Here is another good tool to create SSL certificates: https://github.com/lukas2511/letsencrypt.sh
Take a look, maybe you can optimize it quickly for Hiawatha.

Thank you.
Hugo Leisink
7 April 2016, 08:01
PHP, because I know it well. Shell, Perl, PHP, Python, they're all just interpreters. Don't be afraid of an interpreter, it's just a tool. I used it because it's the language, besides C, I know best. So, for me it's the right tool to deliver a proper application. Just install it, let my script use it, and ignore it for the rest.
Thomas
9 April 2016, 11:49
Hi,
Can you confirm whether this script will work when running Hiawatha as a reverse proxy?

The intention is to terminate SSL on the load balancer (= reverse proxy) and work with non-encrypted connections in the backend.

THX
Hugo Leisink
10 April 2016, 18:17
Use the script at the final webserver and place the retrieved certificate at the reverse proxy.
Andrew H
14 April 2016, 04:12
Finally got around to trying this - what a great tool! Works perfectly for me. Thanks Hugo!
Dan Larsson
15 April 2016, 15:44
When I request the certificate from the testing server it works fine, but when I change to production I get the following messages, and no certificate. Tried a lot of things here, but no luck yet.

Authorizing slas.se.
- Retrieving HTTP authentication challenge.
- No registration exists matching provided key.
- Authentication token for HTTP challenge not found.
samiux
15 April 2016, 18:19
Hi hugo,

How to use the script to apply public-key-in feature?
Hugo Leisink
15 April 2016, 18:54
@Dan Larsson: Did you register your key at the production server? I realize I didn't mention that step in the README. Will add it.

@Samiux: What do you mean with public-key-in?
samiux
15 April 2016, 19:01
Hi Hugo,

Sorry for the typo. It should be header Public-Key-Pin.
Hugo Leisink
15 April 2016, 19:02
Uhm, that's something for a browser to do. Not this script.
samiux
15 April 2016, 20:00
Hi Hugo,

It is quote from your How-to :
http://dotbalm.org/hiawatha-public-key-pinning-hpkp/
samiux
15 April 2016, 20:02
Hi hugo,

The script does not have the fingerprint of the cert, so it cannot be used in the CustomHeader for public-key-pin.
Hugo Leisink
16 April 2016, 07:57
First, that website is not my HOWTO. Second, you can create the fingerprint of a certificate yourself as described at that webpage.
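Hugo's reply above says the fingerprint can be computed by hand. The block below is an added example written for this page in Python; it is not the letsencrypt script, not Hiawatha code, and not the linked HOWTO. It computes the HPKP pin as RFC 7469 defines it: base64 of the SHA-256 of the DER-encoded subjectPublicKeyInfo, pulled out of the certificate with a minimal ASN.1 walker, and then builds the value for Hiawatha's CustomHeader option. The two certificates inside it are constructed ASN.1 skeletons with placeholder keys, not real certificates, so that it runs offline; on a server you would feed it the PEM file the script wrote. Two caveats a practitioner should keep in mind: a Public-Key-Pins header is only honoured with at least two pins, one of them a backup key that is not in the served chain, and pinning a leaf key that an automated renewal may regenerate locks your own users out, so keep a backup key offline and pin that too. Browsers have since removed HPKP support altogether.

```python
import base64
import hashlib

# Added example for this page (not the letsencrypt script or Hiawatha code).
# HPKP pin-sha256 (RFC 7469) = base64(SHA-256(DER subjectPublicKeyInfo)).


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Return (tag, tlv_start, value_start, value_end) for each element of a constructed TLV."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        out.append((tag, pos, vstart, vend))
        pos = vend
    return out


def spki_der_from_cert(cert_der):
    """Extract the complete subjectPublicKeyInfo TLV (tag, length and value) from a DER certificate."""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(cert_der, start, end)[0]          # tbsCertificate
    fields = _children(cert_der, tbs[2], tbs[3])
    if fields and fields[0][0] == 0xA0:               # optional EXPLICIT [0] version (v2/v3 certs)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5]
    return cert_der[spki[1]:spki[3]]


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def pin_sha256(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header_value(pins, max_age=5184000, include_subdomains=False):
    """Value for 'CustomHeader = Public-Key-Pins: <value>' in hiawatha.conf."""
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins: the live key and an offline backup key")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# --- constructed fixtures: ASN.1 skeletons with placeholder keys, NOT real certificates ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_RSA_OID = bytes.fromhex("06092a864886f70d010101")     # OID 1.2.840.113549.1.1.1 rsaEncryption
_EMPTY = _tlv(0x30, b"")                                # stands in for signature/issuer/validity/subject


def _fake_spki(fill):
    """SubjectPublicKeyInfo with a made-up RSA modulus made of repeated 'fill' bytes."""
    key = _tlv(0x30, _tlv(0x02, b"\x00" + bytes([fill]) * 64) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, _tlv(0x30, _RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + key))


SAMPLE_SPKI = _fake_spki(0xC3)            # the key the server actually uses
BACKUP_SPKI = _fake_spki(0xD4)            # a separately generated key kept offline
SAMPLE_CERT_V3 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                                       + _EMPTY * 4 + SAMPLE_SPKI) + _EMPTY + _tlv(0x03, b"\x00"))
SAMPLE_CERT_V1 = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _EMPTY * 4 + SAMPLE_SPKI)
                      + _EMPTY + _tlv(0x03, b"\x00"))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_V3).decode("ascii")
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    live = pin_sha256(spki_der_from_cert(pem_to_der(SAMPLE_CERT_PEM)))
    backup = pin_sha256(BACKUP_SPKI)
    print("CustomHeader = Public-Key-Pins: " + hpkp_header_value([live, backup]))
```

On a server, replace SAMPLE_CERT_PEM with the contents of the certificate file the script wrote and BACKUP_SPKI with the public key of a key pair you generated and stored offline; the pin of the backup key must be in the header before you ever need it.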
samiux
17 April 2016, 16:33
Hi Hugo,

Thanks for the hints. The Public-Key-Pin header is applied successfully.

May I know how to renew the certificate with the script?
Hugo Leisink
17 April 2016, 16:58
Yes, you may know. It's described in the readme...
Dan Larsson
18 April 2016, 11:21
@Hugo Sometimes it's too simple, thanks for the answer. All I had to do was to rename the account.key and run the register option again.

Thank you for the very nice webserver and useful script.
samiux
18 April 2016, 19:29
Hi Hugo,

Would you mind considering changing the script to handle the "Include" keyword?
Hugo Leisink
19 April 2016, 10:17
It already handles the include statement. Doesn't it work for you?
samiux
22 April 2016, 08:25
Hi Hugo,

My previously downloaded version doesn't work with the "include" keyword. But I'm not sure about the current version. Any harm if I re-run the script?
Hugo Leisink
23 April 2016, 00:25
No, especially if you run it against the test server.
Fred
25 April 2016, 11:12
Hi Hugo,
This is probably a silly question but do I need to change the code below:
LE_ISSUERS = Let's Encrypt Authority X1 \
Let's Encrypt Authority X2 \
Let's Encrypt Authority X3 \
Fake LE Intermediate X1 \
happy hacker fake CA

If I'm supposed to edit those bits, what should they be?
Fred
25 April 2016, 11:22
Hi,
I decided to give it a go by leaving the code previously mentioned as it is, and I got the following error when running php ./letsencrypt register:
HTTP error while registering account

What have I done wrong?
Hugo Leisink
25 April 2016, 14:18
You can ignore the LE_ISSUERS setting for now.
I'll look at the registering issue. I can reproduce it here. It looks like the API has changed... again.

Update:
I've made some changes. Redownload the letsencrypt package and please try again.
Fred
25 April 2016, 23:20
Hi hugo,

I downloaded the latest update and got further, but now I have another issue:
 php ./letsencrypt request mydomain.co.uk
Generating account key.
Hostname mydomain.co.uk not found in Hiawatha configuration.

I do have a virtual host {} with mydomain.co.uk.
Could you please advise on what to do next?

Thank you
Hugo Leisink
27 April 2016, 13:35
Can you send me your complete configuration? Send it to hugo@hiawatha-webserver.org.
Fred
28 April 2016, 01:22
Sent you an email
David Oliver
30 April 2016, 02:08
I've just tried this out and it seems to be an extremely easy and convenient way of registering (and automatically renewing!) certificates. Thanks, Hugo!

I found that a VirtualHost needs to be in the main Hiawatha config file as opposed to in a file which has been included with, for example, 'Include /etc/hiawath/websites.conf'. That's easily sorted, of course, and I'll move all my vhosts back to the main file.

I'll probably add some code to send Pushover alerts on failed renew requests.
Hugo Leisink
30 April 2016, 10:42
I included support for the include option. But apparently that doesn't work properly. I'll take a look at it.

Update:
I've solved this issue. Redownload the package and it should work now.
Zaigham
3 May 2016, 13:27
The download is going 404 now.
Jeff
16 May 2016, 18:21
I downloaded from GitHub and it is working great. Still waiting for the 3-month expiration to see if the renew cron job works as expected, but so far this is a dream come true, thanks for developing and sharing this!
Vondutch
15 September 2016, 21:45
To make the tool work after August, 2016. Change "LE_CA_TERMS = https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" to "LE_CA_TERMS = https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" in the "letsencrypt.conf" file.
Bakelnaar
5 January 2017, 11:54
I got stuck with the fact that the letsencrypt script could not find the hostname in my config files. This was due to the fact that I did not include a space after the VirtualHost (so VirtualHost{ instead of VirtualHost {). Hiawatha is able to read these config files without a problem, however the letsencrypt script could not recognize it.
However, it is a very useful tool.
David Oliver
26 January 2017, 14:08
In Ubuntu I found that when running the script to renew certs as root (sudo crontab -e) Hiawatha was not restarting because the start-stop-daemon program could not be found; cron's PATH env var does not include /sbin, which is where start-stop-daemon is. Adding the appropriate path to PATH for the cron task gets round this.

52 03 * * * PATH=$PATH:/sbin /path/to/letsencrypt renew restart >> /var/log/letsencrypt-hiawatha.log 2>&1
kfft
11 April 2017, 22:49
The process seemed to work fine (writing private key, certificate and CA certificate), but eventually the certificate is not recognized in the browser.
"The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER"
I managed to get a certificate working using another script and haven't spent too much time debugging this one. Is it still supposed to work, or are there some parameters to be adjusted?
kfft
11 April 2017, 23:00
More precisely the browser says:
issuer : "Fake LE Intermediate X1"
Looking into my pem file I see the same certificate as this one https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
kfft
11 April 2017, 23:20
Eventually got it right; it was because the account key used had been created with the test LE_CA_HOSTNAME. It is working now.
Thanks for this great tool!

Question for Hugo: I had to remove all the IPs like 127.0.0.1 from the Hostname list because it was making it fail. Could you pass on IP addresses instead of failing, or what is the config I should adopt instead of having IP addresses in the list?
Note my VirtualHost does not necessarily require TLS and I access the IP addresses with http; the certificate is used for the other hostnames in the list accessed via https.
Hugo Leisink
12 April 2017, 09:04
Looks like you use an older version of the letsencrypt script. Or, at least an older version of its configuration file. Use the latest version and try again. And it's not my script, but the Let's Encrypt CA that doesn't allow IP addresses in the CN.
kfft
12 April 2017, 20:14
Thanks very much Hugo. I used this version https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz, which I downloaded yesterday; is there a more recent one?

Indeed Let's Encrypt does not allow IPs, but if I want to have IPs in my list of hostnames and at the same time I want to get certificates (not for the IPs but for the names in the list), the LE script will go through all the hostnames of the list and fail when it encounters an IP, I believe.
Does it mean I need to create one VirtualHost for the IPs and a different VirtualHost for the certification with domain names only?

*** I have been a very happy user of Hiawatha for the past 10 years on Windows and I recently moved to Arch Linux ***
Hugo Leisink
13 April 2017, 19:20
The one you mentioned is the latest one. The next version of Hiawatha (soon to be released) will ignore IP addresses in the hostname list.
kfft
13 April 2017, 21:22
It sounds great, thanks Hugo [CLOSED]
kfft
27 August 2017, 21:40
Hi Hugo, sorry to come back to this, but from my tests it has not been implemented in 10.6. Is it for the next version, or should I try again?
kfft
27 August 2017, 21:47
To clarify, the config I would like to use is

VirtualHost {
Hostname = www.mysite.org,127.0.0.1
...
}

and run 'letsencrypt renew restart' on this config
kfft
27 August 2017, 22:18
Actually, I think it is working now that you have implemented filtering out of IP addresses in the letsencrypt PHP scripts. My mistake. Thanks Hugo.
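Three things in this thread went wrong in the step where the script reads hiawatha.conf to find the hostnames to request: VirtualHost blocks living in a file pulled in with Include (David Oliver's report and Hugo's fix above), "VirtualHost{" written without the space (Bakelnaar's report), and IP addresses in the Hostname list, which the CA refuses in a CN (kfft's reports). The block below is an added example in Python written for this page; it is not the letsencrypt PHP script and it does not claim to match Hiawatha's own parser. It follows Include (file or directory), accepts the brace with or without a space, tolerates any key case, guards against include loops, and drops IP addresses from the list of names to request while keeping the order, so the first hostname stays first. The configuration files inside it are a constructed sample, not anyone's real server.

```python
import ipaddress
import os
import re

# Added example for this page (Python); not the letsencrypt PHP script and not Hiawatha's parser.

# Constructed sample: a main file plus an included file, as commenters in the thread had it.
SAMPLE_FILES = {
    "/etc/hiawatha/hiawatha.conf": """\
# main configuration (constructed sample)
ServerId = www-data
Include /etc/hiawatha/websites.conf

VirtualHost {
    # 127.0.0.1 is listed so plain http://127.0.0.1 keeps working; it must not reach the CA
    Hostname = example.org, www.example.org, 127.0.0.1
    WebsiteRoot = /var/www/example
    RequireTLS = yes
}
""",
    "/etc/hiawatha/websites.conf": """\
VirtualHost{
    Hostname = blog.example.net,::1
    WebsiteRoot = /var/www/blog
}
""",
}


def dict_loader(target, files=SAMPLE_FILES):
    """Loader over the in-memory sample: a file path yields one text, a directory yields every file under it."""
    if target in files:
        return [files[target]]
    prefix = target.rstrip("/") + "/"
    return [files[k] for k in sorted(files) if k.startswith(prefix)]


def file_loader(target):
    """Loader over the real filesystem, for use on a server (Include may name a file or a directory)."""
    if os.path.isdir(target):
        return [open(os.path.join(target, n)).read() for n in sorted(os.listdir(target))]
    with open(target) as f:
        return [f.read()]


def is_ip_address(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def extract_virtualhosts(text, loader, _seen=None):
    """Return one list of Hostname values per VirtualHost block, in file order, following Include."""
    seen = _seen if _seen is not None else set()
    vhosts, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^Include\s+(\S+)$", line, re.IGNORECASE)
        if m and depth == 0:
            target = m.group(1)
            if target in seen:                          # guard against include loops
                continue
            seen.add(target)
            for included in loader(target):
                vhosts.extend(extract_virtualhosts(included, loader, seen))
            continue
        if line.endswith("{"):
            depth += 1
            if re.match(r"^VirtualHost\s*\{$", line, re.IGNORECASE):   # 'VirtualHost{' accepted too
                current = []
                vhosts.append(current)
            continue
        if line == "}":
            depth -= 1
            current = None
            continue
        if current is not None:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "hostname":
                current.extend(h.strip() for h in value.split(",") if h.strip())
    return vhosts


def certificate_names(hostnames):
    """Names to request from the CA: IP addresses are dropped, order is preserved."""
    return [h for h in hostnames if not is_ip_address(h)]


if __name__ == "__main__":
    for names in extract_virtualhosts(SAMPLE_FILES["/etc/hiawatha/hiawatha.conf"], dict_loader):
        print("%s -> request certificate for %s" % (names, certificate_names(names)))
```

To run it against a live server, call extract_virtualhosts with the text of /etc/hiawatha/hiawatha.conf and file_loader instead of dict_loader; a VirtualHost that yields an empty list from certificate_names has nothing the CA can issue for and should be skipped rather than treated as an error.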
Jack
14 September 2017, 14:00
Hi Hugo

It appears that 'EnforceFirstHostname = yes' breaks the tool?

Watching the webroot whilst the tool is running I see the .well-known directory appear for the first hostname, and then the folder disappears and fails to reappear whilst the tool tries to authorize the second hostname.

Does the second hostname actually need to be included on the certificate if the above setting is on?
kfft
29 September 2017, 13:00
@Hugo do you expect to maintain the tool in 2018 and port it to ACMEv2?
BTW, here is the list of client scripts, including yours: [https://letsencrypt.org/docs/client-options/]
Hugo Leisink
29 September 2017, 13:01
Of course!
kfft
29 September 2017, 13:32
Great news, no need to look for another Let's Encrypt client then; I will stick with it!
Luis Mendes
3 June 2018, 20:30
When installing on FreeBSD, there were two problems:
The shebang: /usr/local/bin/php
In libraries/letsencrypt.php I used:
$dir = HIAWATHA_CERT_DIR."/";
instead of
$dir = (posix_getuid() == 0) ? HIAWATHA_CERT_DIR."/" : "";

If a check for FreeBSD could be made, that would be great!
Very nice tool, thanks Hugo!
Hugo Leisink
4 June 2018, 09:11
Don't know how to solve the shebang issue.
The posix_getuid() can be replaced with getmyuid().