From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] Apache HTTPS
To: eCS ISP Mailing List
Organization: Massimo S.
Date: Fri, 16 Aug 2024 20:52:00 +0200

Hi,

no, you don't need any entry in the DNS zone to issue the LE SSL certificate.
The process is just an HTTP request (port 80) on the website;
under the root of the virtual host you must have this path, e.g.:

htdocs\yourwebsite\.well-known\acme-challenge

massimo

On 16/08/2024 19:59, Dan Napier, MS, CIH, CAC wrote:
> Steven
>
> Here is as far as I get. It is asking for a TXT line in the DNS server?
>
> uacme.exe: challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/38943333
> 6946/-1Wx1w failed with status invalid
> uacme.exe: the server reported the following error:
> {
> "type": "urn:ietf:params:acme:error:dns",
> "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ns1.dnac
> ih.com - check that a DNS record exists for this domain",
> "status": 400
> }
> uacme.exe: failed to authorize order at https://acme-v02.api.letsencrypt.org/acm
> e/order/1887586636/295703974986
>
> On Tuesday, July 23, 2024 04:30 PDT, "Massimo S."
> wrote:
>> Now the apache httpd.conf part:
>>
>> this rewrites http requests to the https vhost:
>>
>> # listen address *:80 is an assumption
>> <VirtualHost *:80>
>> ServerAdmin webmaster@yourwebsite.com
>> ServerName www.yourwebsite.com
>> ServerAlias yourwebsite.com
>> RewriteEngine on
>> RewriteCond %{HTTP_HOST} ^(www\.)?yourwebsite\.com [NC]
>> RewriteCond %{HTTPS} off
>> RewriteRule ^/(.*)$ https://www.yourwebsite.com/$1 [R,L]
>> </VirtualHost>
>>
>> now the https vhost:
>>
>> # listen address *:443 is an assumption
>> <VirtualHost *:443>
>> ServerAdmin webmaster@yourwebsite.com
>> DocumentRoot d:/apache/htdocs/yourwebsite
>> ServerName www.yourwebsite.com
>> ServerAlias yourwebsite.com
>>
>> SSLEngine on
>> SSLCertificateFile c:/mptn/etc/ssl/uacme/www.yourwebsite.com/cert.pem
>> SSLCertificateKeyFile c:/mptn/etc/ssl/uacme/private/www.yourwebsite.com/key.pem
>> </VirtualHost>
>>
>> you don't need the chain certificate since UACME automatically creates a certificate
>> with the chain certificate inside it
>>
>> to verify your certificate you can use this web tool:
>>
>> https://decoder.link/sslchecker/www.yourwebsite.com/443
>>
>> that's all
>>
>> massimo
>>
>> On 23/07/2024 12:20, Massimo S. wrote:
>> > I use Paul's port of UACME, it can renew the www.yourwebsite.com (3rd level) cert and the 2nd level
>> > yourwebsite.com at the same time too.
>> >
>> > This is a simple reissue of just the www.yourwebsite.. certificate.
>> > I run uacme in a separate tree, not under the apache tree; I don't suggest
>> > running it under the \apache tree.
>> > You need port 80 (HTTP) open on your webserver for this operation.
>> > You need to create all the paths you can see below.
>> > You don't need the Let's Encrypt chain certificate files, since uacme on its own
>> > creates a certificate with the chain certificate inside the .cert, so
>> > you always have the latest chain certificate from Let's Encrypt automatically.
>> >
>> > I run the scripts scheduled once every 2 months (LE certs only last 3 months),
>> > so in case of issues I still have 1 month to fix them.
>> > **don't forget** to add a Call SysSleep of about 10 seconds between one reissue
>> > and the next (if you run tens of renewals like me) or you can get problems,
>> > I mean renewals that fail.
>> > In your script, after the renewal(s), you can place the code to restart apache.
>> >
>> > renewal (issue) script:
>> >
>> > @rem keep two older generations of the private key, then remove the current one
>> > @attrib c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem -R
>> > @copy c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old.pem c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old2.pem
>> > @copy c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old.pem
>> > @del c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem /N
>> > @rem same rotation for the certificate
>> > @attrib c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem -R
>> > @copy c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old.pem c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old2.pem
>> > @copy c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old.pem
>> > @del c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem /N
>> > @rem request the certificate; stderr is appended to re.log
>> > uacme issue www.yourwebsite.com -h hook_yourwebsite_com.cmd 2>>d:\services\uacme\re.log
>> >
>> > hook script:
>> >
>> > /* uacme hook (REXX): var1=method var2=type var3=ident var4=token var5=auth */
>> > call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
>> > call SysLoadFuncs
>> > parse arg var1 var2 var3 var4 var5
>> > myfile = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
>> > call SysFileDelete myfile
>> > rc = LINEOUT(myfile,var5)
>> > call LINEOUT myfile /* close the challenge file */
>> >
>> > I'm keeping 2 backups of private keys + certs (you can see all those copies)
>> > hope it's all explained well
>> >
>> > massimo
>> >
>> > On 22/07/2024 15:33, Dan Napier wrote:
>> >> Has anyone installed Let's Encrypt Certbot on OS/2? What did you use?
>> >>
>> >> HTTPS is needed. Or how are you installing the certs?
>> >>
>> >> Dan Napier, MS, CIH
>> >> DNA Industrial Hygiene
>> >> 2520 Artesia Boulevard
>> >> Redondo Beach, CA 90278-3210
>> >> 310-644-1924 X 103
>> >> CSLB #773462
>> >> DNA Industrial Hygiene 800-644-1924
>> >>
>> >
>> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> > This message is sent to you because you are subscribed to
>> > the mailing list .
>> > To unsubscribe, E-mail to:
>> > To switch to the DIGEST mode, E-mail to
>> > To switch to the INDEX mode, E-mail to
>> > Send administrative queries to
>> > To subscribe (new addresses), E-mail to: and reply to the confirmation email.
>> > Web archives are publicly available at: http://lists.2rosenthals.com
>> >
>> > This list is hosted by Rosenthal & Rosenthal, LLC
>> > P.O. Box 281, Deer Park, NY 11729-0281. Non-
>> > electronic communications related to content
>> > contained in these messages should be directed
>> > to the above address. (CAN-SPAM Act of 2003)
>> >
>> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> --
> Certified Industrial Hygienist
> Certified Asbestos Consultant
>
> Dan Napier, MS, CIH, CAC
> 92-0614 8/24/24
> 2520 Artesia Boulevard
> Redondo Beach, CA 90278-3210
> 310-644-1924 x 103
> CSLB 773462
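
Added example, not part of the original thread and not code from the uacme port: the error quoted in this thread is a dns-01 failure (a TXT lookup for _acme-challenge), and uacme passes the challenge type as the hook's second argument and treats exit code 0 on "begin" as acceptance of that challenge. The REXX hook below accepts only http-01, refuses any token that is not plain base64url before using it as a file name, and removes the response file when the challenge ends. The X:\apache\... path is the placeholder used earlier in the thread.

```rexx
/* uacme hook for http-01 only (added example, REXX for OS/2)           */
/* uacme calls the hook as: METHOD TYPE IDENT TOKEN AUTH                */
/* Exit 0 on "begin" accepts the challenge, non-zero declines it.       */
call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
call SysLoadFuncs

parse arg method type ident token auth .

/* Assumed web root: same placeholder layout as the path in the thread  */
chaldir = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'

/* Decline dns-01, tls-alpn-01 and anything else this host cannot       */
/* answer, so uacme moves on to the next challenge the CA offered.      */
if type \= 'http-01' then exit 1

/* The token becomes a file name: allow only base64url characters so    */
/* it can never contain "\", "/", ":" or ".." and leave chaldir.        */
safe = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
if token == '' | verify(token, safe) \= 0 then exit 1

myfile = chaldir || token

select
  when method = 'begin' then do
    call SysFileDelete myfile                   /* drop a stale response */
    if lineout(myfile, auth) \= 0 then exit 1   /* could not write it    */
    call lineout myfile                         /* close the file        */
    exit 0
  end
  when method = 'done' | method = 'failed' then do
    call SysFileDelete myfile                   /* clean up the response */
    exit 0
  end
  otherwise
    exit 1                                      /* unknown method        */
end
```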