Difference between revisions of "Certbot"
(Certbot reference; extracted from TLS page)
== Service ==
Using our [[Ansible]] role, we can install the certbot client. Then we can install as many certificates as needed, plus set up an automated job which renews them before they expire: Let's Encrypt certificates are valid for 90 days, and certbot's renewal job (run at least daily) renews any certificate that has fewer than 30 days of validity left.

== With HAProxy ==

Like [https://www.lighttpd.net/ Lighttpd], [http://www.apsis.ch/pound/ Pound], [https://www.ejabberd.im/ Ejabberd] and other servers, [http://www.haproxy.org/ HAProxy] expects a single <code>.pem</code> file that contains the combined contents of <code>fullchain.pem</code> and <code>privkey.pem</code>, rather than separate certificate and key files.

Fortunately, certbot offers a <code>--pre-hook</code>, a <code>--post-hook</code> and a <code>--deploy-hook</code> (formerly <code>--renew-hook</code>; the old name is still accepted) that we can use to rebuild that combined file and reload HAProxy after each successful renewal.

There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary.

== On Amazon ==

If you're one of the millions of Amazon Web Services customers, you may be tempted to use their lookalike service called AWS Certificate Manager (ACM).

Don't.

ACM certificates are bound to the region they were issued in and can't even be copied between regions. ACM keeps the private key, so its certificates can't be used on your own servers, only on AWS services that integrate with ACM. They come with annoying quotas. Validation is done by '''email''' to the addresses in <code>whois</code> (which is not going to work if you have domain privacy turned on) or, more recently, by a DNS record. Amazon should have just joined the rest of the world in supporting Let's Encrypt. Fortunately, Let's Encrypt '''can''' be used everywhere, including AWS.

== On Cloudflare ==

Cloudflare offers "[https://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cloudflare-without-having-to-turn-over-your-private-ssl-keys/ Keyless SSL]" and "[https://blog.cloudflare.com/introducing-universal-ssl/ Universal SSL]". Although these are excellent signs that Cloudflare is doing good work, it remains true that '''origin''' traffic (between Cloudflare's edge and your server) may not be encrypted ''at all'': in the "Flexible" SSL mode the browser sees HTTPS while Cloudflare fetches from the origin over plain HTTP, which is a huge trust problem.<ref>https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/</ref>

The best way for Cloudflare customers to encrypt '''fully''' is to use Certbot on the origin and set Cloudflare's SSL mode to "Full (strict)", so that the edge verifies the origin's certificate. Cloudflare support echoes [https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare word-for-word] what Let's Encrypt says in their community forum: [https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338 How to get a Let's Encrypt certificate while using CloudFlare]

With the pre-hook and post-hook options, you can script the conditions needed to authenticate and renew. For example, the <code>standalone</code> authenticator needs port 80 to itself, so stop the web server before the attempt and start it again afterwards:
<code>certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"</code>

The pre-hook and post-hook run around every renewal attempt (not on every run of <code>certbot renew</code> when nothing is due), whether or not the attempt succeeds. The <code>--renew-hook</code> (now called <code>--deploy-hook</code>) only runs when a certificate has been successfully renewed, so use this script to do things like concatenate the fullchain and
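As an added example serving both the HAProxy section above and the hook discussion here (it is not the wiki's or certbot's own code): a POSIX shell deploy hook that rebuilds the combined PEM file HAProxy wants and then reloads HAProxy. It relies on the <code>RENEWED_LINEAGE</code> environment variable that certbot exports to deploy hooks (the lineage directory under <code>/etc/letsencrypt/live/</code>); the target directory <code>/etc/haproxy/certs</code>, the config path and the <code>systemctl reload haproxy</code> command are assumptions to adapt to your system.

```shell
#!/bin/sh
# Added example (not from the wiki page or the certbot project): a certbot
# deploy hook that rebuilds the single combined PEM HAProxy expects and
# reloads HAProxy. Install it and run
#   certbot renew --deploy-hook /usr/local/bin/haproxy-deploy-hook.sh
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) for
# deploy hooks; HAPROXY_CERT_DIR, HAPROXY_CFG and the reload command are
# assumptions.
set -u

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# build_haproxy_pem <lineage dir> <output dir>
# Writes <output dir>/<lineage name>.pem containing fullchain.pem followed by
# privkey.pem, mode 0600, replaced atomically so HAProxy never reads a
# half-written file. Prints the output path; fails if either input is missing.
build_haproxy_pem() {
    lineage=$1
    outdir=$2
    name=$(basename "$lineage")
    out="$outdir/$name.pem"
    tmp="$out.tmp.$$"

    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "build_haproxy_pem: missing $lineage/$f" >&2
            return 1
        fi
    done

    mkdir -p "$outdir"
    # Create the temp file with no group/world bits before any key bytes land in it.
    (umask 077 && cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp")
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# reload_haproxy: validate the configuration first so a bad PEM does not take
# the proxy down; only then ask HAProxy to reload.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG" || return 1
    systemctl reload haproxy
}

# When run by certbot, RENEWED_LINEAGE is set; when sourced for testing it is not.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR" >/dev/null
    reload_haproxy
fi
```

The order inside the combined file matters: HAProxy reads the certificate chain first and the private key after it. Writing to a temp file and renaming it means a reload that races with a renewal still sees either the old or the new file, never a truncated one.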
== Resources ==