Difference between revisions of "SSL certs via ClouDNS"
(16 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Step 1 = | <span style="font-size: 24pt; color: rgb(224, 62, 45);">'''WIP!!!'''</span> | ||
Since moving my external DNS to [https://www.cloudns.net/ ClouDNS], they have added [https://www.cloudns.net/news/article/241/?utm_source=Mail&utm_campaign=2023_06_3_newsletter&utm_medium=freessl_news_link a VERY useful service]. The time has come to put it to use! | |||
= Important Notes = | |||
# This service is only available if your account is '''Premium M''' or better | |||
# You will need to enable an '''API user''' | |||
#* (do that [https://www.cloudns.net/api-settings/ here]') | |||
# These certs are wildcard certs for the whole domain | |||
= Step 1 : Create the cert = | |||
[[file:freesslbutton.png{{!}}300px{{!}}right{{!}}thumb]] | |||
In your ClouDNS dashboard, select '''DNS Hosting''', then select the domain you want to add SSL to. | In your ClouDNS dashboard, select '''DNS Hosting''', then select the domain you want to add SSL to. | ||
Then click the '''Free SSL''' button. | Then click the '''Free SSL''' button. | ||
Select your preferred authority, hit the "'''Activate Free SSL'''" button & then wait for it. | |||
(In this example, I've used the "Let's Encrypt" option. May look into "ZeroSSL" later...) | |||
= Step 2 : Download the cert = | |||
Download the cert via their API: | |||
* <code>curl <nowiki>"https://api.cloudns.net/dns/freessl-get.xml?auth-id=</nowiki>'''AUTHID'''&auth-password='''PASSWORD'''&domain-name='''DOMAIN'''"</code> | |||
= Step 3 : Make the cert useable = | |||
(This is where it's gonna get interesting...) | |||
The certs are available as either an XML or a JSON payload... | |||
Attempt #1: Manually extract the key & the fullchain cert set into separate files. Seems to work... | |||
Attempt #2: Write a script or actual program to extract these... | |||
= Step 4 : put the cert into a useful place = | |||
Looking at the standard '''default-ssl.conf''' file for Apache, the reveals: | |||
<pre> | |||
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | |||
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | |||
</pre> | |||
So '''/etc/ssl/certs''' & '''/etc/ssl/private''' looks sensible to me & I've named the files '''ssl-DOMAIN.pem''' & '''ssl-DOMAIN.key''' because there's no snakeoil involved here. | |||
(Also, that script or program above should be able to directly extract the files into those locations.) | |||
= Step 5 : Tell Apache about it = | |||
= Step 6 : Automate the update process = |
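Review bot: The curl line in Step 2 carries auth-id and auth-password in the URL query string, so the API password ends up in shell history and is visible in the process list while curl runs. Since Step 6 plans to automate this, the page should say where the credentials are read from (for example a root-only file) rather than showing them typed inline. The response also contains the private key (Step 3 extracts it), so note that any saved copy of the raw payload needs the same restrictive permissions as the final .key file. Smaller points in this revision: the API-settings link has a stray apostrophe after "here]", "the reveals" in Step 4 is missing a word, and the news link still carries utm_ tracking parameters.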
Latest revision as of 16:17, 21 August 2023
WIP!!!
Since moving my external DNS to ClouDNS, they have added a VERY useful service. The time has come to put it to use!
Important Notes
- This service is only available if your account is Premium M or better
- You will need to enable an API user
  - (do that here: https://www.cloudns.net/api-settings/)
- These certs are wildcard certs for the whole domain
Step 1 : Create the cert
In your ClouDNS dashboard, select DNS Hosting, then select the domain you want to add SSL to.
Then click the Free SSL button.
Select your preferred authority, hit the "Activate Free SSL" button & then wait for it.
(In this example, I've used the "Let's Encrypt" option. May look into "ZeroSSL" later...)
Step 2 : Download the cert
Download the cert via their API:
curl "https://api.cloudns.net/dns/freessl-get.xml?auth-id=AUTHID&auth-password=PASSWORD&domain-name=DOMAIN"
Step 3 : Make the cert useable
(This is where it's gonna get interesting...)
The certs are available as either an XML or a JSON payload...
Attempt #1: Manually extract the key & the fullchain cert set into separate files. Seems to work...
Attempt #2: Write a script or actual program to extract these...
Step 4 : put the cert into a useful place
Looking at the standard default-ssl.conf file for Apache, this reveals:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
So /etc/ssl/certs & /etc/ssl/private look sensible to me & I've named the files ssl-DOMAIN.pem & ssl-DOMAIN.key because there's no snakeoil involved here.
(Also, that script or program above should be able to directly extract the files into those locations.)
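One way to write the "script or actual program" from Steps 3 and 4, as an added example rather than the author's own script: it splits the JSON form of the payload into the two files named above and writes the key owner-only. The field names `fullchain` and `private_key` and the function names are assumptions; check the field names against a real response.

```python
import json
import os
import re
import tempfile

# Assumed field names: check them against a real response from the API.
CERT_FIELD, KEY_FIELD = "fullchain", "private_key"

# Constructed sample payload (placeholder PEM bodies, not a real cert or key).
SAMPLE_PAYLOAD = json.dumps({
    CERT_FIELD: "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    KEY_FIELD: "-----BEGIN PRIVATE KEY-----\nBBBB\n-----END PRIVATE KEY-----\n",
})


def _write_atomic(path, text, mode):
    """Write via a temp file in the target directory, then rename into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ssl-")
    try:
        with os.fdopen(fd, "w") as fh:  # mkstemp creates the file as 0600
            fh.write(text if text.endswith("\n") else text + "\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise


def install_cert(payload, domain, cert_dir="/etc/ssl/certs", key_dir="/etc/ssl/private"):
    """Split the payload into ssl-DOMAIN.pem and ssl-DOMAIN.key; return both paths."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("domain contains characters unsafe in a file name")
    data = json.loads(payload)
    if not isinstance(data, dict):
        raise ValueError("unexpected payload shape")
    cert, key = str(data.get(CERT_FIELD, "")), str(data.get(KEY_FIELD, ""))
    if "-----BEGIN CERTIFICATE-----" not in cert:
        raise ValueError("no PEM certificate in payload")
    if not re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", key):
        raise ValueError("no PEM private key in payload")
    cert_path = os.path.join(cert_dir, f"ssl-{domain}.pem")
    key_path = os.path.join(key_dir, f"ssl-{domain}.key")
    _write_atomic(key_path, key, 0o600)   # owner-only, never world-readable
    _write_atomic(cert_path, cert, 0o644)
    return cert_path, key_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # demo writes to a scratch directory
        print(install_cert(SAMPLE_PAYLOAD, "example.com", cert_dir=d, key_dir=d))
```

An error response from the API has no PEM blocks, so it raises ValueError and leaves the existing files untouched.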