[OPEN-ILS-DEV] Let's Encrypt on Evergreen server

Ben Shum ben at evergreener.net
Tue Mar 8 00:00:24 EST 2016


Hi Kelsey,

This is a paste copy of the vhost definitions in my eg.conf for my
test server:  http://pastie.org/private/3mhgp90ba4a0xrwz48v16q

As indicated in the paste, I have a servername and then also
serveralias because I used two hostnames for this machine.

Everything else in eg.conf matches the stock setup file as far as I
can tell.  I did not encounter any error for my http vhost.

The error I'd focus on from your sample is this part:  "fmall.js:
Error: File not found:
http://evergreentest.stkate.edu/opac/common/js/fmall.js"

That file not found is because it's trying to use the regular HTTP way
of finding the file instead of the forced secure HTTPS in your system.
If I change that URL to https:// in my browser, and look for the file
path, I can find the file.  So this is a case where if you comment out
the regular http vhost, bad stuff happens.

Normally, trying to force to HTTPS everywhere would be done via the
eg_vhost.conf configuration, at the end of that file.  However, there
is a known bug open where developers are trying to figure out some
remaining issues with forcing HTTPS everywhere:
https://bugs.launchpad.net/evergreen/+bug/1507013

Hope that helps a little.

-- Ben

On Mon, Mar 7, 2016 at 8:28 PM, Kelsey Lied <kalied at stkate.edu> wrote:
> Hi Ben,
>
> Awesome!  I'm excited about your response -- I've got a similar setup with
> Ubuntu 14.04/Apache 2.4.
>
> Here's what I've got today --
>
> - I commented out the HTTP vhost in /etc/apache2/sites-available/eg.conf,
> leaving only the HTTPS vhost, since Let's Encrypt was giving an error about
> only working with one vhost.  Also verified ServerName of that vhost is my
> fqdn.
> - Redid the whole auto-letsencrypt apache thing, got through without errors
> this time.  Server passed ssllabs.com test, too. (Hooray!)
> - Stopped and started opensrf, ran autogen.sh, and restarted apache.
> - Verified no certificate errors when hitting https://fqdn (Hooray!)
> - Attempted to start Evergreen client.  Got following errors:
> fmall.js: TypeError: document.getElementsById("offlineStrings") is null (OK
> button)
> fmall.js: Error: File not found:
> http://evergreentest.stkate.edu/opac/common/js/fmall.js
> - Found a 2013 IRC log about these errors
> (http://irc.evergreen-ils.org/evergreen/2013-08-27). Reran autogen.sh, no
> luck.  Have noted: if I hit the given URL in a browser, I also get a File
> Not Found.  HOWEVER, if I hit the same over HTTPS, I get data back.
>
> Wondering if commenting out the HTTP vhost is causing the fmall.js errors.
> It's also possible that I've got localhost hanging out somewhere in my
> Evergreen setup that needs to be swapped out for the domain name -- I
> originally started without and may have missed a spot when I tried to swap
> in the domain name later.  Thoughts?
>
> Side note: I am somewhat baffled about how the server and hitting the
> browser client is validating over HTTPS, given my eg.conf file still says
> the cert/key are in the apache ssl directory the Evergreen instructions have
> you create, while Let's Encrypt puts the goods elsewhere
> (https://letsencrypt.readthedocs.org/en/latest/using.html#where-certs ).
> I'd be interested in knowing some more about what you changed within
> eg.conf, Ben.
>
> Thanks,
> Kelsey
>
> On Sun, Mar 6, 2016 at 7:58 PM, Ben Shum <ben at evergreener.net> wrote:
>>
>> Hi Kelsey,
>>
>> I've been using Let's Encrypt on my personal Evergreen test server
>> (https://demo.evergreener.net) for this past month or so.  Prior to
>> that, I used Let's Encrypt for some other test systems at my previous
>> place of work.
>>
>> The biggest issue I encountered initially was that my system wasn't
>> resolving the reverse DNS properly for my site (it took a little time
>> for all the DNS to populate properly).  This caused the
>> letsencrypt-auto to fail for me.  I think I ended up installing an
>> additional python package to get that working in addition to giving
>> enough time for DNS to propagate.
>>
>> The test system I used was installed with Ubuntu 14.04 server and
>> apache 2.4, which letsencrypt seemed to have better luck in handling
>> automatically the apache replaces with apache 2.4 vs. 2.2 (which
>> shipped on older Ubuntu distros).  Alternatively, I think I also just
>> eventually figured out how to set up my eg.conf config file with the
>> necessary paths for the SSL cert and chain files.
>>
>> Feel free to ask further questions about your issues.  I think using
>> Let's Encrypt is an awesome solution for SSL certificates.
>>
>> -- Ben
>>
>> On Sun, Mar 6, 2016 at 8:50 PM, Kelsey Lied <kalied at stkate.edu> wrote:
>> > Hi,
>> >
>> > I am wondering if anybody is using Let's Encrypt (letsencrypt.org) for their
>> > Evergreen install.
>> >
>> > We're spinning up a new install and would like to use it, but so far I have
>> > had no luck on our test server.  I have tried a number of things, getting
>> > various errors.  The Let's Encrypt community has generally had an answer for
>> > each error, but every answer I've tried messes with config settings that
>> > ultimately prevent Evergreen from running properly.  (Happy to provide
>> > errors if folks are interested, but they're errors in another tool, so don't
>> > want to bog down the initial query.)
>> >
>> > Is anybody using Let's Encrypt successfully?
>> >
>> > Thanks,
>> > Kelsey
>
>
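
Added example, not part of the original thread: a shell check for the two points discussed above, whether the port 80 vhost in eg.conf is still active and which certificate files the 443 vhost points at. The sample config, the hostname evergreen.example.org and the function names are constructed for illustration; /etc/letsencrypt/live is where Let's Encrypt keeps its live certificates.

```shell
#!/bin/sh
# Added example, not from the thread. The sample config below is constructed.
LE_LIVE=/etc/letsencrypt/live   # directory where Let's Encrypt keeps live certs

# Print "port certfile keyfile" for every active (uncommented) VirtualHost.
audit_vhosts() {
    awk '
        /^[ \t]*#/ { next }
        /<VirtualHost[ \t]/ {
            port = $0; sub(/.*:/, "", port); sub(/[^0-9].*/, "", port)
            cert = "-"; key = "-"; in_vh = 1; next
        }
        in_vh && $1 == "SSLCertificateFile"    { cert = $2 }
        in_vh && $1 == "SSLCertificateKeyFile" { key = $2 }
        /<\/VirtualHost>/ { if (in_vh) print port, cert, key; in_vh = 0 }
    ' "$1"
}

# Return 0 only if a port 80 vhost is active and each 443 vhost cert is under $LE_LIVE.
check_eg_conf() {
    vhosts=$(audit_vhosts "$1"); status=0
    if ! printf '%s\n' "$vhosts" | grep -q '^80 '; then
        echo "WARN: no active port 80 vhost, http:// requests miss Evergreen"; status=1
    fi
    if ! printf '%s\n' "$vhosts" | awk -v le="$LE_LIVE/" '
            $1 == 443 && index($2, le) != 1 { print "WARN: 443 vhost cert is " $2; bad = 1 }
            END { exit bad + 0 }'; then
        status=1
    fi
    return $status
}

# Constructed eg.conf-style input: HTTP vhost commented out, stock cert paths kept.
write_sample() {
    cat > "$1" <<'EOF'
#<VirtualHost *:80>
#    ServerName evergreen.example.org
#</VirtualHost>
<VirtualHost *:443>
    ServerName evergreen.example.org
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
EOF
}

sample=$(mktemp); write_sample "$sample"
check_eg_conf "$sample" || echo "eg.conf needs attention"; rm -f "$sample"
```

On a real server, point `check_eg_conf` at /etc/apache2/sites-available/eg.conf; both warnings fire for the constructed sample.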

