WebFaction

I am a complete newbie here so I apologize if there is an obvious answer to this question.
I have previously used the Let's Encrypt WebFaction utility to request and obtain SSL certificates. I recently received an email from Let's Encrypt informing me that the version of OpenSSL used to generate my past requests (this would be the system default version) will no longer be supported beginning in November 2016. I was able to install a newer version of OpenSSL from source, but I am unsure of how to direct the Let's Encrypt utility to use this version instead of the system default.

If more information is needed, I will be happy to provide it.

Edit: seanf's answer marked as accepted because it did give the correct answer to pointing the script toward a custom installed version of OpenSSL. It should be noted, though, that the overall issue of the malformed CSR may possibly be resolved by just updating the utility script, as further explained in the comments of williaminwi's answer.

asked 19 Sep '16, 19:18


unrealcroissant
133
accept rate: 0%

edited 05 Oct '16, 19:40


You most likely need to set a couple of environment variables so the utility will know where to find your updated OpenSSL.

Assuming you installed OpenSSL in $HOME/openssl, then try this:

    export PATH=$HOME/openssl/bin:$PATH
    export LD_LIBRARY_PATH=$HOME/openssl/lib

Then run whatever commands you need to run to request your certificates.

Side note: we'll be making it a lot easier to use Let's Encrypt on our service in the (hopefully near) future :)


answered 19 Sep '16, 23:14


seanf ♦♦
11.5k21333
accept rate: 37%

What version of CentOS are you running as?

If CentOS 5, you can compile a custom OpenSSL and Ruby using these instructions: https://github.com/will-in-wi/letsencrypt-webfaction/wiki/Install-custom-OpenSSL-and-Ruby-on-CentOS-5-host


answered 19 Sep '16, 23:10


williaminwi
414
accept rate: 0%

Thanks for the reply!
This is on CentOS 7. Is the tutorial in the wiki still applicable for this situation or is it CentOS 5 specific?

Edit: Also, would I need to do anything with the utility configuration if I set my environment to use the custom installed OpenSSL version from seanf's answer? I installed the utility using the system Ruby method (not RBEnv) and have it set to run as a cron job.

(20 Sep '16, 00:20) unrealcroissant

Huh. That CentOS 7 would raise this issue surprises me a lot. Could you open a ticket over at https://github.com/will-in-wi/letsencrypt-webfaction/issues and attach the email you got? I'd like to investigate.

Per seanf's answer, AFAIK Ruby is dynamically linked with a particular OpenSSL, so installing a custom OpenSSL isn't helpful unless you recompile Ruby. With that said, it is possible that setting LD_LIBRARY_PATH might cause Ruby to grab your copy over the system copy on execute, so it might be worth a shot. I'm not experienced with linkers. It probably depends on ABI compatibility, so you might need to pick your custom version of OpenSSL carefully.

I'm presently migrating my personal account over to a CentOS 7 box, so I'll see if I get the same email.

(20 Sep '16, 00:55) williaminwi

Sorry for the late reply; I missed the notification of your reply. The reason Let's Encrypt gave for the hard cutoff of anything earlier than OpenSSL 1.0.2 was the existence of a bug that would cause some requests to be rejected by the Let's Encrypt server. The installed system version on the CentOS 7 box my account is on is 1.0.1. Would you still like me to open an issue on GitHub?

Also, I recently ran the script to update my certificates so we'll see if seanf's answer did the trick.

(04 Oct '16, 00:45) unrealcroissant

I created a ticket to track this in case others report the same issue: https://github.com/will-in-wi/letsencrypt-webfaction/issues/51

Do you know what version of LetsencryptWebfaction/Acme::Client you are using? There was a bug in an older version of the latter which might be what they are complaining about. See https://github.com/will-in-wi/letsencrypt-webfaction/issues/48 which might resolve the issue.

(04 Oct '16, 01:22) williaminwi

The email I received is identical to the email posted in the resolved issue linked in your comment.
The Acme Client version that was running when the questionable requests were generated was 0.3.6. Before my most recent set of requests I updated the script and am now running 0.4.1.

Hopefully the problem is solved.

(04 Oct '16, 18:55) unrealcroissant
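
Added example, not part of any post above and not code from the letsencrypt-webfaction project: a POSIX shell check for two points raised in the thread, that the `openssl` command and Ruby's OpenSSL binding can load different libraries, and that a cron job does not see exports made in a login shell. The `$HOME/openssl` prefix comes from seanf's answer and the 1.0.2 cutoff from the email described in the comments; the function names are illustrative.

```sh
#!/bin/sh
# Added example. Prefix from seanf's answer; 1.0.2 cutoff from the email in the thread.
OPENSSL_PREFIX="${OPENSSL_PREFIX:-$HOME/openssl}"
MIN_VERSION="1.0.2"

# Pull "1.0.1" out of a banner such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Non-OpenSSL banners (e.g. LibreSSL) yield an empty string on purpose.
numeric_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the banner's version is >= MIN_VERSION, 1 if older or unparsable.
version_ok() {
    v=$(numeric_version "$1")
    [ -n "$v" ] || return 1
    lowest=$(printf '%s\n%s\n' "$MIN_VERSION" "$v" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$MIN_VERSION" ]
}

# Run a command with the custom build first in PATH and in the loader path.
# The body is a subshell, so the caller's environment is left unchanged.
# A cron entry can call this wrapper, since cron does not read shell exports.
with_custom_openssl() (
    PATH="$OPENSSL_PREFIX/bin:$PATH"
    LD_LIBRARY_PATH="$OPENSSL_PREFIX/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export PATH LD_LIBRARY_PATH
    "$@"
)

# Show what the openssl CLI and Ruby's OpenSSL binding actually load.
# They can differ: Ruby resolves the library at run time, independent of PATH.
report() {
    cli=$(with_custom_openssl openssl version 2>/dev/null) || cli="(unavailable)"
    rb=$(with_custom_openssl ruby -ropenssl \
        -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION' 2>/dev/null) || rb="(unavailable)"
    for pair in "openssl CLI|$cli" "Ruby binding|$rb"; do
        if version_ok "${pair#*|}"; then status="ok"; else status="older than $MIN_VERSION or unknown"; fi
        printf '%-13s %-36s %s\n' "${pair%%|*}" "${pair#*|}" "$status"
    done
}

report
```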
question asked: 19 Sep '16, 19:18

question was seen: 871 times

last updated: 05 Oct '16, 19:40
