SecuritySpy and Let's Encrypt - autoload new certificates

jlbrown

I'd like to use our domain name in our HTTPS certificate, so unfortunately that means I can't use SecuritySpy's built-in Let's Encrypt support.

1. Would you consider adding the ability to use LE to get certs for a user's domain?
2. I can download certbot using Homebrew and get certs for my domain that way. When the cert gets auto renewed - is there a way to get SS to reload the web server with the new ones? Eg using certbot's '--renew-hook' option.

Thanks, James.

mark

You can do this by creating links to the LE certs. e.g. running as sudo something like…

define the vars as neccessary…

cd "/opt/local/etc/letsencrypt/live/$theCertName"

/bin/ln -f "fullchain.pem" "$theSecuritySpyFolderPath""fullchain.pem"

/bin/ln -f "privkey.pem" "$theSecuritySpyFolderPath""server.key"

/bin/ln -f "cert.pem" "$theSecuritySpyFolderPath""server.crt"

cd "$theSecuritySpyFolderPath"

/usr/sbin/chown -h "$theUser":staff fullchain.pem

/usr/sbin/chown -h "$theUser":staff server.key

 /usr/sbin/chown -h "$theUser":staff server.crt

I dont use certbot hooks but run from another script. You need to update the links every time you renew the certs and then restart SS. I do this and it seems to work fine.

Hope this is of use.

Ben

This is what our utility Certy is for. It makes it easy to generate LE certificates for SecuritySpy with your own domain name.

Yes, you can do this using certbot or manually from the command line, as mentioned above, but Certy should provide an easier solution.

jlbrown

@Ben, Certy looks good, but we use Cloudflare for DNS, so I don't think it will work for us.

@mark Thanks - I'll give it a go. Why do you have to 'update the links every time' - something to do with being hard links not soft links?

Snoopy28

Hi

I have the same problem with LE

did you solve your problem please?

I created link in /Users/MaBiche/SecuritySpy

sudo ln -s /etc/letsencrypt/archive/site.org/cert.pem server.crt

sudo ln -s /etc/letsencrypt/archive/site.org/fullchain.pem fullchain.pem

sudo ln -s /etc/letsencrypt/archive/site.org/privkey.pem server.key

sudo chown -h MaBiche:staff server.crt

sudo chown -h MaBiche:staff fullchain.pem

sudo chown -h MaBiche:staff server.key

it doesn't work

An idea please

Thanks by advance

Best regards

Snoopy28

Hi

I am making progress in solving the problem.

I saw differents topics

I tried everything, renaming all files to crt, server.crt, etc....

"Once the order has been approved, the certificate authority will provide you with your certificate, along with some other files such as intermediate certificates. Copy these files to your SecuritySpy folder, then do the following:

• For any files with the file extension cer, der or pem, change the extension to crt
• Locate the actual server certificate file and rename it server.crt
• Quit and reopen SecuritySpy.

SecuritySpy will first look for the main server.crt certificate file to identify your server. Then it will look for a ca-bundle file containing intermediate certificates, and finally if no ca-bundle file is found, it will use all other crt files it finds in order to construct the certificate chain."

Now i have copied the file in /Users/MaBiche/SecuritySpy

sudo cp /etc/letsencrypt/live/site.org/cert.pem server.crt

sudo cp /etc/letsencrypt/live/site.org/fullchain.pem fullchain.pem

sudo cp /etc/letsencrypt/live/site.org/chain.pem chain.pem

sudo cp /etc/letsencrypt/live/site.org/privkey.pem server.key

sudo chown -h MaBiche:staff server.crt

sudo chown -h MaBiche:staff chain.pem

sudo chown -h MaBiche:staff fullchain.pem

sudo chown -h MaBiche:staff server.key

I've restarted SecuritySpy and i have an PR_END_OF_FILE_ERROR

Thanks by advance for you response

guykuo

Struggled with this myself a few times, but never got success using my Let's Encrypt certificate files.

I copy the newest, unexpired, actual certificate files from letsencrypt/archive. I am using the ACTUAL certificate files rather than reference via links. I rename to their base names by removing the number letsencrypt appends to end of file name. Incidentally, these very same certificate files are working fine in another web server here.

That gets me four files....

cert.pem

chain.pem

fullchain.pem

privkey.pem

I rename privkey.pem ---> server.key

I rename cert.pem --> server.crt

I rename chain.pem --> chain.crt

I rename fullchain.pem --> fullchain.crt

I did NOT do the sudo chown commands seen earlier in this thread.

Copy those four files into the SecuritySpy folder (with SS not running), Then relaunch SecuritySpy.

Web browsers immediately disconnect if I attempt to connect.

SS Log shows....

Error setting up SSL for secure web access. Failed to set up SSL. Unknown certificate or key format. 6.6,170,-25257

Snoopy28

I use sudo command, because some files haven't the good right

It's possible to change that with the chmod command

But, without the command sudo and if i copy the file in the archive forder to the security spy folder, i have the same problem, with the name server.key and other with crt extension

i don't know why

guykuo

I tried doing the chown to set file permissions. Nope, that didn't fix the problem.

Seems to be a format issue between the files that LetsEncrypt issues and what SS expects.

LetsEncrypt issues certificate files in "printable" text with hexadecimal data.

Maybe SS only accepts binary certificate files?

Snoopy28

Perhaps...

In the logs, i have this message

Error setting up SSL for secure web access. Failed to set up SSL. Unknown certificate or key format. 6.6,170,-25257

Ben

SecuritySpy accepts both .cer/.crt and .pem - this covers most certificates that will be created by such scripts, so I'm not sure what could be going wrong here. If you email us your certificates we'll check them to see if they are in a format that SecuritySpy can understand. If you can also send the key that will be very helpful as we can check the format of this too, and make sure it matches the certificate - I promise that we'll delete this as soon as we have finished looking at it.

Ben

Thanks @Snoopy28 for sending your key/cert files. It seems that the problem is the key type. SecuritySpy accepts RSA keys, but this is a ECDSA key, and this is the reason why it isn't being accepted.

If you are using certbot, you can ask it to create an RSA key by adding the --key-type rsa switch.

If you are using a different method to create the key, consult its documentation to find out how to get it to create an RSA key.

By the way, if you have both "fullchain.pem" and "chain.pem" then you don't need to include the latter, as it's already included in the former.

We'll update our documentation with these subtle points.

guykuo

Thanks, Ben. That is also the problem I'm running into as well.

Looking at my certificate from certbot, it is indeed "Elliptic Curve Public Key"

Apparently Let's Encrypt and certbot switched to issuing ECDSA keys by default in 2022 since they believed there was widespread enough support for ECDSA. Since, my main server app and web browsers didn't have a problem with the ECDSA format, I never realized there had been a change (or more accurately, I never knew there was even a different format certificate.)

I'll have to consider whether getting SecuritySpy under the same certificate is worth the efficiency hit of RSA vs ECDSA.

Snoopy28

This is a big dilemma

However I tried with the RSA key to make SecuritySpy and my apache server coexist, and it does not work.

I sent you a message

Thanks in advance for your help

Ben

Hi @Snoopy28 I've tested the key/cert files you sent me and they work - please see my messages, hopefully this will help you!

Snoopy28

in resume

you must have an RSA key

you can change an ECDSA key generated with letsencrypt to an RSA key with the command "certbot --key-type rsa"

and copy the file in the Security folder

sudo cp /etc/letsencrypt/live/site.org/fullchain.pem /Users/MaBiche/SecuritySpy/.

sudo cp /etc/letsencrypt/live/site.org/privkey.pem /Users/MaBiche/SecuritySpy/server.key

sudo cp /etc/letsencrypt/live/site.org/cert.pem /Users/MaBiche/SecuritySpy/server.crt

sudo chown -h MaBiche:staff /Users/MaBiche/SecuritySpy/fullchain.pem

sudo chown -h MaBiche:staff /Users/MaBiche/SecuritySpy/server*

sudo chmod 644 /Users/Snoopy/SecuritySpy/server.key

thanks for all

guykuo

Although the ideal situation would be SecuritySpy's sockets being able to handle either RSA or ECDSA certificates, I've gone ahead and changed one certificate from ECDSA to RSA using terminal command....

sudo certbot --key-type rsa

LetsEncrypt / certbot then asks for the domain for which a certificate is requested. Then it detects an ECDSA certficate already exists and verifies whether you actually intended to change the type. Once you confirm, a new RSA certificate is created and downloaded to Mac as usual four certificate files in the letsencrypt/archive.

Since, I don't use Apache as my web server, but rather our in-house Cosalient server stack, I ignored all the warnings about failing to install the certificate in Apache. Did my usual work installing the certificates in Cosalient app and that worked without a problem. (Underlying sockets in Cosalient automatically handle either RSA or ECDSA certificates)

To prep the certificates files for SecuritySpy, I copied the three needed files to an intermediate folder using Finder. Then renamed them as...

cert10.pem ----> server.crt

fullchain10.pem ----> chain.crt

privkey10.pem ----> server.key

Those renamed certificate files were then copied over to my SecuritySpy machine.

Quit SecuritySpy and copied the three certificate files into the SecuritySpy folder and relaunched.

This works, but would be neater if both RSA and ECDSA certificates worked in SS.

Ben

Great to hear you've both got this working.

We'll take a look at ECDSA support in the future, but I can't promise if/when this will happen, since most users don't need to supply their own certificates. I agree it would be neater if we can support both.