Difference between revisions of "SSL Certs"

From Da Nerd Mage Wiki
Jump to navigation Jump to search
Line 1: Line 1:
== Upcoming fun stuff ==
== Upcoming fun stuff ==
SSL certs via ClouDNS' <span style="color: rgb(132, 63, 161);" >'''"Free SSL Certificates"'''</span>
SSL certs via ClouDNS' <span style="color: rgb(132, 63, 161);">'''"Free SSL Certificates"'''</span>
 
<span style="color: rgb(132, 63, 161);">''''''</span>
== Installing Certbot on your machine ==
Certbot now requires that you install it from SNAP. <pre>sudo apt update
sudo apt upgrade
</pre><p>Install SNAP</p><pre>sudo apt install snapd
sudo snap install core; sudo snap refresh core
</pre><p>Install Certbot</p><pre>sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
</pre>
== Certs for Devices not Actually Accessible on the Internet ==
== Certs for Devices not Actually Accessible on the Internet ==
=== Using HTTP challenge ===
=== Using HTTP challenge ===
(Do this on your primary web/proxy server)
(Do this on your primary web/proxy server)
* <code>sudo apt install certbot</code>
* Then, for each machine
* <code>sudo certbot certonly -d '''MACHINE.DOMAIN.TLD'''</code>
* <code>sudo certbot certonly -d '''MACHINE.DOMAIN.TLD'''</code>
** when it asks... choose option '''1: Apache Web Server plugin'''
** when it asks... choose option '''1: Apache Web Server plugin'''
Line 11: Line 19:


=== Using DNS challenge ===
=== Using DNS challenge ===
* Build a minimal Linux VM
* For each machine
* <code>sudo apt install certbot</code>
* Then, for each machine
* <code>sudo certbot -d '''MACHINE.DOMAIN.TLD''' --manual --preferred-challenges dns certonly</code>
* <code>sudo certbot -d '''MACHINE.DOMAIN.TLD''' --manual --preferred-challenges dns certonly</code>
** Follow the directions about setting up the DNS record & then hit enter
** Follow the directions about setting up the DNS record & then hit enter
Line 40: Line 46:


==== Getting proper certificates onto the machine ====
==== Getting proper certificates onto the machine ====
Sadly...
Using the instructions at the top of the page, Install SNAP, Install Certbot and grab the certs for your machines that need them.<br>
 
Between the time I wrote this up on the [https://wiki.tinkernet.ca/ TinkerNet Wiki] and now, [https://letsencrypt.org/ Let's Encrypt] has drastically changed things and [https://certbot.eff.org/ certbot] is now only supported if you want to deal with snapd...
 
Give me time & I'll work out new instructions.


For now...&nbsp; The old version is still on [[TinkerWiki:NetMan - SSL Certs#Getting proper certificates onto the machine{{!}}the TinkerNet Wiki]].
The old way to do this is still on [[TinkerWiki:NetMan - SSL Certs#Getting proper certificates onto the machine{{!}}the TinkerNet Wiki]].


<span style="color: rgb(255, 0, 0);">'''[[Now Do A Backup!{{!}}Now Do A Backup!]]'''</span>
<span style="color: rgb(255, 0, 0);">'''[[Now Do A Backup!{{!}}Now Do A Backup!]]'''</span>

Revision as of 23:02, 26 November 2023

Upcoming fun stuff

SSL certs via ClouDNS' "Free SSL Certificates"

'

Installing Certbot on your machine

Certbot now requires that you install it from SNAP. 

sudo apt update
sudo apt upgrade

Install SNAP

sudo apt install snapd

sudo snap install core; sudo snap refresh core

Install Certbot

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certs for Devices not Actually Accessible on the Internet

Using HTTP challenge

(Do this on your primary web/proxy server)

  • sudo certbot certonly -d MACHINE.DOMAIN.TLD
    • when it asks... choose option 1: Apache Web Server plugin
    • Copy your shiny new cert into place

Using DNS challenge

  • For each machine
  • sudo certbot -d MACHINE.DOMAIN.TLD --manual --preferred-challenges dns certonly
    • Follow the directions about setting up the DNS record & then hit enter
    • Copy your shiny new cert into place

Stuff still being worked out...

  • Problem:  Renewal is potentially problematic
    • Tho... Apparently, renewal of a manual cert involves just running the original command again.
      • (every time you run certbot as above, the TXT Record value changes...)
      • one solution might be to use your DNS providers API calls...
      • ooohhh --reuse-key
  • cron job to manage it all

Certs on an Apache based server

From /usr/share/doc/apache2/README.Debian.gz

Enabling SSL

To enable SSL, type:

  • sudo a2ensite default-ssl
  • sudo a2enmod ssl

If you want to use self-signed certificates, you should install the ssl-cert
package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:

  • sudo systemctl restart apache2

The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.

Getting proper certificates onto the machine

Using the instructions at the top of the page, Install SNAP, Install Certbot and grab the certs for your machines that need them.

The old way to do this is still on the TinkerNet Wiki.

Now Do A Backup!

Retrieved from ‘https://wiki.nerdmage.ca/index.php?title=SSL_Certs&oldid=1921