Abyss and Let’s Encrypt (a new Certificate Authority)

DavidQ · 2015-09-29T18:02:12+00:00

Hi Aprelium, I have just heard about Let's Encrypt... Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. Arriving Q4 2015 https://...

Lawrence

I'm anxiously waiting for this too. Being able to support the users of my websites with some encryption seems pretty important these days.

Lithorien

Lawrence wrote
I'm anxiously waiting for this too. Being able to support the users of my websites with some encryption seems pretty important these days.

I just re-upped for 2 years of support, I'm hoping that a little bit of money might bring them back here to see there are still some users who are willing to pay and who want to see development continue.

Lithorien

Just popping in with an update request: Been a while since we've heard from Aprelium staff about how development is going. Any updates?

lazna

The version 2 of ACME protocol is adding wildcard certificates for subdomains.

Daevon

I wrote both to contacts and support more than 3 times in the last 14 months, and never got an answer.
Paying users like Lithorien should at least get an answer.. but since none has been given, I fear for the worst...

Lithorien

Daevon wrote
I wrote both to contacts and support more than 3 times in the last 14 months, and never got an answer.
Paying users like Lithorien should at least get an answer.. but since none has been given, I fear for the worst...

I was able to get an answer through email through the priority support account, here's the relevant snippet:

ACME is on our todo list for a future revision. HTTP/2 support is on
that same list too.
We cannot provide you with an exact ETA for that new version but we
think it could be ready before the end of 2017.

Don't give up hope!

pkSML

Hey all. Just wanted to let you know I got Let's Encrypt working with Abyss on Windows! There's a little bit of rig-a-ma-roll to make it happen, but it's not too complicated.
I hope to be posting a better tutorial within a few weeks.
Steps:

Download Crypt-LE --> http://litlurl.net/Crypt-LE
From the latest release, download le32.zip or le64.zip, depending on your operating system (32/64 bit).
Extract the zip file to a folder of your choice on your server. It must be a writable directory.
In your router, forward TCP port 443 to your server (like you've already done for port 80).

For any domain you want to get an SSL certificate, you must create two folders in the web root directory.
Create a directory called:

.well-known

Windows Explorer won't allow you to do this. The workaround is to append a period at the end of the directory name.
For example, type in:

.well-known.

Create a directory inside the .well-known directory named:

acme-challenge

You should be able to navigate to YOUR_WEB_ROOT_FOLDER\.well-known\acme-challenge
Remember: Do this for every domain you want to enable SSL for.

Now build your argument list for le32.exe (or le64.exe).
Here's some code to get started with:
```
le32.exe 
-key account.key 
-email your_email@server.com 
-csr demo.go2.rip.csr 
-csr-key demo.go2.rip.key 
-crt demo.go2.rip.crt 
-domains "demo.go2.rip,www.demo.go2.rip" 
-generate-missing 
-path "c:/web_docs/demo.go2.rip/.well-known/acme-challenge/,c:/web_docs/demo.go2.rip/.well-known/acme-challenge/"
```
*Change to your email address. This is an optional parameter, but it's for "email for expiration notifications".
*The parameters key, csr, csr-key, and crt define files that will be created in the folder where le32.exe resides.
*Note: Every time you create certificates with this program, use the same account.key file.
*Note: You can specify several domains in the domain parameter. Make sure to put the corresponding path in the path parameter.
The first domain corresponds to the first path and the second domain corresponds to the second path, etc.
(In my example, the root domain and www subdomain have the same root.)
Take all the arguments after you've altered them (ideally in notepad), and condense them into one line.
Copy and paste into a command prompt (right-click --> Paste) after you've navigated to the folder with le32.exe.

If you receive the following response on your screen, you've set up the parameters correctly:

2017/08/11 22:08:49 [ ZeroSSL Crypt::LE client v0.24 started. ]
2017/08/11 22:08:49 Loading an account key from account.key
2017/08/11 22:08:49 Loading a CSR from demo.csr
2017/08/11 22:08:51 Registering the account key
2017/08/11 22:08:51 The key is already registered. ID: *******
2017/08/11 22:08:51 Current contact details: *********@gmail.com
2017/08/11 22:08:52 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/2gsfhMM-KekeTxKp373hgOj93mjh3FT7JufPQBmL4VA' for domain 'demo.go2.rip'
2017/08/11 22:08:52 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/7KFbbpCFhU5MveHdr60x83yWv3XcfdHYUbhqtsNavKY' for domain 'www.demo.go2.rip'
2017/08/11 22:08:55 Domain verification results for 'demo.go2.rip': success.
2017/08/11 22:08:55 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/2gsfhMM-KekeTxKp373hgOj93mjh3FT7JufPQBmL4VA' file.
2017/08/11 22:08:57 Domain verification results for 'www.demo.go2.rip': success.
2017/08/11 22:08:57 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/7KFbbpCFhU5MveHdr60x83yWv3XcfdHYUbhqtsNavKY' file.
2017/08/11 22:08:57 Requesting domain certificate.
2017/08/11 22:08:58 Requesting issuer's certificate.
2017/08/11 22:08:58 Saving the full certificate chain to demo.go2.rip.crt.
2017/08/11 22:08:58 ===> NOTE: You have been using the test server for this certificate. To issue a valid trusted certificate add --live option.
2017/08/11 22:08:58 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]

Important note: This certificate is not the one you want to use!!! The second to last log entry tells us what to do next:
To issue a valid trusted certificate add --live option.

So tack on -live to the argument list (only a single dash as the double dash is for Linux use). Adding -live will alter the .crt file.
The command prompt should now show similar output:

2017/08/11 22:25:47 [ ZeroSSL Crypt::LE client v0.24 started. ]
2017/08/11 22:25:47 Loading an account key from account.key
2017/08/11 22:25:47 Loading a CSR from demo.go2.rip.csr
2017/08/11 22:25:49 Registering the account key
2017/08/11 22:25:49 The key is already registered. ID: ********
2017/08/11 22:25:50 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/merGFw9B7azpn72vKNNJqMHh4LpS49vduhhU252vaHM' for domain 'demo.go2.rip'
2017/08/11 22:25:50 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/1VSyuELTt10xdcYKF5l2Dp-XPY2677XaxTy-mhTyoNI' for domain 'www.demo.go2.rip'
2017/08/11 22:25:52 Domain verification results for 'demo.go2.rip': success.
2017/08/11 22:25:52 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/merGFw9B7azpn72vKNNJqMHh4LpS49vduhhU252vaHM' file.
2017/08/11 22:25:55 Domain verification results for 'www.demo.go2.rip': success.
2017/08/11 22:25:55 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/1VSyuELTt10xdcYKF5l2Dp-XPY2677XaxTy-mhTyoNI' file.
2017/08/11 22:25:55 Requesting domain certificate.
2017/08/11 22:25:55 Requesting issuer's certificate.
2017/08/11 22:25:55 Saving the full certificate chain to demo.go2.rip.crt.
2017/08/11 22:25:55 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]

Now that we have a full-fledged certificate file, we will now import the SSL certificate into Abyss.
Load up the Abyss console in your browser.
Go to SSL/TLS Certificates.
In the Private Keys table, click Add.
Create a name for this private key.
Let's call it 'Abyss-LE' for this example.
Set action to 'Import'.
Under key contents, insert the contents of demo.go2.rip.key file (the one created with the -csr-key parameter).
Click OK.
Under Certificates, click Add.
Give it a name. Again, for example, let's use 'Abyss-LE'.
Choose your 'Abyss-LE' private key.
Set 'Type' to 'Signed by a Certification Authority (CA)'.
Under Main Certificate, open up demo.go2.rip.crt (the file specified in the -crt parameter).
You'll notice there are two certificates here. Select only the first one and paste it into Main Certificate.
The second certificate should be pasted in 'Intermediate Certificate'.
The CA Root Certificate can be blank.
Click OK.
EDIT: You can just copy the ENTIRE file and dump it in the Main Certificate textbox. The result is the same and this way is easier :)
Now navigate to your host and click 'General'.
Under Protocol, select HTTP+HTTPS.
Select the certificate you created.
Click OK.
(If you specified other domains when you created your SSL certificate, repeat this same procedure and use the same certificate for those hosts.)
Restart Abyss. Now you're serving HTTP & HTTPS. Congrats!

Note: I made some minor edits with the parameters when running the LE32.exe file (forward/back slashes and trailing slashes) so that the program will function correctly.

pkSML

Here's another website I've secured with HTTPS in Abyss.

These certificates are good for three months, but you can't renew before 60 days. So I'll have to give an update on how to renew properly when the time comes.
One more thing: To help with debugging, you can test your SSL setup here --> https://www.ssllabs.com/ssltest/.
I highly recommend this before asking, "What did I do wrong?" on the forums :)
And my demo scored an A rating.
(An A+ rating may create compatibility problems for more users.)

Daevon

Thanks for the guide pkSML!
It has been really helpful.
Let's hope native ACME support comes to Abyss.. the problem with Let's Encrypt is the very short certificate life.
Sure, your procedure can be turned into a scheduled task, but things are complicated..
I'm eagerly awaiting for the next revision btw :)
Again, many thanks!

DavidQ

Thanks pkSML, you must have spent quite some time digging around and preparing that information. I too am still hoping Abyss will include easy to use auto-updating ACME / Let's Encrypt support in a future update.

pkSML

Just a little update to this thread...
I have also secured domains on a Linux box with Let's Encrypt + Abyss. On that installation, I symlinked/soft-linked the certificate & private key files in Abyss' kcstore folder to the files that are saved by the Let's Encrypt client software. (The Linux client auto-renews, so Abyss' kcstore folder stays up to date.)
The only caveat is that Abyss has to be restarted to make use of the updated certificate, as it seems to store the contents of the kcstore folder in RAM when the server is started/restarted. (In other words: Simply restarting the server will refresh ALL the certs and keys to the current directory contents.)
In about a month, I hope to share some info on how to set up an auto-renew script for Let's Encrypt certs on Windows.

admin

A new version of Abyss Web Server is in the works and nearing the Beta stage.
It will add native ACME/Let's Encrypt support (among other new capabilities)
Since this is a huge new feature, we'll welcome any help testing it. If you are interested to get the new Beta version when available, please let us know (a reply to this message or an email with a reference to this thread would suffice).
Thanks.

Lithorien

admin wrote
A new version of Abyss Web Server is in the works and nearing the Beta stage.
It will add native ACME/Let's Encrypt support (among other new capabilities)
Since this is a huge new feature, we'll welcome any help testing it. If you are interested to get the new Beta version when available, please let us know (a reply to this message or an email with a reference to this thread would suffice).
Thanks.

I am absolutely interested in beta testing this feature.

admin

Lithorien wrote
I am absolutely interested in beta testing this feature.

Thank you for your offer to help. We will contact you as soon as the Beta will be ready.

richardyork

I'm also extremely interested in becoming a beta tester if possible please :)

jxxaxxy

I am interested in this as well!!!!

DavidQ

admin wrote
A new version of Abyss Web Server is in the works and nearing the Beta stage.
It will add native ACME/Let's Encrypt support (among other new capabilities)
Since this is a huge new feature, we'll welcome any help testing it. If you are interested to get the new Beta version when available, please let us know (a reply to this message or an email with a reference to this thread would suffice).
Thanks.

That sounds great. I'd definitely be interested in exploring the possibility of testing the Beta version.

TRUSTAbyss

I'd like to test the ACME/Let's Encrypt support as well. ;)

pkSML

I'd be happy to beta test LE also. Thanks!

sands

admin wrote
A new version of Abyss Web Server is in the works and nearing the Beta stage.
It will add native ACME/Let's Encrypt support (among other new capabilities)
Since this is a huge new feature, we'll welcome any help testing it. If you are interested to get the new Beta version when available, please let us know (a reply to this message or an email with a reference to this thread would suffice).
Thanks.

i would like to test beta version.. thank you.

« Previous Page Next Page »