cockpit-project
Letsencrypt certificate not working
Explain what happens
I copied the key and crt from Letsencrypt acme.sh into the folder /etc/cockpit/ws-certs.d and restarted cockpit by systemctl restart cockpit.socket. But then the website
https://cockpit-url:9090 did not open. Reverting to the 0-self-signed.cert in that folder worked again.
The permissions were:
-rw-r----- 1 root cockpit-ws 1850 Jul 6 20:47 mydomain.com.crt
-rw------- 1 root cockpit-ws 1679 Jul 6 20:46 mydomain.com.key
So I did install a key.
What am I doing wrong ?
Version of Cockpit
215
Where is the problem in Cockpit?
Accounts
Server operating system
No response
Server operating system version
Ubuntu 20.04LTS
What browsers are you using?
Firefox
System log
Jul 07 19:05:01 myserver systemd[1]: Starting Cockpit Web Service...
Jul 07 19:05:01 myserver systemd[1]: Started Cockpit Web Service.
Jul 07 19:05:01 myserver cockpit-tls[3181088]: cockpit-tls: Invalid server certificate+key file /etc/cockpit/ws-certs.d/mydomain.com.crt: Required key not available
Jul 07 19:05:01 myserver systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
Jul 07 19:05:01 myserver systemd[1]: cockpit.service: Failed with result 'exit-code'.
In Webmin I found a trick:
cat ~/.acme.sh/webmin.myserver.com/webmin.myserver.com.cer ~/.acme.sh/webmin.myserver.com/webmin.myserver.com.key > /etc/webmin/miniserv.pem
which does work.
It combines the Letsencrypt certificate and the private key in one single file.
So I tried the same trick on Cockpit and it worked !
cat ~/.acme.sh/cockpit.myserver.com/cockpit.myserver.com.cer ~/.acme.sh/cockpit.myserver.com/cockpit.myserver.com.key > /etc/cockpit/ws-cockpit/1-self-signed.cert
Maybe this can be documented.
It seems to be documented already at:
https://cockpit-project.org/external/wiki/Proxying-Cockpit-over-Apache-with-LetsEncrypt#tlsssl-certificate-with-lets-encrypt
Now copy the certificates information into the cockpit certificate folder using the following commands
cat /etc/letsencrypt/live/cockpit.your-domain.com/fullchain.pem >> /etc/cockpit/ws-certs.d/1-my-cert.cert cat /etc/letsencrypt/live/cockpit.your-domain.com/privkey.pem >> /etc/cockpit/ws-certs.d/1-my-cert.certYou will need to do this every time the certificate gets renewed (every 3 months).
However, this is within the context of setting up Cockpit with Apache as a proxy using Letsencrypt certificates, instead of just using Cockpit with Letsencrypt. It should be documented in a more generic sense, with just Letsencrypt without the Apache proxy.
To avoid scripting or manually combining these files every three months, I've found an easier "set it and forget it" method to get around this. I've just created a hard link to the "ssl.everything" file. (Note that I created my LetsEncrypt certificate via Webmin's built-in SSL module. I'm not sure how valid this is for other setups, and this was very automated and hands-off.)
ln /etc/ssl/virtualmin/1660390083109411/ssl.everything /etc/cockpit/ws-certs.d/ssl.cert
Now it's just a link rather than a copied or cat'd file, and whenever Certbot updates my certificate, Cockpit will automatically be updated.
This concatenation hasn't been necessary for some time now, cockpit can read separate .cert and .key files. cockpit 257 now can read certificates with any permissions. So this is fixed.
if you set up a symbolic link cockpit will use the proper certificates with no problem
sudo ln -s /etc/letsencrypt/live/[your domain]/cert.pem /etc/cockpit/ws-certs.d/cert.crt sudo ln -s /etc/letsencrypt/live/[your domain]/privkey.pem /etc/cockpit/ws-certs.d/cert.key
if you set up a symbolic link cockpit will use the proper certificates with no problem
sudo ln -s /etc/letsencrypt/live/[your domain]/cert.pem /etc/cockpit/ws-certs.d/cert.crt sudo ln -s /etc/letsencrypt/live/[your domain]/privkey.pem /etc/cockpit/ws-certs.d/cert.key
I had the same thought and tried this first. It won't work because those files are links themselves and they use relative paths.
[ross@freeman ~]$ sudo ls -lash /etc/letsencrypt/live/$FQDN/
total 4.0K
0 drwxr-xr-x. 2 root root 93 Apr 4 11:23 .
0 drwx------. 3 root root 48 Apr 4 10:52 ..
0 lrwxrwxrwx. 1 root root 44 Apr 4 11:23 cert.pem -> ../../archive/$FQDN/cert.pem
0 lrwxrwxrwx. 1 root root 45 Apr 4 11:23 chain.pem -> ../../archive/$FQDN/chain.pem
0 lrwxrwxrwx. 1 root root 49 Apr 4 11:23 fullchain.pem -> ../../archive/$FQDN/fullchain.pem
0 lrwxrwxrwx. 1 root root 47 Apr 4 11:23 privkey.pem -> ../../archive/$FQDN/privkey.pem
4.0K -rw-r--r--. 1 root root 692 Apr 4 10:52 README
Kind of off topic, but my solution to having cockpit pick up the correct cert was to add a post script in /etc/letsencrypt/renewal-hooks/post/ and have it copy the cert and key at /etc/letsencrypt/live/$FQDN/ to /etc/cockpit/ws-certs.d/, then set 644 permissions on the cert and 600 on the key. Much simpler and you don't have to deal with links. 😉
I don't understand why you say "it won't work". I just tried it and it works fine for me..
I also was able to use symbolic links to my acme.sh folder to use the keypair with cockpit. I ran into a minor problem thats worth mentioning here. The key had to use the same filename as the certificate and the certificate has to end with .crt or .cert. You cannot use a .cer or .pem extension. I think @rosspayn3 was using a .pem extension which is why it didnt work for him. You may also need to configure permissions so that the docker daemon can read the private key.
ln -s ~/.acme.sh/{your_domain}/fullchain.cer /etc/cockpit/ws-certs.d/fullchain.crt
ln -s ~/.acme.sh/{your_domain}/{your_domain}.key /etc/cockpit/ws-certs.d/fullchain.key
That could have been the issue. I may revisit this to verify. I've since done this on a production RHEL server using .crt and .key files, and it works fine.