From: "Lewis G Rosenthal"
Received: from [50.73.8.217] (account lgrosenthal@2rosenthals.com HELO [192.168.200.30]) by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10) with ESMTPSA id 10570090 for ecs-isp@2rosenthals.com; Sun, 11 Aug 2024 17:02:54 -0400
Subject: Re: [eCS-ISP] Apache HTTPS
To: eCS ISP Mailing List
References:
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <66B926F8.6060600@2rosenthals.com>
Date: Sun, 11 Aug 2024 17:02:48 -0400
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

PMFJI...

On 08/11/24 04:47 pm, Dan Napier, MS, CIH, CAC wrote:
> massimo,
>
> More questions than answers. I guess that you installed the uacme under
> c:\mpts\etc\ssl.
> How do you make all the directories under that?
> How do you get the certificates the first time?
> Where does the example code you sent go?
> How do you elicit the cmd file that would be called by rsync?
> What needs to be added to the PATH?
>
> Thanks for any help. What is a second level or third level?
>
>
> --
> Certified Industrial Hygienist
> Certified Asbestos Consultant
>
> Dan Napier, MS, CIH, CAC
> 92-0614 8/24/24
> 2520 Artesia Boulevard
> Redondo Beach, CA 90278-3210
> 310-644-1924 x 103
> CSLB 773462
>
>
>
> On Tuesday, July 23, 2024 03:20 PDT, "Massimo S." wrote:
>> I use Paul's port of UACME; it can renew the www.yourwebsite.com (3rd
>> level) cert and the 2nd level yourwebsite.com at the same time too.
>>
>>
>> This is a simple reissue of just the www.yourwebsite.. certificate.
>> I run uacme in a separate tree, not under the Apache tree; I don't suggest
>> running it under the \apache tree.
>> You need port 80 (HTTP) open on your webserver for this operation.
>> You need to create all these paths you can see down here.
>> You don't need the Let's Encrypt chain certificate files, since uacme
>> already, on its own, creates a certificate with the chain certificate inside
>> the .cert, so you always have the latest chain certificate from Let's Encrypt
>> automatically.
>>
>> I run the scripts scheduled once every 2 months (LE certs only last 3 months),
>> so in case of issues I still have 1 month to fix them.
>> **Don't forget** to add a Call SysSleep of about 10 seconds between one reissue
>> and another (if you run tens of renewals like me) or you can get problems,
>> I mean renewals that fail.
>> In your script, after the renewal(s), you can place the code to restart Apache.
>>
>>
>>
>> Renewal (issue) script:
>>
>> @attrib c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem -R
>> @copy c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old.pem c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old2.pem
>> @copy c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old.pem
>> @del c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem /N
>> @attrib c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem -R
>> @copy c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old.pem c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old2.pem
>> @copy c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old.pem
>>
>> @del c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem /N
>> uacme issue www.youwebsite.com -h hook_yourwebsite_com.cmd 2>>d:\services\uacme\re.log
>>
>>
>>
>> Hook script:
>>
>> /* REXX: uacme calls the hook as  hook method type ident token auth  */
>> /* Load RexxUtil so SysFileDelete is available when run from a fresh CMD */
>> call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
>> call SysLoadFuncs
>> parse arg var1 var2 var3 var4 var5
>> /* var4 = challenge token (file name), var5 = key authorization (file content) */
>> myfile = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
>> call SysFileDelete myfile
>> rc = LINEOUT(myfile, var5)
>>
>>
>>
>> I'm keeping 2 backups of private keys + certs (you can see all those copies).
>> Hope it's all explained well.
>>
>> massimo
>>
>>
>> On 22/07/2024 15:33, Dan Napier wrote:
>> > Has anyone installed Let's Encrypt Certbot on OS2? What did you use?
>> >
>> > HTTPS is needed. Or how are you installing the certs?
>> >

Egad...

...or you can get a real cert good for a reasonable amount of time (398 days), and only swap out your cert once a year or so. Geez, these free certs are such a pain for such little cost for a real cert.

Disclaimer: Rosenthal & Rosenthal resells SSL certs for GoDaddy (http://domains.2rosenthals.com), so yes, I do have a profit motive for disliking free short-lived certs. Also, they make my SVN and GIT update script stall waiting on me to accept a new cert, so the fewer new certs, the better from my POV.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
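The http-01 hook that Massimo's quoted message shows in REXX, as an added example that is not part of this thread, of uacme or of Paul's port: a Python version of the same idea that acts on the method argument (begin writes the challenge file, done/failed removes it) and refuses any token that is not plain base64url, so the path under the webroot cannot be escaped. The uacme calling convention (method, type, ident, token, auth) is taken from uacme's hook interface; the handle_challenge and demo names, the WEBROOT variable and the sample token are assumptions.

```python
import os
import re
import sys
import tempfile

# Assumed calling convention (uacme's hook interface): hook <method> <type> <ident> <token> <auth>
# where method is begin, done or failed.  ACME tokens are base64url, so anything else is refused.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def handle_challenge(method, chtype, ident, token, auth, webroot):
    """Create or remove <webroot>/.well-known/acme-challenge/<token>; returns 0 on
    success and 1 on refusal, the exit code convention a uacme hook follows."""
    if chtype != "http-01":
        return 1  # only the file-based http-01 challenge is handled here
    if not TOKEN_RE.fullmatch(token):
        return 1  # refuse a token that could traverse out of the challenge dir
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    path = os.path.join(chal_dir, token)
    if method == "begin":
        os.makedirs(chal_dir, exist_ok=True)
        with open(path, "w", newline="\n") as fh:
            fh.write(auth)  # key authorization the CA fetches over plain HTTP
        return 0
    if method in ("done", "failed"):
        try:
            os.remove(path)  # never leave old challenge files being served
        except FileNotFoundError:
            pass
        return 0
    return 1  # unknown method


def demo():
    """Run the hook against a constructed temporary webroot; returns each step's result."""
    with tempfile.TemporaryDirectory() as root:
        tok, auth = "AbC-123_xyz", "AbC-123_xyz.constructed-thumbprint"
        path = os.path.join(root, ".well-known", "acme-challenge", tok)
        r_begin = handle_challenge("begin", "http-01", "www.example.com", tok, auth, root)
        with open(path) as fh:
            served = fh.read()
        r_done = handle_challenge("done", "http-01", "www.example.com", tok, auth, root)
        removed = not os.path.exists(path)
        r_bad = handle_challenge("begin", "http-01", "www.example.com", "../evil", auth, root)
    return r_begin, served, r_done, removed, r_bad


if __name__ == "__main__":  # e.g. WEBROOT=/var/www ./hook.py begin http-01 host token auth
    args = sys.argv[1:6]
    sys.exit(handle_challenge(*args, os.environ.get("WEBROOT", ".")) if len(args) == 5 else 1)
```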