Mailing List CGatePro@mail.stalker.com Message #106583
From: Shaun Gamble listrdr@redco.com.au <CGatePro@mail.stalker.com>
Subject: Re: Let's Encrypt for CGP on Windows
Date: Wed, 27 Sep 2017 08:03:16 +1000
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>

Thanks Nicolas. I keep having problems with the DNS authentication.

I was trying out a few things. Once I got the command line parameters etc., it seems to keep failing for some reason. Run an nslookup against Google's DNS servers and the TXT file is showing the correct entry has been made. Stuffed if I know what is going on.

C:\CGPExt\le64>le64.exe --key account.key --csr mail.csr --csr-key mail.key --crt mail.crt --domains "mail.redco.com.au" --generate-missing --handle-as dns --live
2017/09/26 11:08:09 [ ZeroSSL Crypt::LE client v0.27 started. ]
2017/09/26 11:08:09 Loading an account key from account.key
2017/09/26 11:08:09 Loading a CSR from mail.csr
2017/09/26 11:08:14 Registering the account key
2017/09/26 11:08:15 The key is already registered. ID: 21783437
Challenge for 'mail.redco.com.au' requires the following DNS record to be created:
Host: _acme-challenge.mail.redco.com.au, type: TXT, value: uQXKLuEw0C9YqdLt6BTVqBVbfpi5vaZaBo-6A1uQBNY
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.mail.redco.com.au
When you see a text record returned, press <Enter>

2017/09/27 07:28:39 Processing the 'dns' verification for 'mail.redco.com.au'
2017/09/27 07:28:39 Domain verification results for 'mail.redco.com.au': error.
JWS has invalid anti-replay nonce -FZBxDVWQvfxfSW_WLL7MnZeejZ72_Seb5vcnTU2w8A
2017/09/27 07:28:39 You can now delete '_acme-challenge.mail.redco.com.au' DNS record
2017/09/27 07:28:39 All verifications failed




On 27/09/2017 4:18 AM, Nicolas Hatier nicolas.hatier@niversoft.com wrote:

I'm doing it with getssl, on Windows with Cygwin.

Using DNS testing, I had to write a script to update the DNS record at my DNS provider, and another one that updates CGP certificates using CLI.pm

Took me about an hour to get it right, and now it's been running without issues for almost a year.

Setup on our Linux servers was a lot easier since http testing could be used on those machines, and I simply reused the CGP script from the Windows installation.

Not "hard", but far from being plug and play.

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com



On 2017-09-25 22:40, Shaun Gamble listrdr@redco.com.au wrote:
CGP 6.1.16

Windows 2012R2

Has anyone managed to set up Let's Encrypt keys and certificates for CGP? I'm trying to move away from self-signed certificates as it is now becoming too hard with Firefox refusing to create a permanent exception.

I am testing with the le64.exe client. Due to the inability to use http testing, I am trying to use DNS testing. It's driving me nuts as the main ISP in Australia still isn't using IPv6 and doesn't allow us to change CAA records.



-- 

Shaun
Fitzroy Island <http://www.fitzroyisland.com>
Destination Darwin NT <http://www.destinationnt.com>
MOM Backpackers <http://www.momdarwin.com>
Value Inn Hotel <http://www.valueinn.com.au>
Please do not send any unsolicited email. It is not wanted. 
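
The le64 log in the first message shows the challenge prompt at 2017/09/26 11:08 and the verification request at 2017/09/27 07:28, which the server answered with "JWS has invalid anti-replay nonce". The following is an added example, not part of the original messages and not le64 or Let's Encrypt code: it models ACME's single-use, expiring nonces and the resend-with-fresh-nonce handling that RFC 8555 describes for a badNonce error. `ToyAcmeServer`, `NONCE_TTL` and the URL are constructed assumptions.

```python
import base64, json, secrets

NONCE_TTL = 3600  # assumed nonce lifetime in seconds (constructed value)

class BadNonce(Exception):
    """Stands in for ACME's urn:ietf:params:acme:error:badNonce reply."""
    def __init__(self, fresh_nonce):
        super().__init__("JWS has invalid anti-replay nonce")
        self.fresh_nonce = fresh_nonce  # error replies still carry a Replay-Nonce

def b64url(obj):
    """JSON-encode and base64url-encode without padding, as JWS does."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_jws(nonce, url, payload):
    """JWS skeleton; the signature is left out because only the nonce matters here."""
    return {"protected": b64url({"nonce": nonce, "url": url}), "payload": b64url(payload)}

class ToyAcmeServer:
    """Hypothetical server model: nonces are single-use and expire after NONCE_TTL."""
    def __init__(self):
        self.issued = {}  # nonce -> simulated time of issue
        self.now = 0      # simulated clock in seconds

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.issued[nonce] = self.now
        return nonce

    def post(self, jws):
        raw = jws["protected"]
        header = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        issued_at = self.issued.pop(header["nonce"], None)  # pop enforces single use
        if issued_at is None or self.now - issued_at > NONCE_TTL:
            raise BadNonce(self.new_nonce())
        return {"status": "accepted", "replay_nonce": self.new_nonce()}

def post_with_retry(server, nonce, url, payload, retries=1):
    """Send the request; on badNonce, rebuild the JWS around the fresh nonce and resend."""
    for attempt in range(retries + 1):
        try:
            return server.post(make_jws(nonce, url, payload)), attempt
        except BadNonce as err:
            if attempt == retries:
                raise
            nonce = err.fresh_nonce

if __name__ == "__main__":
    srv = ToyAcmeServer()
    stale = srv.new_nonce()
    srv.now += 20 * 3600  # long wait at the prompt, as in the log's timestamps
    print(post_with_retry(srv, stale, "https://acme.example/challenge/1", {}))
```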