Confconsole - Let's Encrypt fix

@JedMeister JedMeister released this 25 Nov 22:38
· 1 commit to 15.x since this release
v1.1.1
0902d7e

Please note that there is a newer bugfix release for v15.x - please see here.


This updated confconsole package is intended for installation on TurnKey v15.x appliances (based on Debian 9/Stretch).

It includes fixes for a number of issues related to Let's Encrypt / Dehydrated:

  • Hook script now compatible with (and requires) newer Dehydrated version.
  • Uses Let's Encrypt v2 API endpoint by default (v1 API endpoint no longer works with new users/domains; will continue to work for existing users for a little while yet, but better to upgrade ASAP).
  • A rewrite of add-water (our custom challenge mini-server) to resolve a race condition that came to light when used with the updated version of Dehydrated.

The related issues that this release closes are turnkeylinux/tracker#1359 & turnkeylinux/tracker#1360 respectively.

This package will be available from the TurnKey repos at some point (which will make installation that little bit easier), but in the meantime, it's also available here.


Note for non-root users: If you are not logged in as the root user, then many (most? perhaps even all?) of these commands will require sudo. Rather than having to do that, the easier path is to first open a root shell like this:

sudo su -

Then you can follow the commands exactly as posted below. Once you are done, exit the root shell via exit.


Assuming that you have not used this before, or you have used the defaults (except for the domains you are registering), please follow the steps below to install:

  1. Remove deprecated files:

     rm -rf /etc/dehydrated/confconsole{.config,.hook.sh}

  2. Install the newer Dehydrated version from stretch-backports (if you already have Dehydrated from backports you can skip this step):

     echo "deb http://http.debian.net/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list
     apt update
     apt install -t stretch-backports dehydrated

  3. Download and install the updated Confconsole:

     wget https://github.com/turnkeylinux/confconsole/releases/download/v1.1.1/confconsole_1.1.1_all.deb
     apt install ./confconsole_1.1.1_all.deb

  3a. [new step!] Work around bug turnkeylinux/tracker#1387:

     systemctl disable add-water

  4. [Optional] If you have previously used Confconsole (or Dehydrated) to get Let's Encrypt certificates, it is recommended that you move your old Dehydrated data out of the way (alternatively it can be deleted). New users can skip this step:

     mv /var/lib/dehydrated /var/lib/dehydrated.bak
     mkdir -p /var/lib/dehydrated/acme-challenges

  5. Accept the Let's Encrypt Terms of Service (all users):

     /usr/bin/dehydrated --register --accept-terms

  6. Get certs! 😄

You should now be good to go. If you have not used Confconsole to get certificates from Let's Encrypt on this machine previously, it is recommended that you set it up via Confconsole:

confconsole

Then select Advanced >> Lets encrypt and follow the prompts. See the full Confconsole docs for further info.

Alternatively, if you have already been using the Confconsole Let's Encrypt/Dehydrated plugin to get your certificates, but just need to update them, you can launch the dehydrated-wrapper script directly like this:

/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper
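
A post-upgrade audit that can be run before requesting certificates, as an added example that is not part of the original release notes or TurnKey's code. It checks that the deprecated files are gone, that nothing under /etc/dehydrated still names the v1 endpoint, that the challenge directory exists, and that add-water is disabled. The function names, the ROOT prefix argument, and the assumption that local overrides set the endpoint with a CA= line under /etc/dehydrated are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not TurnKey code): audit a host after the upgrade steps.
# ROOT is a hypothetical filesystem prefix; pass "" for the live system.

# The deprecated Confconsole config and hook must have been removed.
deprecated_files_left() {
    local root="$1" f found=1
    for f in confconsole.config confconsole.hook.sh; do
        if [ -e "$root/etc/dehydrated/$f" ]; then
            echo "stale file: $root/etc/dehydrated/$f"
            found=0
        fi
    done
    return "$found"
}

# Assumption: local Dehydrated overrides live under /etc/dehydrated and set
# the endpoint with CA=. A CA= line naming acme-v01 still targets the v1 API.
v1_endpoint_refs() {
    grep -rlE '^[[:space:]]*CA=.*acme-v01\.api\.letsencrypt\.org' \
        "$1/etc/dehydrated" 2>/dev/null
}

# The challenge directory has to exist again once the old data is moved away.
challenge_dir_ok() { [ -d "$1/var/lib/dehydrated/acme-challenges" ]; }

# add-water must not be enabled (only meaningful on the live system).
add_water_enabled() { systemctl is-enabled --quiet add-water 2>/dev/null; }

# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
audit_upgrade() {
    local root="$1" rc=0 hits
    if deprecated_files_left "$root"; then rc=1; fi
    if hits=$(v1_endpoint_refs "$root"); then
        echo "v1 endpoint configured in: $hits"; rc=1
    fi
    if ! challenge_dir_ok "$root"; then
        echo "missing: $root/var/lib/dehydrated/acme-challenges"; rc=1
    fi
    if [ -z "$root" ] && add_water_enabled; then
        echo "add-water is still enabled"; rc=1
    fi
    return "$rc"
}

# Audit the live system only when asked to: bash audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_upgrade ""; fi
```
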

Furthermore, this will almost certainly be the final release of Confconsole for v15.x (based on Debian 9/Stretch). Please note there is a bugfix release. (And that will almost certainly be the last for v15.x).

Future releases of Confconsole will be Python3 based (work already done) and available only in (the upcoming and as yet unreleased) v16.x.