INTERACT FORUM


Author Topic: Command line to [re]load SSL certificates  (Read 789 times)

zybex

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 2389
Command line to [re]load SSL certificates
« on: February 12, 2021, 06:07:31 am »

Hi,
Following up on the new Share feature, it would be useful to have a command-line option to load and activate SSL certificates on MC.
This would allow automating the 3-month renewal cycle of LetsEncrypt certificates. Something like this:
MC27 /SSL [path]PublicCert.pem [path]PrivateCert.pem

Thanks!

zybex

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 2389
Re: Command line to [re]load SSL certificates
« Reply #1 on: February 13, 2021, 02:13:47 pm »

Alternatively, MC could store the Certificate filepath instead of importing the files (or copy the certificates to %appdata%).
Just updating the files and restarting MC would then work for renewal.

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Command line to [re]load SSL certificates
« Reply #2 on: February 13, 2021, 02:24:50 pm »

+1

Yes please. This is effectively blocking me from using TLS on my MC server.

I should note: It might also make sense to build the certbot functionality into MC entirely. They could do all that for you and give you just a checkbox and fields to configure MC to automatically work with Let's Encrypt. That would make it more approachable for regular folk, which is (after all) the goal of Let's Encrypt.

But Let's Encrypt and certbot are all open-sourcey and whatnot. JRiver could just hide all that complexity (like they hide the complexity of using LAME). Then MC could serve the port-80/443 domain validation file (just long enough to complete the renew when it needs to do it), and all that and make it easy for everyone.

In any case, I'll set it up with certbot, but not till I have a way to automate MC's ingestion of the renewed Certs. Because doing that manually every 3 months is the stupid.
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

zybex

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 2389
Re: Command line to [re]load SSL certificates
« Reply #3 on: February 13, 2021, 02:36:43 pm »

Quote from: glynor
"I should note: It might also make sense to build the certbot functionality into MC entirely."

That would be even better. They support the ACME API which is now widely used, and there are C++ libs out there:
https://letsencrypt.org/docs/client-options/

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5177
  • "Linux Merit Badge" Recipient
Re: Command line to [re]load SSL certificates
« Reply #4 on: February 13, 2021, 03:41:17 pm »

Quote from: zybex
"Alternatively, MC could store the Certificate filepath instead of importing the files (or copy the certificates to %appdata%).
Just updating the files and restarting MC would then work for renewal."

This would be my preferred solution. Just storing the path would be by far the easiest thing for users to automate around (unless they go whole hog and build in letsencrypt requests or something, but that seems like a lot of work). Just reading the file from a set path on disk is what most of the other software I use that relies on certs does. When I update my certs, everything else in my stack just notices there's a new cert file at the file path and uses it, but getting JRiver to update requires manual intervention every time, so I've given up for now and just put JRiver behind a reverse proxy instead, which has some limitations in my setup, so I'd be glad of a more seamless native SSL experience.

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Command line to [re]load SSL certificates
« Reply #5 on: February 13, 2021, 03:50:43 pm »

Quote from: mwillems
"Just reading the file from a set path on disk is what most of the other software I use that relies on certs does."

I agree. This would be my preferred solution as well. If they need to cache/store it somewhere internally for performance (or whatever) reasons, then whatever files you have it set to in the UI should just be re-read on startup each time and updated.

I already script MC to restart itself once per day, and so long as I time my LetsEncrypt automation for around the same middle-of-the-night time, it would "just work".

PS. If you are looking for a way to do the rest of this automatically, and you don't have a good firewall setup, the LetsEncrypt support in Sophos UTM is fantastic, it turns out. I set mine up in about 2 minutes, and it works perfectly. And, I've looked, and it seems to be relatively straightforward to script it to automatically download the Certs.

Sophos UTM is awesome, and free for home use: https://secure2.sophos.com/en-us/products/free-tools/sophos-utm-home-edition/download.aspx
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

jmone

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 14267
  • I won! I won!
Re: Command line to [re]load SSL certificates
« Reply #6 on: April 29, 2021, 01:29:32 am »

My 90 days were up, so I had to renew my SSL certificate. I used "Certify the Web" (had to port forward 80 to my PC & turn off Windows Firewall for the process... which makes me nervous)... but it seems I did not have to load the certs into MC again. E.g., this link works for me:

https://mymc.dyndns.info:52200/MCWS/v1/Share/Get?File=csK49RCqIPDwjpv9yjqnbBRMJ%2BpTKSA604sIhcEcq9peENnDtTBX2wPDn3SDEMaVpwvrymOQ52dznKJZz4zE%2FTG3k%2Fl1%2Ft8nAXhLdg%3D%3D

I presumed I would have "new" certs but it all seems to work?
JRiver CEO Elect

zybex

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 2389
Re: Command line to [re]load SSL certificates
« Reply #7 on: April 29, 2021, 01:36:59 am »

Your current certificate was not changed; it says it was issued on Feb 11 and is valid until May 13. You still need to load the new one into MC.

You can see this by clicking the lock icon to the left of the URL on the browser.

jmone

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 14267
  • I won! I won!
Re: Command line to [re]load SSL certificates
« Reply #8 on: April 29, 2021, 02:31:03 am »

Thanks - Updated to the new CRT and KEY in MC and the details are now correct.
JRiver CEO Elect
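
A check for the situation in Replies #6 and #7, as an added example that is not part of any post in this thread: it compares the certificate a server is actually serving with the renewed file on disk, so a renewal script can tell whether the new certificate still has to be loaded. The function names and the command-line arguments are assumptions, and the sample PEM blocks wrap constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the first certificate in a PEM text.

    certbot's fullchain.pem lists the leaf first and the intermediates
    after it, so only the first block identifies the served certificate.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()

def needs_reload(served_pem: str, renewed_pem: str) -> bool:
    """True when the server still presents a different leaf than the file."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(renewed_pem)

def fetch_served_pem(host: str, port: int) -> str:
    # With ca_certs unset, get_server_certificate() does not validate the
    # chain, so an expired certificate is still returned for comparison.
    return ssl.get_server_certificate((host, port))

# Constructed sample data: placeholder bytes wrapped as PEM.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"placeholder: certificate issued Feb 11")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"placeholder: renewed certificate")
CHAIN_PEM = NEW_PEM + ssl.DER_cert_to_PEM_cert(b"placeholder: intermediate CA")

if __name__ == "__main__":
    # Usage (arguments are assumptions): check.py HOST PORT RENEWED_CERT.pem
    host, port, cert_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(cert_path, encoding="ascii") as handle:
        stale = needs_reload(fetch_served_pem(host, port), handle.read())
    print("server still serves the old certificate" if stale else "up to date")
    sys.exit(1 if stale else 0)
```

A non-zero exit status lets a scheduled renewal job flag that the server has not picked up the new certificate yet.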