Difference between revisions of "SSL Certs"
(8 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Upcoming fun stuff == | |||
SSL certs via ClouDNS' <span style="color: rgb(132, 63, 161);">'''"Free SSL Certificates"'''</span> | |||
<span style="color: rgb(132, 63, 161);">''''''</span> | |||
== Installing Certbot on your machine == | |||
Certbot now requires that you install it from SNAP.<pre>sudo apt update | |||
sudo apt upgrade | |||
</pre><p>Install SNAP</p> | |||
<pre>sudo apt install snapd | |||
sudo snap install core; sudo snap refresh core | |||
</pre><p>Install Certbot</p> | |||
<pre>sudo snap install --classic certbot | |||
sudo ln -s /snap/bin/certbot /usr/bin/certbot | |||
</pre> | |||
== Certs for Devices not Actually Accessible on the Internet == | == Certs for Devices not Actually Accessible on the Internet == | ||
=== Using HTTP challenge === | === Using HTTP challenge === | ||
* <code>sudo certbot certonly -d '''MACHINE.DOMAIN.TLD'''</code | (Do this on your primary web/proxy server) | ||
** when it asks... | * <code>sudo certbot certonly -d '''MACHINE.DOMAIN.TLD'''</code> | ||
** when it asks... choose option '''1: Apache Web Server plugin''' | |||
** Copy your shiny new cert into place<br> | |||
=== Using DNS challenge === | === Using DNS challenge === | ||
* For each machine | |||
* <code>sudo certbot -d '''MACHINE.DOMAIN.TLD''' --manual --preferred-challenges dns certonly</code> | * <code>sudo certbot -d '''MACHINE.DOMAIN.TLD''' --manual --preferred-challenges dns certonly</code> | ||
** Follow the directions about setting up the DNS record & then hit enter | ** Follow the directions about setting up the DNS record & then hit enter | ||
** Copy your shiny new cert into place | ** Copy your shiny new cert into place | ||
=== Stuff still being worked out... === | ==== Stuff still being worked out... ==== | ||
* Problem: Renewal is potentially problematic | * Problem: Renewal is potentially problematic | ||
** Tho... Apparently, renewal of a manual cert involves [https://community.letsencrypt.org/t/certbot-manual-renew/17789/2 just running the original command again]. | ** Tho... Apparently, renewal of a manual cert involves [https://community.letsencrypt.org/t/certbot-manual-renew/17789/2 just running the original command again]. | ||
Line 22: | Line 34: | ||
* cron job to manage it all | * cron job to manage it all | ||
==== If getting certs for a proxied site... ==== | |||
You will need to copy the cert files that you acquired over to the proxied site. You do not need Certbot installed on the proxy VM as it isn't required but you will need to create the appropriate folders to copy the certs into. '''SSH into the proxy machine - '''<br><pre>cd /etc | |||
sudo mkdir letsencrypt | |||
cd /letsencrypt | |||
sudo mkdir live | |||
cd /etc<br></pre><p class="mwt-heading" >Now exit back out to your web server and SCP your cert files from /etc/letsencrypt/live to the folder you created on the proxy machine.</p> | |||
== Certs on an Apache based server == | == Certs on an Apache based server == | ||
From /usr/share/doc/apache2/README.Debian.gz | From /usr/share/doc/apache2/README.Debian.gz | ||
Line 36: | Line 54: | ||
==== Getting proper certificates onto the machine ==== | ==== Getting proper certificates onto the machine ==== | ||
Using the instructions at the top of the page, Install SNAP, Install Certbot and grab the certs for your machines that need them.<br>The old way to do this is still on [[TinkerWiki:NetMan - SSL Certs#Getting proper certificates onto the machine{{!}}the TinkerNet Wiki]]. | |||
<span style="color: rgb(255, 0, 0);">'''[[Now Do A Backup!{{!}}Now Do A Backup!]]'''</span> | <span style="color: rgb(255, 0, 0);">'''[[Now Do A Backup!{{!}}Now Do A Backup!]]'''</span> |
Latest revision as of 22:23, 26 November 2023
Upcoming fun stuff
SSL certs via ClouDNS' "Free SSL Certificates"
'
Installing Certbot on your machine
Certbot now requires that you install it from SNAP.
sudo apt update sudo apt upgrade
Install SNAP
sudo apt install snapd sudo snap install core; sudo snap refresh core
Install Certbot
sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot
Certs for Devices not Actually Accessible on the Internet
Using HTTP challenge
(Do this on your primary web/proxy server)
sudo certbot certonly -d MACHINE.DOMAIN.TLD
- when it asks... choose option 1: Apache Web Server plugin
- Copy your shiny new cert into place
Using DNS challenge
- For each machine
sudo certbot -d MACHINE.DOMAIN.TLD --manual --preferred-challenges dns certonly
- Follow the directions about setting up the DNS record & then hit enter
- Copy your shiny new cert into place
Stuff still being worked out...
- Problem: Renewal is potentially problematic
- Tho... Apparently, renewal of a manual cert involves just running the original command again.
- (every time you run certbot as above, the TXT Record value changes...)
- one solution might be to use your DNS providers API calls...
- ooohhh --reuse-key
- Tho... Apparently, renewal of a manual cert involves just running the original command again.
- cron job to manage it all
If getting certs for a proxied site...
You will need to copy the cert files that you acquired over to the proxied site. You do not need Certbot installed on the proxy VM as it isn't required but you will need to create the appropriate folders to copy the certs into. SSH into the proxy machine -
cd /etc sudo mkdir letsencrypt cd /letsencrypt sudo mkdir live cd /etc<br>
Now exit back out to your web server and SCP your cert files from /etc/letsencrypt/live to the folder you created on the proxy machine.
Certs on an Apache based server
From /usr/share/doc/apache2/README.Debian.gz
Enabling SSL
To enable SSL, type:
sudo a2ensite default-ssl
sudo a2enmod ssl
If you want to use self-signed certificates, you should install the ssl-cert
package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
sudo systemctl restart apache2
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
Getting proper certificates onto the machine
Using the instructions at the top of the page, Install SNAP, Install Certbot and grab the certs for your machines that need them.
The old way to do this is still on the TinkerNet Wiki.