[ LEgo ] [ 3.1.0 ] Let's Encrypt client and ACME library

QNAP_Stephane
Experience counts
Posts: 3288
Joined: Wed Mar 27, 2013 1:00 am

[ LEgo ] [ 3.1.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane » Wed May 24, 2017 12:01 am


Source: https://github.com/xenolf/lego

Download: https://www.qnapclub.eu/fr/qpkg/456

Note: installs the lego command line tool in the NAS $PATH as a symlink.

Features:
  Register with CA
  Obtain certificates, both from scratch or with an existing CSR
  Renew certificates
  Revoke certificates
  Robust implementation of all ACME challenges
    HTTP (http-01)
    DNS (dns-01)
    TLS (tls-alpn-01)
  SAN certificate support
  Comes with multiple optional DNS providers
  Custom challenge solvers
  Certificate bundling
  OCSP helper function
Please keep in mind that CLI switches and APIs are still subject to change.

When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.

Usage

Code:

NAME:
lego - Let's Encrypt client written in Go

USAGE:
lego [global options] command [command options] [arguments...]

COMMANDS:
run Register an account, then create and install a certificate
revoke Revoke a certificate
renew Renew a certificate
dnshelp Shows additional help for the --dns global option
list Display certificates and accounts information.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--domains value, -d value Add a domain to the process. Can be specified multiple times.
--server value, -s value CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v02.api.letsencrypt.org/directory")
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email value, -m value Email used for registration and recovery contact.
--csr value, -c value Certificate signing request filename, if an external CSR is to be used.
--eab Use External Account Binding for account registration. Requires --kid and --hmac.
--kid value Key identifier from External CA. Used for External Account Binding.
--hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384. (default: "rsa2048")
--filename value (deprecated) Filename of the generated certificate.
--path value Directory to use for storing the data. (default: "./.lego")
--http Use the HTTP challenge to solve challenges. Can be mixed with other types of challenges.
--http.port value Set the port and interface to use for HTTP based challenges to listen on.Supported: interface:port or :port. (default: ":80")
--http.webroot value Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge.
--http.memcached-host value Set the memcached host(s) to use for HTTP based challenges. Challenges will be written to all specified hosts.
--tls Use the TLS challenge to solve challenges. Can be mixed with other types of challenges.
--tls.port value Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--dns value Solve a DNS challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns.disable-cp By setting this flag to true, disables the need to wait the propagation of the TXT record to all authoritative name servers.
--dns.resolvers value Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0)
--dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10)
--pem Generate a .pem file by concatenating the .key and .crt files together.
--cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--help, -h show help
--version, -v print the version
Last edited by QNAP_Stephane on Fri Oct 18, 2019 11:59 pm, edited 6 times in total.
--------------------------------------------------------------------------
QnapClub AppCenter - https://www.qnapclub.eu
--------------------------------------------------------------------------

deejayexe
Starting out
Posts: 27
Joined: Tue Apr 29, 2014 10:19 pm

Re: [ LEgo ] [ 0.3.1 ] Let's Encrypt client and ACME library written in Go

Post by deejayexe » Wed May 24, 2017 3:55 am

Thanks QNAP_Stephane, always collaborating with us. I'm going to try it.

Sent from my MI Mix using Tapatalk

QNAP_Stephane
Experience counts
Posts: 3288
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane » Sun Feb 10, 2019 2:24 am

Updated.

goodelyfe
Know my way around
Posts: 121
Joined: Tue Jul 01, 2014 5:50 pm

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by goodelyfe » Tue Apr 16, 2019 6:57 am

Code:

[~] # lego --email="myemailhere@provider.com" --domains="*.mydomain.here.tv" --dns="route53" run

2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: Obtaining bundled SAN certificate
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/[redacted]
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: use dns-01 solver
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: Preparing to solve DNS-01
2019/04/15 18:49:29 [INFO] [*.mydomain.here.tv] acme: Cleaning DNS-01 challenge
2019/04/15 18:49:50 [WARN] [*.mydomain.here.tv] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
2019/04/15 18:49:50 Could not obtain certificates:
        acme: Error -> One or more domains had a problem:
[*.mydomain.here.tv] [*.mydomain.here.tv] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Am I doing something wrong? Is it the wildcard?

Help please.

QNAP_Stephane
Experience counts
Posts: 3288
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane » Wed Apr 17, 2019 2:35 pm

Better post in a GitHub issue; check the top of the topic.

ukez
Know my way around
Posts: 210
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez » Mon May 06, 2019 6:30 pm

Is this Lego still working on older machines? TS239 Pro II+?

I've just installed it but nothing happens when I select the open option on the app.
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.

QNAP_Stephane
Experience counts
Posts: 3288
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane » Mon May 06, 2019 8:15 pm

It is an SSH command line tool; there is no web UI to manage it.

ukez
Know my way around
Posts: 210
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez » Mon Jul 08, 2019 2:09 am

Any idiot's guide to setting it up?

ukez
Know my way around
Posts: 210
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez » Mon Jul 08, 2019 2:10 am

Or are there any other versions that work on an older QNAP? I want to use Let's Encrypt on an old TS239 Pro II+.

yanuk
Know my way around
Posts: 101
Joined: Mon Feb 08, 2016 9:45 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by yanuk » Sun Jul 21, 2019 4:48 pm

Here's how I used it.

I'm using Qapache; if you're using the default Apache, the only difference should be the port number and webroot. Qapache uses port 88 and the folder "/share/htdocs".

First make sure your webroot is working by testing with the local server (192.168.1.123:88) and the non-SSL external address (http://my.ext.add).
Lego requires a port to bind to; 88 and 80 are both used, so I randomly chose port 1234 (I didn't forward port 1234 from my router to NAS port 88, but if validation fails, you might want to try this).
Then I ran the following:

Code:

lego --http.port "1234" -a  --http.webroot "/share/htdocs"  --email="my@email.com" --domains="my.ext.add" --http run
The certs will be found inside <current directory>/.lego.

Depending on where you run the command, a new folder .lego will be created in the current directory where you ran the command. So after running the above command just run

Code:

cd .lego
and you'll see the certs in the folders. Rename and move the certs as required.

If you forgot where the files went, use

Code:

lego list
TS451
TS453

yanuk
Know my way around
Posts: 101
Joined: Mon Feb 08, 2016 9:45 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by yanuk » Mon Jul 22, 2019 11:27 am

Additional information: if you are creating the SSL files for access to the QNAP UI, you can easily replace the internal SSL files with the following commands.
Back up the original pem file just in case (I don't usually do this):

Code:

# ~ must sit outside the double quotes, otherwise the shell does not expand it
cp /etc/stunnel/stunnel.pem ~/"stunnel.pem.bak.$(date +"%d%m%y%H%M%S")"
Change ~ to whichever backup dir you want to use.

Assuming you are in the .lego/certificates directory where you see your .crt and .key files:

Code:

cat my.domain.com.crt my.domain.com.key > /etc/stunnel/stunnel.pem
/etc/init.d/Qthttpd.sh restart
/etc/init.d/stunnel.sh restart
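Added example, not code from the thread or from the lego project: a POSIX sh script that does what yanuk's two commands above do (dated backup, then cert and key concatenated into stunnel.pem and the services restarted), but refuses to overwrite stunnel.pem when either input is missing its PEM block and keeps the resulting file readable by root only. The LEGO_DIR, STUNNEL_PEM and BACKUP_DIR defaults are assumptions; the init script names come from yanuk's post.

```shell
#!/bin/sh
# Added example, not code from the thread: installs a lego-issued certificate
# into QNAP's stunnel.pem the way yanuk describes, with a dated backup and a
# sanity check that both the cert and the key are really present.
# LEGO_DIR, STUNNEL_PEM and BACKUP_DIR are assumptions; override them via env.
LEGO_DIR="${LEGO_DIR:-$HOME/.lego/certificates}"
STUNNEL_PEM="${STUNNEL_PEM:-/etc/stunnel/stunnel.pem}"
BACKUP_DIR="${BACKUP_DIR:-$HOME}"

# backup_pem FILE DIR: copy FILE to DIR with a timestamp suffix and print the
# backup path. $HOME is expanded outside the quotes; a literal "~/..." inside
# double quotes would create a directory called ~ instead.
backup_pem() {
    [ -f "$1" ] || return 0                 # nothing to back up yet
    dest="$2/$(basename "$1").bak.$(date +%d%m%y%H%M%S)"
    cp "$1" "$dest" && printf '%s\n' "$dest"
}

# build_pem CRT KEY OUT: concatenate cert and key into one PEM, refusing to
# touch OUT if either input lacks its PEM block (an empty .key or a .crt that
# is really an error page would otherwise leave stunnel unable to start).
build_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "build_pem: no certificate in $1" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" ||
        { echo "build_pem: no private key in $2" >&2; return 1; }
    tmp="$3.tmp.$$"
    # write to a temp file, lock it down, then replace OUT atomically
    cat "$1" "$2" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$3"
}

# install_cert DOMAIN: back up, build, then restart the QTS web services
# (restart is skipped where the init scripts do not exist, e.g. off the NAS).
install_cert() {
    backup_pem "$STUNNEL_PEM" "$BACKUP_DIR" >/dev/null || return 1
    build_pem "$LEGO_DIR/$1.crt" "$LEGO_DIR/$1.key" "$STUNNEL_PEM" || return 1
    for svc in Qthttpd stunnel; do
        if [ -x "/etc/init.d/$svc.sh" ]; then "/etc/init.d/$svc.sh" restart; fi
    done
}

if [ $# -gt 0 ]; then install_cert "$1"; fi   # usage: ./install_cert.sh my.domain.com
```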

Toxic17
Ask me anything
Posts: 5230
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by Toxic17 » Wed Jul 31, 2019 9:09 pm

Stephane, do you have any plans to upgrade to 2.7.x?
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.4.1.1086 • TVS-463-16GB 4.4.1.1086 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1051 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 v2441.7310 • QSonarr 3.0.3.645 • QNBZGet 21.0 • phpMyAdmin 4.9.0.1 • Qmono 5.20.1.19 • McAfee 3.0.1 • Lychee 3.2.16 • HBS 3.0.191016 • LEgo v3.1.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

QNAP_Stephane
Experience counts
Posts: 3288
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane » Wed Aug 07, 2019 7:16 pm

updated to 2.7.2

Toxic17
Ask me anything
Posts: 5230
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by Toxic17 » Sat Aug 10, 2019 2:38 pm

QNAP_Stephane wrote (Wed Aug 07, 2019 7:16 pm):
    updated to 2.7.2

lol, your hard work is much appreciated; however, v3.0.0 was just released (2019-08-05). It's a never-ending cycle :)

Toxic17
Ask me anything
Posts: 5230
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by Toxic17 » Sat Aug 10, 2019 5:11 pm

I managed to get mine working by using this command:

Code:

lego --http --http.webroot "/share/htdocs/weather/" --email="email@address.com" --domains="domain.com" --domains="www.domain.com" run
Once the certs have been created you only need to renew every 90 days.

Code:

lego --http --http.webroot "/share/htdocs/weather/" --email="email@address.com" --domains="domain.com" --domains="www.domain.com"  renew --days 90
You can install the certs anywhere using:

--path value Directory to use for storing the data. (default: "/root/.lego")

If the keys default to being saved in the /root/.lego folder, is this removed on a firmware update or not? Might need to add the path value to put it elsewhere.

Once you have the certs created, add a script to be used by cron to renew the certs every 3 months.

Since I am using Apache73 (newer Qapache) I stop Apache, renew the cert, then start Apache again.

Crontab entry:

Code:

30 0 1 1/3 * /path to/script/renewcert.sh
This runs at 00:30 on the 1st day of Jan/Apr/July/Oct.

renewcert.sh script:

Code:

#!/bin/bash

# stop if the cd fails, otherwise lego would create a fresh .lego (and a new account) elsewhere
cd "/to_your_root_folder_where_.lego_ is" || exit 1
# stop Apache so port 80 is free for the HTTP challenge
/opt/Apache73/bin/httpd -f /opt/Apache73/etc/httpd.conf -k stop
lego  --email="email@address.com" --domains="domain.com" --domains="www.domain.com" -a --http  renew --days 90
# start Apache again whether or not the renewal succeeded
/opt/Apache73/bin/httpd -f /opt/Apache73/etc/httpd.conf -k start
