[ LEgo ] [ 4.12.1.0 ] Let's Encrypt client and ACME library.5.2

QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

[ LEgo ] [ 4.12.1.0 ] Let's Encrypt client and ACME library.5.2

Post by QNAP_Stephane »

source : https://github.com/go-acme/lego

download :

https://www.myqnap.org/product/lego-let ... d-library/

documentation :

https://go-acme.github.io/lego/

Note :

installs the lego command line in the NAS $PATH as a symlink

Feature

ACME v2 RFC 8555
Register with CA
Obtain certificates, both from scratch or with an existing CSR
Renew certificates
Revoke certificates
Robust implementation of all ACME challenges
HTTP (http-01)
DNS (dns-01)
TLS (tls-alpn-01)
SAN certificate support
Comes with multiple optional DNS providers
Custom challenge solvers
Certificate bundling
OCSP helper function
USAGE CLI : https://go-acme.github.io/lego/usage/cli/
Please keep in mind that CLI switches and APIs are still subject to change.

When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.

Usage

Code:

NAME:
lego - Let's Encrypt client written in Go

USAGE:
lego [global options] command [command options] [arguments...]

COMMANDS:
run Register an account, then create and install a certificate
revoke Revoke a certificate
renew Renew a certificate
dnshelp Shows additional help for the --dns global option
list Display certificates and accounts information.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--domains value, -d value Add a domain to the process. Can be specified multiple times.
--server value, -s value CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v02.api.letsencrypt.org/directory")
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email value, -m value Email used for registration and recovery contact.
--csr value, -c value Certificate signing request filename, if an external CSR is to be used.
--eab Use External Account Binding for account registration. Requires --kid and --hmac.
--kid value Key identifier from External CA. Used for External Account Binding.
--hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384. (default: "rsa2048")
--filename value (deprecated) Filename of the generated certificate.
--path value Directory to use for storing the data. (default: "./.lego")
--http Use the HTTP challenge to solve challenges. Can be mixed with other types of challenges.
--http.port value Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.webroot value Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge.
--http.memcached-host value Set the memcached host(s) to use for HTTP based challenges. Challenges will be written to all specified hosts.
--tls Use the TLS challenge to solve challenges. Can be mixed with other types of challenges.
--tls.port value Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--dns value Solve a DNS challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns.disable-cp By setting this flag to true, disables the need to wait for the propagation of the TXT record to all authoritative name servers.
--dns.resolvers value Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0)
--dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10)
--pem Generate a .pem file by concatenating the .key and .crt files together.
--cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--help, -h show help
--version, -v print the version
Last edited by QNAP_Stephane on Sat Nov 26, 2022 6:55 pm, edited 15 times in total.
---------------------------------------------------------------------------------------------------------------------------

Find all QPKG in the MyQnap.org repository https://www.myqnap.org
join our discord server for any inquiry related to qpkg - https://discord.gg/4fPxHSWKQW

----------------------------------------------------------------------------------------------------------------------------
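The challenge types listed above (http-01, dns-01, tls-alpn-01) all derive from one value, the key authorization. The following is an added example in plain Go standard library, not lego's own code, showing what a client computes for each: the RFC 7638 thumbprint of the account key, the key authorization `token.thumbprint`, the dns-01 TXT value and the tls-alpn-01 digest, plus the token check a client should do before a CA-supplied token is used in a file name. The JWK members and the token are constructed values (the thumbprint only hashes canonical JSON, so no real key is needed).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
)

// b64url is the unpadded base64url encoding ACME uses for every binary value.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// thumbprintInput builds the RFC 7638 canonical form of a JWK: only the required
// members for the key type, lexicographically ordered, no whitespace. Optional
// members such as "alg" or "kid" must be left out or the thumbprint changes.
func thumbprintInput(jwk map[string]string) (string, error) {
	var members []string
	switch jwk["kty"] {
	case "RSA":
		members = []string{"e", "kty", "n"}
	case "EC":
		members = []string{"crv", "kty", "x", "y"}
	default:
		return "", fmt.Errorf("unsupported kty %q", jwk["kty"])
	}
	required := make(map[string]string, len(members))
	for _, m := range members {
		v, ok := jwk[m]
		if !ok || v == "" {
			return "", fmt.Errorf("jwk missing required member %q", m)
		}
		required[m] = v
	}
	// encoding/json sorts map keys, which is exactly the ordering RFC 7638 requires.
	out, err := json.Marshal(required)
	return string(out), err
}

// thumbprint is base64url(SHA-256(canonical JWK)): the account identifier that
// ties every challenge response to the account key (RFC 7638).
func thumbprint(jwk map[string]string) (string, error) {
	in, err := thumbprintInput(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(in))
	return b64url(sum[:]), nil
}

// Tokens come from the CA and end up in file names and URLs, so a client must
// reject anything outside the base64url alphabet before using one (RFC 8555 §8.3).
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// keyAuthorization is token || "." || thumbprint (RFC 8555 §8.1).
func keyAuthorization(token string, jwk map[string]string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", fmt.Errorf("token %q is not base64url", token)
	}
	tp, err := thumbprint(jwk)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// http01Body is served verbatim at /.well-known/acme-challenge/<token> (§8.3).
func http01Body(keyAuth string) string { return keyAuth }

// dns01TXT is the value of the _acme-challenge TXT record: base64url(SHA-256(keyAuth)) (§8.4).
func dns01TXT(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64url(sum[:])
}

// tlsALPN01Digest is the raw SHA-256 placed in the acmeIdentifier extension of
// the self-signed certificate offered on the "acme-tls/1" ALPN (RFC 8737 §3).
func tlsALPN01Digest(keyAuth string) [32]byte { return sha256.Sum256([]byte(keyAuth)) }

func main() {
	// Constructed account key: syntactically valid base64url members, not a real
	// key. The thumbprint only hashes the canonical JSON, so that is enough here.
	jwk := map[string]string{"kty": "RSA", "e": "AQAB", "alg": "RS256",
		"n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z"}
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed; the CA issues one per challenge
	ka, err := keyAuthorization(token, jwk)
	if err != nil {
		panic(err)
	}
	fmt.Println("http-01 body:", http01Body(ka))
	fmt.Println("dns-01 TXT  :", dns01TXT(ka))
	fmt.Printf("tls-alpn-01 : %x\n", tlsALPN01Digest(ka))
}
```

The same account key therefore yields the same thumbprint for every challenge; only the token differs per authorization, which is why a leaked `.lego/accounts` directory lets someone answer challenges for any of that account's pending orders.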
deejayexe
Starting out
Posts: 30
Joined: Tue Apr 29, 2014 10:19 pm

Re: [ LEgo ] [ 0.3.1 ] Let's Encrypt client and ACME library written in Go

Post by deejayexe »

Thanks Qnap_Stephane
Always collaborating with us. I'm going to try it

Sent from my MI Mix using Tapatalk
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane »

updated
goodelyfe
Know my way around
Posts: 122
Joined: Tue Jul 01, 2014 5:50 pm

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by goodelyfe »

Code:

[~] # lego --email="myemailhere@provider.com" --domains="*.mydomain.here.tv" --dns="route53" run

2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: Obtaining bundled SAN certificate
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/[redacted]
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: use dns-01 solver
2019/04/15 18:49:07 [INFO] [*.mydomain.here.tv] acme: Preparing to solve DNS-01
2019/04/15 18:49:29 [INFO] [*.mydomain.here.tv] acme: Cleaning DNS-01 challenge
2019/04/15 18:49:50 [WARN] [*.mydomain.here.tv] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
2019/04/15 18:49:50 Could not obtain certificates:
        acme: Error -> One or more domains had a problem:
[*.mydomain.here.tv] [*.mydomain.here.tv] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Am I doing something wrong? is it the wildcard?

help please
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane »

Better to post a GitHub issue; check the top of the topic.
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez »

Is this Lego still working on older machines? TS239 Pro II+?

I've just installed it but nothing happens when I select the open option on the app.
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane »

It is an SSH command line; there is no web UI to manage it.
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez »

Any idiot's guide to setting it up?
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by ukez »

Or are there any other versions that work on an older QNAP? I want to use Let's Encrypt on an old TS239 Pro II+.
yanuk
Know my way around
Posts: 164
Joined: Mon Feb 08, 2016 9:45 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by yanuk »

here's how i used it.

I'm using Qapache; if you're using the default Apache, the only difference should be the port number and webroot. Qapache uses port 88 and the folder "/share/htdocs".

First make sure your webroot is working by testing with the local server (192.168.1.123:88) and the non-SSL external address (http://my.ext.add).
Lego requires a port to bind to; 88 and 80 are both used, so I randomly chose port 1234 (I didn't forward port 1234 from my router to NAS port 88, but if validation fails, you might want to try this).
Then I run the following:

Code:

lego --http.port "1234" -a --http.webroot "/share/htdocs" --email="my@email.com" --domains="my.ext.add" --http run
The certs will be found inside <current directory>/.lego.

Depending on where you run the command, a new folder .lego will be created in the current directory where you ran the command. So after running the above command just run

Code:

cd .lego
and you'll see the certs in the folders
rename and move the certs as required

if you forgot where the files went, use

Code:

lego list
TS451
TS453
TVS-682
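What the `--http.webroot` solver used above does on the server side, as an added example in Go standard library (illustrative, not lego's solver code): write the key authorization to `<webroot>/.well-known/acme-challenge/<token>`, then fetch it back the way the CA will. In lego's CLI the webroot solver takes precedence over the standalone `--http.port` listener, so nothing new listens; what matters is that the web server already on port 80/88 serves the file. The self-check below serves the webroot with an in-process HTTP server standing in for Qthttpd/Qapache; the token, the key authorization and the temporary webroot directory are constructed values (on the NAS the webroot would be /share/htdocs and the fetch would go to the public URL).

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"regexp"
)

// Tokens come from the CA and become file names here, so only the base64url
// alphabet is accepted; anything else could escape the challenge directory.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// presentHTTP01 does what lego's webroot solver does: write the key authorization
// to <webroot>/.well-known/acme-challenge/<token>. Directories are 0755 and the
// file 0644 so the web server's own user can read them; the content is public by design.
func presentHTTP01(webroot, token, keyAuth string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", fmt.Errorf("refusing token %q: not base64url", token)
	}
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	path := filepath.Join(dir, token)
	if err := os.WriteFile(path, []byte(keyAuth), 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// cleanupHTTP01 removes the challenge file after validation, as lego does.
func cleanupHTTP01(path string) error { return os.Remove(path) }

// fetchChallenge plays the CA: GET the well-known URL over plain HTTP and return
// the body and status, exactly what Let's Encrypt does from the public internet.
func fetchChallenge(baseURL, token string) (string, int, error) {
	resp, err := http.Get(baseURL + "/.well-known/acme-challenge/" + token)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), resp.StatusCode, err
}

// selfCheck is the pre-flight to run before lego: present a dummy challenge in
// the webroot, serve the webroot the way the NAS web server would, and confirm
// the CA-side fetch returns the key authorization byte for byte with a 200.
func selfCheck(webroot string) (bool, error) {
	const token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed
	const keyAuth = token + ".selfcheck-account-thumbprint"     // constructed
	path, err := presentHTTP01(webroot, token, keyAuth)
	if err != nil {
		return false, err
	}
	defer cleanupHTTP01(path)
	// In-process stand-in for Qthttpd/Qapache serving the same directory; on the
	// NAS, fetch the public http://<domain>/.well-known/... URL instead.
	srv := httptest.NewServer(http.FileServer(http.Dir(webroot)))
	defer srv.Close()
	body, status, err := fetchChallenge(srv.URL, token)
	if err != nil {
		return false, err
	}
	return status == http.StatusOK && body == keyAuth, nil
}

func main() {
	webroot, err := os.MkdirTemp("", "webroot") // /share/htdocs on the NAS
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(webroot)
	ok, err := selfCheck(webroot)
	fmt.Println("webroot serves acme-challenge files:", ok, err)
}
```

If the self-check passes locally but Let's Encrypt still fails, the problem is in front of the NAS (router forwarding of port 80, or a web server rule that rewrites or blocks dot-directories), not in the webroot.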
yanuk
Know my way around
Posts: 164
Joined: Mon Feb 08, 2016 9:45 am

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by yanuk »

Additional information: if you are creating the SSL files for access to the QNAP UI, you can easily replace the internal SSL files with the following commands.
Back up the original pem file just in case (I don't do this usually).

Code:

cp /etc/stunnel/stunnel.pem ~/"stunnel.pem.bak.$(date +%d%m%y%H%M%S)"
change ~ to whichever backup dir you want to use

Assuming you are in the .lego/certificates directory where you see your .crt and .key files

Code:

cat my.domain.com.crt my.domain.com.key > /etc/stunnel/stunnel.pem
/etc/init.d/Qthttpd.sh restart
/etc/init.d/stunnel.sh restart
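Before overwriting /etc/stunnel/stunnel.pem, the checks that a plain `cat crt key > stunnel.pem` skips, as an added example in Go standard library that is not part of the post or of lego: the key and certificate match, the certificate covers the hostname used to reach the UI, and it has not expired; then a 0600 timestamped backup and an atomic rename so a crash never leaves a truncated file that locks everyone out of the UI. The hostname nas.example.net, the temporary target path and the self-signed test pair are constructed assumptions; on the NAS the inputs are lego's .crt and .key files and the target is /etc/stunnel/stunnel.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// buildStunnelPEM returns the cert+key bundle to install as stunnel.pem, but only
// after the checks that an unconditional `cat crt key > stunnel.pem` skips: the
// key matches the certificate, the certificate is valid for the hostname the NAS
// UI is reached by, and it has not expired at `now`.
func buildStunnelPEM(certPEM, keyPEM []byte, host string, now time.Time) ([]byte, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("certificate and key do not match: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return nil, fmt.Errorf("certificate is not for %s: %w", host, err)
	}
	if now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("certificate expired on %s", leaf.NotAfter.Format(time.RFC3339))
	}
	// stunnel reads both objects from one file: certificate chain first, then key.
	bundle := append([]byte{}, certPEM...)
	return append(bundle, keyPEM...), nil
}

// installStunnelPEM keeps a timestamped 0600 backup of the old file, writes the
// new bundle beside it and renames into place, so a crash or a full disk never
// leaves a truncated stunnel.pem.
func installStunnelPEM(target string, bundle []byte, now time.Time) error {
	if old, err := os.ReadFile(target); err == nil {
		backup := target + ".bak." + now.Format("20060102150405")
		if err := os.WriteFile(backup, old, 0o600); err != nil {
			return err
		}
	}
	tmp := target + ".tmp"
	if err := os.WriteFile(tmp, bundle, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, target)
}

// selfSignedPair makes a throw-away P-256 key and certificate for `hosts` so the
// checks above can run offline; it stands in for the .crt/.key lego writes.
func selfSignedPair(hosts []string, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     hosts,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	// Constructed pair for a hypothetical hostname; on the NAS use lego's output files.
	certPEM, keyPEM, err := selfSignedPair([]string{"nas.example.net"}, now.Add(60*24*time.Hour))
	if err != nil {
		panic(err)
	}
	bundle, err := buildStunnelPEM(certPEM, keyPEM, "nas.example.net", now)
	if err != nil {
		panic(err)
	}
	target := filepath.Join(os.TempDir(), "stunnel.pem") // /etc/stunnel/stunnel.pem on the NAS
	fmt.Println("installed:", target, installStunnelPEM(target, bundle, now))
}
```

The backup is written with mode 0600 on purpose: the old stunnel.pem still contains a private key that is valid until the old certificate expires, so it should not become world-readable just because it is now "the backup".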
Toxic17
Ask me anything
Posts: 6482
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.2.0 ] Let's Encrypt client and ACME library

Post by Toxic17 »

Stephane, do you have any plans to upgrade to 2.7.x?
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by QNAP_Stephane »

updated to 2.7.2
Toxic17
Ask me anything
Posts: 6482
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by Toxic17 »

QNAP_Stephane wrote: Wed Aug 07, 2019 7:16 pm updated to 2.7.2

lol, your hard work is much appreciated; however, v3.0.0 was just released (2019-08-05). It's a never-ending cycle :)
Regards Simon

Toxic17
Ask me anything
Posts: 6482
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [ LEgo ] [ 2.7.2 ] Let's Encrypt client and ACME library

Post by Toxic17 »

I managed to get mine working by using this command:

Code:

lego --http --http.webroot "/share/htdocs/weather/" --email="email@address.com" --domains="domain.com" --domains="www.domain.com" run
Once the certs have been created, you only need to renew every 90 days.

Code:

lego --http --http.webroot "/share/htdocs/weather/" --email="email@address.com" --domains="domain.com" --domains="www.domain.com"  renew --days 90
You can install the certs anywhere using:

--path value Directory to use for storing the data. (default: "/root/.lego")

If the keys default to being saved in the /root/.lego folder, is this removed on a firmware update or not? You might need to add the path value to put it elsewhere.

Once you have the certs created, add a script to be used by cron to renew the certs every 3 months.

Since I am using Apache73 (newer Qapache), I stop Apache, renew the cert, then start Apache again.

Crontab entry:

Code:

30 0 1 1/3 * /path to/script/renewcert.sh
This runs at 00:30 on the 1st day of Jan/Apr/Jul/Oct.

renewcert.sh script:

Code:

#!/bin/bash

cd /to_your_root_folder_where_.lego_ is
/opt/Apache73/bin/httpd -f /opt/Apache73/etc/httpd.conf -k stop
lego  --email="email@address.com" --domains="domain.com" --domains="www.domain.com" -a --http  renew --days 90
/opt/Apache73/bin/httpd -f /opt/Apache73/etc/httpd.conf -k start
Regards Simon

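Two things worth checking before trusting a renewal cron like the one above, as an added example in Go standard library that is not code from the post or from lego: what `lego renew --days N` does with the remaining validity (lego's rule: count the whole days left and renew when that is N or fewer), and how the intervals of a quarterly crontab compare with a certificate lifetime. A `certChanged` helper is included for wrapper scripts that only want to restart Apache or stunnel when lego actually wrote a new certificate. The 90-day lifetime measured from the moment of issuance and the year 2019 are modelling assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// letsEncryptValidity is the lifetime of a Let's Encrypt certificate, modelled
// here as exactly 90 days from the moment of issuance.
const letsEncryptValidity = 90 * 24 * time.Hour

// needsRenewal follows the `lego renew --days N` rule: count the whole days of
// validity left and renew when that is N or fewer. With a 90-day certificate,
// N=90 is therefore true from the moment of issuance, so every cron run
// re-issues; N=30 renews only during the last month.
func needsRenewal(notAfter, now time.Time, days int) bool {
	remaining := int(notAfter.Sub(now).Hours() / 24)
	return remaining <= days
}

// coverageGaps measures each interval between scheduled renewal runs against the
// certificate lifetime. A positive value is the number of days the certificate
// issued at one run has already been expired when the next run renews it.
func coverageGaps(runs []time.Time) []float64 {
	gaps := make([]float64, 0, len(runs))
	for i := 0; i+1 < len(runs); i++ {
		interval := runs[i+1].Sub(runs[i])
		gaps = append(gaps, (interval - letsEncryptValidity).Hours()/24)
	}
	return gaps
}

// quarterlyRuns expands the crontab entry `30 0 1 1/3 *` for one year, 00:30 on
// 1 Jan/Apr/Jul/Oct, plus the following 1 Jan so the October interval is measured too.
func quarterlyRuns(year int) []time.Time {
	var runs []time.Time
	for m := time.January; m <= time.December; m += 3 {
		runs = append(runs, time.Date(year, m, 1, 0, 30, 0, 0, time.UTC))
	}
	return append(runs, time.Date(year+1, time.January, 1, 0, 30, 0, 0, time.UTC))
}

// certChanged lets the renew script restart Apache/stunnel only when lego
// actually wrote a new certificate, by comparing the file contents before and after.
func certChanged(before, after []byte) bool {
	return sha256.Sum256(before) != sha256.Sum256(after)
}

func main() {
	runs := quarterlyRuns(2019)
	for i, gap := range coverageGaps(runs) {
		fmt.Printf("%s -> %s: %+.0f days relative to a 90-day certificate\n",
			runs[i].Format("2006-01-02"), runs[i+1].Format("2006-01-02"), gap)
	}
	issued := runs[0]
	expiry := issued.Add(letsEncryptValidity)
	fmt.Println("renew --days 90 right after issuance:", needsRenewal(expiry, issued, 90))
	fmt.Println("renew --days 30 right after issuance:", needsRenewal(expiry, issued, 30))
	fmt.Println("renew --days 30 with 29 days left   :", needsRenewal(expiry, expiry.Add(-29*24*time.Hour), 30))
}
```

Calendar quarters are 90 to 92 days long, so a renewal scheduled once per quarter leaves the certificate expired for up to two days in three of the four intervals; a daily or weekly cron with a smaller `--days` value (which renews only when it is due) avoids both the gap and needless re-issuance.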