Difference between revisions of "SSL Certs"
Revision as of 00:02, 30 January 2023
Certs for Devices not Actually Accessible on the Internet
Using HTTP challenge
(Do this on your primary web/proxy server. The HTTP-01 challenge only works here because the public DNS name MACHINE.DOMAIN.TLD already resolves to this server: Let's Encrypt fetches http://MACHINE.DOMAIN.TLD/.well-known/acme-challenge/... on port 80 and this server answers for it. The device itself never has to be reachable from the Internet.)
sudo apt install certbot python3-certbot-apache
- Then, for each machine
sudo certbot certonly -d MACHINE.DOMAIN.TLD
- when it asks how you want to authenticate, choose option 1: Apache Web Server plugin (the Apache option is only offered once python3-certbot-apache is installed; the non-interactive equivalent is sudo certbot certonly --apache -d MACHINE.DOMAIN.TLD)
- Copy your shiny new cert into place. certbot leaves it under /etc/letsencrypt/live/MACHINE.DOMAIN.TLD/ as fullchain.pem (public) and privkey.pem (secret). Copy both to the device over an authenticated channel such as scp, and keep privkey.pem readable by root only on the device.
Using DNS challenge
- Build a minimal Linux VM (it only needs outbound HTTPS to Let's Encrypt; nothing has to reach it, and the name being certified does not have to resolve to anything)
sudo apt install certbot
- Then, for each machine
sudo certbot -d MACHINE.DOMAIN.TLD --manual --preferred-challenges dns certonly
- Follow the directions about setting up the DNS record: certbot prints a value, and you create a TXT record named _acme-challenge.MACHINE.DOMAIN.TLD containing exactly that value. Wait until your public nameservers actually serve it (dig -t txt _acme-challenge.MACHINE.DOMAIN.TLD @8.8.8.8, or the nameserver itself) and only then hit enter; if Let's Encrypt looks it up before the record is live, the challenge fails and you start over with a new value.
- Copy your shiny new cert into place (same /etc/letsencrypt/live/MACHINE.DOMAIN.TLD/ files and same root-only rule for privkey.pem as above)
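The "copy your shiny new cert into place" step is the same for both challenge types, and it is the part most often done by hand with the wrong permissions. As an added example (not code from the TinkerNet wiki), here is a certbot --deploy-hook that does it: certbot runs the hook after every successful issuance or renewal with RENEWED_LINEAGE set to the /etc/letsencrypt/live/MACHINE.DOMAIN.TLD directory, and the script installs fullchain.pem world-readable and privkey.pem root-only, atomically, following the permission rule from the Debian apache2 README further down this page. The destination directory (CERT_DEST), the optional DEST_HOST scp target and the placeholder PEM bodies in demo_lineage are assumptions for illustration.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook that installs a lineage's cert and key
# with the right modes.  Not the wiki's own script; paths are assumptions.
set -eu

# Install one PEM file atomically: copy into a temp file in the destination
# directory under umask 077 (never world-readable, even briefly), set the final
# mode, then rename over the target.  rename() is atomic on one filesystem.
install_pem() {
    src=$1; dst=$2; mode=$3
    dir=$(dirname "$dst")
    mkdir -p "$dir"
    tmp="$dir/.$(basename "$dst").$$"
    ( umask 077; cp "$src" "$tmp" )
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"
}

# Deploy a certbot lineage directory into $dest: fullchain.pem 0644 (public),
# privkey.pem 0600 (root only).  Refuses, touching nothing, if either file is
# missing or unreadable (e.g. a dangling symlink in /etc/letsencrypt/live).
deploy_lineage() {
    lineage=$1; dest=$2
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "refusing: $lineage/$f missing" >&2; return 1; }
    done
    install_pem "$lineage/fullchain.pem" "$dest/fullchain.pem" 0644
    install_pem "$lineage/privkey.pem"   "$dest/privkey.pem"   0600
}

# True if $1 has exactly the octal mode $2 (POSIX find, no GNU/BSD stat quirks).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Constructed stand-in for /etc/letsencrypt/live/MACHINE.DOMAIN.TLD so the
# script can be exercised offline.  The PEM bodies are placeholders, not keys.
demo_lineage() {
    d=$(mktemp -d)
    mkdir -p "$d/live/host.example.net"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' \
        > "$d/live/host.example.net/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n' \
        > "$d/live/host.example.net/privkey.pem"
    printf '%s\n' "$d/live/host.example.net"
}

# When certbot invokes this as a deploy hook, RENEWED_LINEAGE is set by certbot.
# CERT_DEST and DEST_HOST are assumed names for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" "${CERT_DEST:-/etc/ssl/tinkernet}"
    # Ship the same two files to the device itself over an authenticated channel.
    if [ -n "${DEST_HOST:-}" ]; then
        scp -p "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
            "root@$DEST_HOST:/etc/ssl/private/"
    fi
    systemctl reload apache2
fi
```

Register it once and every renewal runs it: sudo certbot certonly --apache -d MACHINE.DOMAIN.TLD --deploy-hook /usr/local/bin/deploy-cert.sh (certbot remembers the hook in the lineage's renewal config). The refusal path matters: deploying a cert without its key, or a key without its cert, leaves Apache failing to start at the next restart.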
Stuff still being worked out...
- Problem: Renewal is potentially problematic
- Tho... Apparently, renewal of a manual cert involves just running the original command again. (It does, but interactively: certbot renew runs non-interactively and refuses to renew a --manual lineage that has no --manual-auth-hook, so the cron job below cannot do it on its own.)
- (every time you run certbot as above, the TXT Record value changes, so the record has to be rewritten at every renewal; it cannot be set once and forgotten)
- one solution might be to use your DNS provider's API calls... certbot supports exactly that: either a --manual-auth-hook / --manual-cleanup-hook script that creates and removes the TXT record, or one of the python3-certbot-dns-* plugins where a provider has one
- ooohhh --reuse-key (keeps the same private key across renewals, which is convenient once the key has been copied to a device or pinned somewhere; it does nothing about the TXT record problem)
- cron job to manage it all (the Debian certbot package already installs a twice-daily certbot renew via cron/systemd timer, so once the auth hook exists the scheduling is already there)
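As an added example of the "use your DNS provider's API" idea (not the wiki's own script), here is a --manual-auth-hook / --manual-cleanup-hook that pushes the TXT record with an RFC 2136 dynamic update via nsupdate (bind9-dnsutils), which is the same mechanism the certbot-dns-rfc2136 plugin uses. certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION when it calls the hook; the nameserver, zone, TSIG key file and propagation wait are assumed values for this example. Because the validation value lands inside a command script, the hook checks it against the base64url alphabet first rather than trusting its input.

```shell
#!/bin/sh
# Added example: certbot manual auth/cleanup hook using nsupdate (RFC 2136).
# Not from the wiki; DNS_SERVER, DNS_ZONE, TSIG_KEYFILE, TTL and
# PROPAGATION_SECONDS are assumptions you would set for your own zone.
set -eu

DNS_SERVER=${DNS_SERVER:-ns1.example.net}       # assumed: primary nameserver
DNS_ZONE=${DNS_ZONE:-example.net}               # assumed: zone holding the records
TSIG_KEYFILE=${TSIG_KEYFILE:-/etc/acme/tsig.key} # assumed: TSIG key nsupdate -k reads
TTL=${TTL:-60}
PROPAGATION_SECONDS=${PROPAGATION_SECONDS:-30}

# The record Let's Encrypt queries for dns-01 is _acme-challenge.<name>.
acme_record_name() {
    printf '_acme-challenge.%s.\n' "$1"
}

# A dns-01 validation value is base64url (A-Z a-z 0-9 _ -).  Anything else
# (quotes, spaces, newlines) must not be spliced into an nsupdate script.
valid_token() {
    case ${1:-} in
        '') return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Emit the nsupdate script that adds or deletes the TXT record for $domain.
# Deleting by value matters: each certbot run produces a new value, and stale
# records from earlier runs would otherwise accumulate in the zone.
nsupdate_script() {
    action=$1; domain=$2; value=$3
    valid_token "$value" || { echo "refusing to use validation value '$value'" >&2; return 1; }
    name=$(acme_record_name "$domain")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\n' "$DNS_ZONE"
    case $action in
        add)    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$value" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$value" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Dispatch on the hook mode certbot was told to invoke us with.
case ${1:-} in
    auth)
        nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
        sleep "$PROPAGATION_SECONDS"   # give secondaries time before certbot tells the CA to look
        ;;
    cleanup)
        nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
        ;;
esac
```

Wire it up once, and from then on the existing certbot renew cron job handles renewals unattended: sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/bin/acme-dns.sh auth' --manual-cleanup-hook '/usr/local/bin/acme-dns.sh cleanup' -d MACHINE.DOMAIN.TLD. The TSIG key should be restricted on the nameserver to updating _acme-challenge names only, so a compromised VM can at worst issue certificates, not rewrite the zone.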
Certs on an Apache based server
From /usr/share/doc/apache2/README.Debian.gz
Enabling SSL
To enable SSL, type:
sudo a2ensite default-ssl
sudo a2enmod ssl
If you want to use self-signed certificates, you should install the ssl-cert package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
sudo systemctl restart apache2
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
Getting proper certificates onto the machine
Sadly...
Between the time I wrote this up on the TinkerNet Wiki and now, Let's Encrypt has drastically changed things and certbot is now only supported if you want to deal with snapd...
Give me time & I'll work out new instructions.
For now... The old version is still on the TinkerNet Wiki.