LinuxQuestions.org


BAcidEvil 04-06-2024 02:15 PM

Letsencrypt Install
 
Hi there
So I seem to be having issues installing Letsencrypt. Going to slackbuilds and then doing all the dependencies has got me lost and overwhelmed. Not sure if there was a more simple way to do it.
On my other machine I used to run 'certbot certonly --standalone -d mail.org' and it would make it... But I do not recall how I installed it then... It was an Ubuntu machine.
I just seem to be having major issues.

teoberi 04-06-2024 02:30 PM

There is an official package in Slackware series "n" called "dehydrated" (Let's Encrypt / ACME setup script).
https://letsencrypt.org/docs/challenge-types/
https://github.com/dehydrated-io/dehydrated
Quote:

--challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported

gattocarlo 04-06-2024 02:55 PM

I do not know if this is going to be helpful because, if I understand correctly what dehydrated does, you are running your own DNS server...

anyway, since my DNS provider does not provide a DNS API I went with agnos:
https://github.com/krtab/agnos

Very easy to set up, and reliable. It comes with precompiled binaries too.

hope this helps.

gattocarlo 04-06-2024 04:12 PM

obviously agnos is meant for dns-01 challenges only, and allows wildcard certificates...

ludist 04-08-2024 02:57 PM

Quote:

Originally Posted by BAcidEvil (Post 6494471)
Hi there
Not sure if there was a more simple way to do it.

Code:

sqg -p letsencrypt
sbopkg -i letsencrypt

I didn't try dehydrated. Maybe it's simpler.

0XBF 04-08-2024 04:53 PM

I'd second trying to use 'dehydrated'. It was added to Slackware as a stock package during 15.0's development cycle (Jan 5, 2021, according to my changelog copy). With dehydrated you can set everything up for an https apache webserver using letsencrypt, without adding extra packages.

"AlienBob" wrote up an article on how to use dehydrated back in 2019 here: https://alien.slackbook.org/blog/usi...er-with-https/

The only difference now afaik is that dehydrated is included in Slackware 15.0 or later, so ignore the package installation steps. I followed those instructions last year and managed to set up a few https webservers with letsencrypt without too much hassle. Just make sure you have everything set up and working perfectly using letsencrypt's staging server first, because you'll get blocked (temporarily) if you f* it up too many times on the production server. (don't ask how I know ;-)

allend 04-08-2024 07:55 PM

If you have a registered domain, then the http-01 challenge is the easiest.

I have a dynamic DNS address with freedns.afraid.org, that required some shenanigans to complete the dns-01 challenge. I used dehydrated with dnsmasq for this. I still need to conduct certificate updates manually. My need is not great. I only use it for accessing CalDAV from my iPhone.

BAcidEvil 04-19-2024 07:53 PM

Hi all

I apologize I have not responded back, been having health issues blah blah blah. I appreciate all of the well rounded feedback and definitely have some reading to do, but I wanted to mention this before so… I was wanting to do letsencrypt for my Email Server certificate. No website, currently. Would the feedback I’ve received work also for this? Or just web servers?

teoberi 04-20-2024 01:13 AM

It also works for mail, you just have to replace the self-signed certificate.

roberto967 04-20-2024 09:32 AM

Quote:

Originally Posted by BAcidEvil (Post 6497220)
Hi all
Would the feedback I’ve received work also for this? Or just web servers?

As already mentioned above it works for mail servers as well.
Last year I wrote a howto here https://notes.sagredo.eu/en/qmail-no...rvers-233.html, inspired by Eric's article, which shows how to do it with qmail and dovecot.

dogemeister 04-21-2024 05:58 PM

I remember compiling LetsEncrypt from SBo years ago and wading through the dependencies, but lately I've just been using the acme.sh script (also packaged in .t?z on SBo). Might be worth a shot, although all I'm doing is basic https key issue/renewal for websites and am not too familiar with sendmail/dovecot/postfix/all that.

My quick n' dirty if you use Apache:

Code:

mkdir /etc/httpd/ssl
acme.sh --issue --apache -d example.com -d www.example.com \
  --server letsencrypt \
  --cert-file /etc/httpd/ssl/cert.pem \
  --key-file /etc/httpd/ssl/key.pem \
  --fullchain-file /etc/httpd/ssl/fullchain.pem \
  --reloadcmd '/etc/rc.d/rc.httpd restart'

1. custom directory to store keys
2. domains you want keys for
3. acme.sh defaults to zerossl, so this overrides to use LetsEncrypt
4. cert file location
5. key file location
6. fullchain file location
7. command to run after key renewal (httpd needs to restart to reprocess keys, I guess)

The parameters passed to this '--issue' command get stored by acme at a path similar to:

Code:

~/.acme.sh/example.com_ecc/example.com.conf

Now go into /etc/httpd/httpd.conf and uncomment these lines:

Code:

LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
Include /etc/httpd/extra/httpd-ssl.conf

First two lines allow httpd to use ssl
Last line becomes apparent in the next step.

Now go into /etc/httpd/extra/httpd-ssl.conf and change these values:

Code:

SSLCertificateFile "/etc/httpd/ssl/cert.pem"
SSLCertificateKeyFile "/etc/httpd/ssl/key.pem"
SSLCertificateChainFile "/etc/httpd/ssl/fullchain.pem"

Notice these are the values specified in the acme.sh --issue command above.

Now restart httpd and give it a shot! Hopefully I didn't botch the commands.
Also recommend running the following to add a cron job to keep the keys fresh.
Code:

acme.sh --install-cronjob

Sorry for all the extra httpd stuff, but I imagine the main differences for a mail server ultimately come down to giving acme the right file paths to copy keys to, making sure the mail server conf points to those paths, and adjusting the '--reloadcmd' to restart the mail server, if that's required. I imagine you may want to use a mode in the '--issue' command other than '--apache', which is explained on the acme github site linked above. While there is no dovecot or postfix "mode", after a brisk google I've seen that people have done this with dovecot and postfix, at least. So with the acme.sh method you may sacrifice less upfront work (compiling) for more configuration work. Either way, good luck & happy slacking :hattip:
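One check worth running before the "restart httpd and give it a shot" step in the procedure above, as an added example rather than anything from the original post: it reads the three SSLCertificate* directives from httpd-ssl.conf and confirms each path actually holds the kind of PEM block acme.sh was told to write there, so a swapped --cert-file/--key-file or a fullchain with only one certificate fails before httpd is restarted. The directive names and /etc/httpd paths are the ones from the post; the PEM files and confs the script creates for its dry run are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Check that an Apache httpd-ssl.conf points at the files acme.sh was told to
# write and that each holds the expected kind of PEM block, so a swapped
# --cert-file/--key-file (or a chain file holding a single cert) is caught
# before httpd is restarted. Fixtures below are constructed, not real keys.

# Number of "-----BEGIN <type>-----" lines in a file (0 if it is missing).
pem_blocks() {
  n=$(grep -c "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || n=0
  echo "$n"
}
# Value of the first uncommented '<directive> "path"' line in an Apache conf.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}
# Returns 0 when all three directives resolve to files of the right PEM type.
check_ssl_conf() {
  rc=0
  for spec in "SSLCertificateFile:CERTIFICATE:1" "SSLCertificateKeyFile:PRIVATE KEY:1" \
              "SSLCertificateChainFile:CERTIFICATE:2"; do
    directive=${spec%%:*}; rest=${spec#*:}; kind=${rest%%:*}; min=${rest#*:}
    path=$(conf_value "$1" "$directive")
    n=$(pem_blocks "$path" "$kind")
    if [ -z "$path" ] || [ "$n" -lt "$min" ]; then
      rc=1; echo "FAIL $directive: '$path' has $n '$kind' block(s), need $min"
    else echo "ok   $directive: $path ($n x $kind)"; fi
  done
  return $rc
}
# Write one constructed placeholder PEM block per type argument into file $1.
fake_pem() {
  f=$1; shift; : > "$f"
  for t in "$@"; do
    printf '%s\n' "-----BEGIN $t-----" "CONSTRUCTED-PLACEHOLDER-BODY" "-----END $t-----" >> "$f"
  done
}
# Constructed layout under dir $1: a good conf plus one with cert/key paths swapped.
make_fixture() {
  mkdir -p "$1/ssl"
  fake_pem "$1/ssl/cert.pem" CERTIFICATE
  fake_pem "$1/ssl/key.pem" "EC PRIVATE KEY"
  fake_pem "$1/ssl/fullchain.pem" CERTIFICATE CERTIFICATE
  printf '%s\n' '#SSLCertificateFile "/etc/httpd/ssl/old.pem"' \
    "SSLCertificateFile \"$1/ssl/cert.pem\"" "SSLCertificateKeyFile \"$1/ssl/key.pem\"" \
    "SSLCertificateChainFile \"$1/ssl/fullchain.pem\"" > "$1/httpd-ssl.conf"
  sed 's#/ssl/cert.pem#/ssl/TMP#;s#/ssl/key.pem#/ssl/cert.pem#;s#/ssl/TMP#/ssl/key.pem#' \
    "$1/httpd-ssl.conf" > "$1/swapped.conf"
}
if [ "$#" -gt 0 ]; then check_ssl_conf "$1"; fi   # e.g. ./check.sh /etc/httpd/extra/httpd-ssl.conf
```

Run it against the real /etc/httpd/extra/httpd-ssl.conf after the acme.sh --issue step; the commented-out SSLCertificateFile line in the fixture shows that disabled directives are ignored.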
