Difference between revisions of "A Solution for Getting Proper Certs"
Line 40: | Line 40: | ||
== Second Method: Working from the '''machine being certified''' == | == Second Method: Working from the '''machine being certified''' == | ||
* <code>ssh <nowiki>root@certifier</nowiki> certbot -d server0.tinkernet.ca --manual --preferred-challenges dns certonly</code> | * <code>ssh <nowiki>root@certifier</nowiki> certbot -d server0.tinkernet.ca --manual --preferred-challenges dns certonly</code> | ||
* <code>scp -R <nowiki>root@certifier:/etc/letsencrypt/live/server0.tinkernet.ca//etc/letsencrypt/live/</nowiki></code> | * <code>scp -R <nowiki>root@certifier:/etc/letsencrypt/live/server0.tinkernet.ca/ /etc/letsencrypt/live/</nowiki></code> |
Revision as of 14:41, 29 June 2022
You will need certbot installed on a machine.
As of June 2022, it is again possible to simply install it on a Debian machine.
sudo apt install certbot
Caveats & other Notes
The following certbot command lines are "manual" runs. Working on how best to make dns challenges work in "automatic"... Both of these techniques require that machines have SSH enabled for root...
Every command above is run as root. (could also be run using sudo)
One possible (sort of...) answer would be to just install certbot under Proxmox since it defaults to having SSH enabled for root anyhow. This might be quite suitable for the Second Method.
Obtaining Certs using DNS instead of http
Each machine you're obtaining a cert for will trigger a message like the following from certbot:
dns-01 challenge for server0.tinkernet.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.server0.tinkernet.ca with the following value: UaealZG5388lSqUWztK_5HnE_ew_GXsMqxyuRfumriY Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
You will need to log into your DNS server & create the required TXT record, then WAIT FOR IT TO PROPEGATE before hitting Enter.
First Method: Working from the machine with certbot installed on it
certbot -d server0.tinkernet.ca,server1.tinkernet.ca,server2.tinkernet.ca,server3.tinkernet.ca --manual --preferred-challenges dns certonly
scp -R /etc/letsencrypt/live/server0.tinkernet.ca/ server0:/etc/letsencrypt/live/
scp -R /etc/letsencrypt/live/server1.tinkernet.ca/ server1:/etc/letsencrypt/live/
scp -R /etc/letsencrypt/live/server2.tinkernet.ca/ server2:/etc/letsencrypt/live/
scp -R /etc/letsencrypt/live/server3.tinkernet.ca/ server3:/etc/letsencrypt/live/
Second Method: Working from the machine being certified
ssh root@certifier certbot -d server0.tinkernet.ca --manual --preferred-challenges dns certonly
scp -R root@certifier:/etc/letsencrypt/live/server0.tinkernet.ca/ /etc/letsencrypt/live/