Difference between revisions of "A Solution for Getting Proper Certs"

From Da Nerd Mage Wiki
Jump to navigation Jump to search
(Created page with "You will need certbot installed on a machine. As of June 2022, it is again possible to simply install it on a Debian machine. * <code>apt install certbot</code> = First Method: Working from the '''machine with certbot''' installed on it = * <code>certbot -d server0.tinkernet.ca,server1.tinkernet.ca,server2.tinkernet.ca,server3.tinkernet.ca --manual --preferred-challenges dns certonly</code> * <code>scp -R /etc/letsencrypt/live/server0.tinkernet.ca/ server0:/etc/letsenc...")
 
 
(33 intermediate revisions by the same user not shown)
Line 2: Line 2:


As of June 2022, it is again possible to simply install it on a Debian machine.
As of June 2022, it is again possible to simply install it on a Debian machine.
* <code>apt install certbot</code>
* <code>sudo apt install certbot</code>


= First Method: Working from the '''machine with certbot''' installed on it =
= Obtaining Certs using HTTP =
* <code>certbot -d server0.tinkernet.ca,server1.tinkernet.ca,server2.tinkernet.ca,server3.tinkernet.ca --manual --preferred-challenges dns certonly</code>
'''Note:''' This requires that the machine be reachable via port 80 from the Internet AND have a legit FQDN that works.
* <code>scp -R /etc/letsencrypt/live/server0.tinkernet.ca/ server0:/etc/letsencrypt/live/</code>
* <code>scp -R /etc/letsencrypt/live/server1.tinkernet.ca/ server1:/etc/letsencrypt/live/</code>
* <code>scp -R /etc/letsencrypt/live/server2.tinkernet.ca/ server2:/etc/letsencrypt/live/</code>
* <code>scp -R /etc/letsencrypt/live/server3.tinkernet.ca/ server3:/etc/letsencrypt/live/</code>


= Second Method: Working from the '''machine being certified''' =
<span style="font-size: 14pt;" >'''<span style="color: rgb(132, 63, 161);" >W.I.P.</span>'''</span>
* <code>ssh <nowiki>root@certifier</nowiki> certbot -d server0.tinkernet.ca</code>
 
* <code>scp -R <nowiki>root@certifier:/etc/letsencrypt/live/server0.tinkernet.ca//etc/letsencrypt/live/</nowiki></code>
= Obtaining Certs using DNS instead of http =
Each machine you're obtaining a cert for will trigger a message like the following from certbot:
 
<pre>
dns-01 challenge for server0.tinkernet.ca
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.server0.tinkernet.ca with the following value:
 
UaealZG5388lSqUWztK_5HnE_ew_GXsMqxyuRfumriY
 
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
</pre>
 
You will need to log into your '''public facing DNS server''' & create the required TXT record, then '''WAIT FOR IT TO PROPEGATE''' before hitting '''Enter'''.
 
Once the certs are obtained, you'll be moving them to their final homes. Note that, in the following 2 examples, the destinations are all <code>/etc/letsencrypt/live/</code>. This will actually be a rare case. More likely, they will need to be in a different location & be renamed. (All depends on the OS & package you're getting them for...)
 
== First Method: Working from the '''machine with certbot''' installed on it ==
* <code>certbot -d server0.mydomain.net --manual --preferred-challenges dns certonly</code>
* <code>scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/</code><br>
 
== Second Method: Working from the '''machine being certified''' ==
* <code>ssh <nowiki>root@certifier</nowiki> certbot -d server0.mydomain.ca --manual --preferred-challenges dns certonly</code>
* <code>scp -R <nowiki>root@certifier:/etc/letsencrypt/live/server0.mydomain.net/ /etc/letsencrypt/live/</nowiki></code>
 
== Caveats & other Notes ==
The following '''certbot''' command lines are "manual" runs. Working on how best to make dns challenges work in "automatic"...


= Caveats & other Notes =
Both of these techniques require that machines have SSH enabled for root...
Both of these techniques require that machines have SSH enabled for root...


Every command above is run as '''root'''. (could also be run using sudo)
Every command here is run as '''root'''. (could also be run using [[Linux - sudo{{!}}sudo]])
 
One possible (sort of...) answer would be to just install '''certbot''' under Proxmox since it defaults to having SSH enabled for root anyhow. This might be quite suitable for the Second Method.
 
= Renewing the Certs =
* <code>certbot renew</code>
Will renew all of the installed certificates that are due to be renewed.
 
== First Method: Working from the '''machine with certbot''' installed on it ==
* <code>certbot renew</code>
* <code>scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/</code>
 
* '''Option:''' Monthly renewal attempt using cron:
** <code>sudo crontab -e</code>
** & add in the line:
** <code>0 0 2 * * /usr/bin/certbot renew ; scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/</code>
** (Passwordless SSH will be required...)
 
== Second Method: Working from the '''machine being certified''' ==
* <code>ssh <nowiki>root@certifier</nowiki> certbot renew</code>
* <code>scp -R <nowiki>root@certifier:/etc/letsencrypt/live/server0.mydomain.net/ /etc/letsencrypt/live/</nowiki></code>
 
= Putting the Certs where they Actually Belong =
== Normal Linux Stuff (Apache in particular...) ==
* Just leave it in '''/etc/letsencrypt/live/'''
* Of course, if you're working on a web server & it's accessible from the Internet, you can run certbot directly on the machine & do the whole --auto thing...
== Proxmox ==
* Using the Web UI:
** Upload '''privkey.pem'''&nbsp;as the '''Private Key''' & '''fullchain.pem''' as the '''Certificate Chain'''.
** You can either just copy the content or SCP them to someplace you can use your graphical file browser to upload from.
* Using SCP:
** Copy '''privkey.pem''' to '''/etc/pve/local/pveproxy-ssl.key'''
** Copy '''fullchain.pem''' to '''/etc/pve/local/pveproxy-ssl.pem'''
 
=== If you're running certbot on the PVE server itself ===
and you want to use cron to do the updates with minimal fuss...
 
* Create a script in roots home directory ('''/root''') called '''certrenew.sh'''
<syntaxhighlight lang="bash">
#!/bin/bash
 
/usr/bin/certbot renew
cp /etc/letsencrypt/live/schizox.tinkernet.ca/privkey.pem /etc/pve/local/pveproxy-ssl.key
cp /etc/letsencrypt/live/schizox.tinkernet.ca/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
 
</syntaxhighlight>
* Replace "''schizox.tinkernet.ca''" with your actual servers FQDN... then call the script from roots crontab
* <code>sudo crontab -e</code>
* <code>0 0 2 * * /root/certrenew.sh</code>
 
== ESXi ==
* Using the Web UI
** Upload by pasting the content of fullchain.pem
* Using SCP
** Copy&nbsp;'''privkey.pem''' to '''/etc/vmware/ssl/rui.key'''
** Copy&nbsp;'''fullchain.pem''' to '''/etc/vmware/ssl/rui.crt'''
** then restart ESXis HTTP:
** <code>/etc/init.d/rhttpproxy restart</code>
== pfSense ==
* ???
== Node-Red ==
* ???
== Grafana ==
* ???
== Shinobi ==
* ???

Latest revision as of 20:59, 1 July 2022

You will need certbot installed on a machine.

As of June 2022, it is again possible to simply install it on a Debian machine.

  • sudo apt install certbot

Obtaining Certs using HTTP

Note: This requires that the machine be reachable via port 80 from the Internet AND have a legit FQDN that works.

W.I.P.

Obtaining Certs using DNS instead of http

Each machine you're obtaining a cert for will trigger a message like the following from certbot:

dns-01 challenge for server0.tinkernet.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.server0.tinkernet.ca with the following value:

UaealZG5388lSqUWztK_5HnE_ew_GXsMqxyuRfumriY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

You will need to log into your public facing DNS server & create the required TXT record, then WAIT FOR IT TO PROPEGATE before hitting Enter.

Once the certs are obtained, you'll be moving them to their final homes. Note that, in the following 2 examples, the destinations are all /etc/letsencrypt/live/. This will actually be a rare case. More likely, they will need to be in a different location & be renamed. (All depends on the OS & package you're getting them for...)

First Method: Working from the machine with certbot installed on it

  • certbot -d server0.mydomain.net --manual --preferred-challenges dns certonly
  • scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/

Second Method: Working from the machine being certified

  • ssh root@certifier certbot -d server0.mydomain.ca --manual --preferred-challenges dns certonly
  • scp -R root@certifier:/etc/letsencrypt/live/server0.mydomain.net/ /etc/letsencrypt/live/

Caveats & other Notes

The following certbot command lines are "manual" runs. Working on how best to make dns challenges work in "automatic"...

Both of these techniques require that machines have SSH enabled for root...

Every command here is run as root. (could also be run using sudo)

One possible (sort of...) answer would be to just install certbot under Proxmox since it defaults to having SSH enabled for root anyhow. This might be quite suitable for the Second Method.

Renewing the Certs

  • certbot renew

Will renew all of the installed certificates that are due to be renewed.

First Method: Working from the machine with certbot installed on it

  • certbot renew
  • scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/
  • Option: Monthly renewal attempt using cron:
    • sudo crontab -e
    • & add in the line:
    • 0 0 2 * * /usr/bin/certbot renew ; scp -R /etc/letsencrypt/live/server0.mydomain.net/ server0:/etc/letsencrypt/live/
    • (Passwordless SSH will be required...)

Second Method: Working from the machine being certified

  • ssh root@certifier certbot renew
  • scp -R root@certifier:/etc/letsencrypt/live/server0.mydomain.net/ /etc/letsencrypt/live/

Putting the Certs where they Actually Belong

Normal Linux Stuff (Apache in particular...)

  • Just leave it in /etc/letsencrypt/live/
  • Of course, if you're working on a web server & it's accessible from the Internet, you can run certbot directly on the machine & do the whole --auto thing...

Proxmox

  • Using the Web UI:
    • Upload privkey.pem as the Private Key & fullchain.pem as the Certificate Chain.
    • You can either just copy the content or SCP them to someplace you can use your graphical file browser to upload from.
  • Using SCP:
    • Copy privkey.pem to /etc/pve/local/pveproxy-ssl.key
    • Copy fullchain.pem to /etc/pve/local/pveproxy-ssl.pem

If you're running certbot on the PVE server itself

and you want to use cron to do the updates with minimal fuss...

  • Create a script in roots home directory (/root) called certrenew.sh
#!/bin/bash

/usr/bin/certbot renew
cp /etc/letsencrypt/live/schizox.tinkernet.ca/privkey.pem /etc/pve/local/pveproxy-ssl.key
cp /etc/letsencrypt/live/schizox.tinkernet.ca/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
  • Replace "schizox.tinkernet.ca" with your actual servers FQDN... then call the script from roots crontab
  • sudo crontab -e
  • 0 0 2 * * /root/certrenew.sh

ESXi

  • Using the Web UI
    • Upload by pasting the content of fullchain.pem
  • Using SCP
    • Copy privkey.pem to /etc/vmware/ssl/rui.key
    • Copy fullchain.pem to /etc/vmware/ssl/rui.crt
    • then restart ESXis HTTP:
    • /etc/init.d/rhttpproxy restart

pfSense

  • ???

Node-Red

  • ???

Grafana

  • ???

Shinobi

  • ???