SecuritySpy and Let's Encrypt - autoload new certificates
I'd like to use our domain name in our HTTPS certificate, so unfortunately that means I can't use SecuritySpy's built-in Let's Encrypt support.
- Would you consider adding the ability to use LE to get certs for a user's domain?
- I can download certbot using Homebrew and get certs for my domain that way. When the cert gets auto renewed - is there a way to get SS to reload the web server with the new ones? Eg using certbot's '--renew-hook' option.
Thanks, James.
Comments
-
You can do this by creating links to the LE certs. e.g. running as sudo something like…
define the vars as necessary…
cd "/opt/local/etc/letsencrypt/live/$theCertName"
/bin/ln -f "fullchain.pem" "$theSecuritySpyFolderPath""fullchain.pem"
/bin/ln -f "privkey.pem" "$theSecuritySpyFolderPath""server.key"
/bin/ln -f "cert.pem" "$theSecuritySpyFolderPath""server.crt"
cd "$theSecuritySpyFolderPath"
/usr/sbin/chown -h "$theUser":staff fullchain.pem
/usr/sbin/chown -h "$theUser":staff server.key
/usr/sbin/chown -h "$theUser":staff server.crt
I don't use certbot hooks but run from another script. You need to update the links every time you renew the certs and then restart SS. I do this and it seems to work fine.
Hope this is of use.
-
Hi
I have the same problem with LE
did you solve your problem please?
I created links in /Users/MaBiche/SecuritySpy
sudo ln -s /etc/letsencrypt/archive/site.org/cert.pem server.crt
sudo ln -s /etc/letsencrypt/archive/site.org/fullchain.pem fullchain.pem
sudo ln -s /etc/letsencrypt/archive/site.org/privkey.pem server.key
sudo chown -h MaBiche:staff server.crt
sudo chown -h MaBiche:staff fullchain.pem
sudo chown -h MaBiche:staff server.key
it doesn't work
An idea please
Thanks in advance
Best regards
-
Hi
I am making progress in solving the problem.
I saw different topics
I tried everything, renaming all files to crt, server.crt, etc....
"Once the order has been approved, the certificate authority will provide you with your certificate, along with some other files such as intermediate certificates. Copy these files to your SecuritySpy folder, then do the following:
- For any files with the file extension cer, der or pem, change the extension to crt
- Locate the actual server certificate file and rename it server.crt
- Quit and reopen SecuritySpy.
SecuritySpy will first look for the main server.crt certificate file to identify your server. Then it will look for a ca-bundle file containing intermediate certificates, and finally if no ca-bundle file is found, it will use all other crt files it finds in order to construct the certificate chain."
Now I have copied the files into /Users/MaBiche/SecuritySpy
sudo cp /etc/letsencrypt/live/site.org/cert.pem server.crt
sudo cp /etc/letsencrypt/live/site.org/fullchain.pem fullchain.pem
sudo cp /etc/letsencrypt/live/site.org/chain.pem chain.pem
sudo cp /etc/letsencrypt/live/site.org/privkey.pem server.key
sudo chown -h MaBiche:staff server.crt
sudo chown -h MaBiche:staff chain.pem
sudo chown -h MaBiche:staff fullchain.pem
sudo chown -h MaBiche:staff server.key
I've restarted SecuritySpy and I have a PR_END_OF_FILE_ERROR
Thanks in advance for your response
-
Struggled with this myself a few times, but never succeeded using my Let's Encrypt certificate files.
I copy the newest, unexpired, actual certificate files from letsencrypt/archive. I am using the ACTUAL certificate files rather than reference via links. I rename to their base names by removing the number letsencrypt appends to end of file name. Incidentally, these very same certificate files are working fine in another web server here.
That gets me four files....
cert.pem
chain.pem
fullchain.pem
privkey.pem
I rename privkey.pem ---> server.key
I rename cert.pem --> server.crt
I rename chain.pem --> chain.crt
I rename fullchain.pem --> fullchain.crt
I did NOT do the sudo chown commands seen earlier in this thread.
Copy those four files into the SecuritySpy folder (with SS not running), then relaunch SecuritySpy.
Web browsers immediately disconnect if I attempt to connect.
SS Log shows....
Error setting up SSL for secure web access. Failed to set up SSL. Unknown certificate or key format. 6.6,170,-25257
-
I use the sudo command, because some files don't have the right permissions
It's possible to change that with the chmod command
But without sudo, if I copy the files from the archive folder to the SecuritySpy folder, I have the same problem, with the name server.key and the others with the crt extension
I don't know why
-
I tried doing the chown to set file permissions. Nope, that didn't fix the problem.
Seems to be a format issue between the files that LetsEncrypt issues and what SS expects.
LetsEncrypt issues certificate files in "printable" text with hexadecimal data.
Maybe SS only accepts binary certificate files?
-
Perhaps...
In the logs, I have this message
Error setting up SSL for secure web access. Failed to set up SSL. Unknown certificate or key format. 6.6,170,-25257
-
SecuritySpy accepts both .cer/.crt and .pem - this covers most certificates that will be created by such scripts, so I'm not sure what could be going wrong here. If you email us your certificates we'll check them to see if they are in a format that SecuritySpy can understand. If you can also send the key that will be very helpful as we can check the format of this too, and make sure it matches the certificate - I promise that we'll delete this as soon as we have finished looking at it.
-
Thanks @Snoopy28 for sending your key/cert files. It seems that the problem is the key type. SecuritySpy accepts RSA keys, but this is an ECDSA key, and this is the reason why it isn't being accepted.
If you are using certbot, you can ask it to create an RSA key by adding the --key-type rsa switch.
If you are using a different method to create the key, consult its documentation to find out how to get it to create an RSA key.
By the way, if you have both "fullchain.pem" and "chain.pem" then you don't need to include the latter, as it's already included in the former.
We'll update our documentation with these subtle points.
-
Thanks, Ben. That is also the problem I'm running into as well.
Looking at my certificate from certbot, it is indeed "Elliptic Curve Public Key"
Apparently Let's Encrypt and certbot switched to issuing ECDSA keys by default in 2022 since they believed there was widespread enough support for ECDSA. Since my main server app and web browsers didn't have a problem with the ECDSA format, I never realized there had been a change (or more accurately, I never knew there was even a different format certificate.)
I'll have to consider whether getting SecuritySpy under the same certificate is worth the efficiency hit of RSA vs ECDSA.
-
This is a big dilemma
However I tried with the RSA key to make SecuritySpy and my apache server coexist, and it does not work.
I sent you a message
Thanks in advance for your help
-
In summary:
you must have an RSA key
you can change an ECDSA key generated with letsencrypt to an RSA key with the command "certbot --key-type rsa"
and copy the files into the SecuritySpy folder
sudo cp /etc/letsencrypt/live/site.org/fullchain.pem /Users/MaBiche/SecuritySpy/.
sudo cp /etc/letsencrypt/live/site.org/privkey.pem /Users/MaBiche/SecuritySpy/server.key
sudo cp /etc/letsencrypt/live/site.org/cert.pem /Users/MaBiche/SecuritySpy/server.crt
sudo chown -h MaBiche:staff /Users/MaBiche/SecuritySpy/fullchain.pem
sudo chown -h MaBiche:staff /Users/MaBiche/SecuritySpy/server*
sudo chmod 644 /Users/Snoopy/SecuritySpy/server.key
thanks for all
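The renew-hook question at the top of the thread and the copy/rename summary just above can be combined into one certbot deploy hook. The script below is an added example, not code from this thread or from the SecuritySpy vendor: it checks that the renewed key is RSA before touching anything (an ECDSA key is the cause of the "Unknown certificate or key format" error seen earlier), copies the live files under the names SecuritySpy looks for, fixes ownership and permissions, and restarts SecuritySpy. The folder /Users/MaBiche/SecuritySpy, the account name, the SS_FOLDER/SS_USER variables, the key-type heuristics and the osascript/open restart are all assumptions to adapt; RENEWED_LINEAGE is the variable certbot sets for its deploy hooks.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SecuritySpy vendor.
# Intended use (assumption): certbot renew --deploy-hook /usr/local/bin/ss-deploy.sh
# certbot runs the hook as root after a successful renewal with RENEWED_LINEAGE
# set to /etc/letsencrypt/live/<domain>.
set -eu

SS_FOLDER="${SS_FOLDER:-/Users/MaBiche/SecuritySpy}"   # assumption: SecuritySpy's folder
SS_USER="${SS_USER:-MaBiche}"                           # assumption: the account SecuritySpy runs as

# Print the algorithm of a PEM private key: RSA, EC or UNKNOWN.
# Traditional headers name the algorithm; certbot writes PKCS#8 ("BEGIN PRIVATE KEY"),
# which hides it inside the ASN.1 body, so that case is decided by openssl.
key_type() {
    key="$1"
    if grep -q 'BEGIN RSA PRIVATE KEY' "$key"; then echo RSA; return 0; fi
    if grep -q 'BEGIN EC PRIVATE KEY' "$key"; then echo EC; return 0; fi
    if command -v openssl >/dev/null 2>&1; then
        text=$(openssl pkey -in "$key" -noout -text 2>/dev/null || true)
        case "$text" in
            *publicExponent*)            echo RSA; return 0 ;;
            *"ASN1 OID"*|*"NIST CURVE"*) echo EC;  return 0 ;;
        esac
    fi
    echo UNKNOWN
}

# Stage cert.pem/fullchain.pem/privkey.pem from a certbot live directory ($1)
# into $2 under the names SecuritySpy looks for. Refuses anything but an RSA key,
# because SecuritySpy rejects ECDSA keys with "Unknown certificate or key format".
# $3 is the owner passed to chown; an empty value skips chown (for non-root use).
install_cert() {
    live="$1"; dest="$2"; owner="$3"
    if [ "$(key_type "$live/privkey.pem")" != RSA ]; then
        echo "refusing: $live/privkey.pem is not an RSA key; re-issue with certbot --key-type rsa" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp -f "$live/cert.pem"      "$dest/server.crt"      # leaf certificate
    cp -f "$live/fullchain.pem" "$dest/fullchain.pem"   # leaf + intermediates; chain.pem is redundant
    cp -f "$live/privkey.pem"   "$dest/server.key"
    if [ -n "$owner" ]; then
        chown "$owner" "$dest/server.crt" "$dest/fullchain.pem" "$dest/server.key"
    fi
    chmod 644 "$dest/server.crt" "$dest/fullchain.pem"
    chmod 600 "$dest/server.key"   # only the SecuritySpy user needs to read the key
}

# Quit and relaunch SecuritySpy in the console user's session (assumption:
# SS_USER is logged in at the GUI, and certbot runs this hook as root).
restart_securityspy() {
    sudo -u "$SS_USER" osascript -e 'tell application "SecuritySpy" to quit' || true
    sleep 5
    sudo -u "$SS_USER" open -a SecuritySpy
}

# Only act when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$SS_FOLDER" "$SS_USER:staff"
    restart_securityspy
fi
```

The key file gets mode 600 rather than the 644 shown above: SecuritySpy runs as the owning user, so nobody else on the machine needs to read the private key. Copying (rather than symlinking into /etc/letsencrypt/archive) also avoids SecuritySpy depending on read access to a root-owned directory, and the hook fails loudly instead of staging a key SecuritySpy will reject.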
-
Although the ideal situation would be SecuritySpy's sockets being able to handle either RSA or ECDSA certificates, I've gone ahead and changed one certificate from ECDSA to RSA using terminal command....
sudo certbot --key-type rsa
LetsEncrypt / certbot then asks for the domain for which a certificate is requested. Then it detects an ECDSA certificate already exists and verifies whether you actually intended to change the type. Once you confirm, a new RSA certificate is created and downloaded to the Mac as the usual four certificate files in the letsencrypt/archive.
Since I don't use Apache as my web server, but rather our in-house Cosalient server stack, I ignored all the warnings about failing to install the certificate in Apache. Did my usual work installing the certificates in the Cosalient app and that worked without a problem. (Underlying sockets in Cosalient automatically handle either RSA or ECDSA certificates)
To prep the certificates files for SecuritySpy, I copied the three needed files to an intermediate folder using Finder. Then renamed them as...
cert10.pem ----> server.crt
fullchain10.pem ----> chain.crt
privkey10.pem ----> server.key
Those renamed certificate files were then copied over to my SecuritySpy machine.
Quit SecuritySpy, copied the three certificate files into the SecuritySpy folder and relaunched.
This works, but would be neater if both RSA and ECDSA certificates worked in SS.
-
Great to hear you've both got this working.
We'll take a look at ECDSA support in the future, but I can't promise if/when this will happen, since most users don't need to supply their own certificates. I agree it would be neater if we can support both.
