Difference between revisions of "Certbot"
Jump to navigation
Jump to search
(additional manual steps without certbot role fully ready in meza) |
(Adds info about Haproxy and Certbot) |
||
| Line 49: | Line 49: | ||
There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary. | There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary. | ||
| + | |||
| + | Although a cron like <code>certbot renew --quiet --no-self-upgrade</code> will work to renew certs, it's not going to install them. So, a better approach is to modify haproxy and also setup a renewal script. | ||
| + | We have to modify the certbot configuration for (each) certificate. Notice how we specified the port at 54321, which we'll use in Haproxy: | ||
| + | <code>cat /etc/letsencrypt/renewal/demo.qualitybox.us.conf</code> | ||
| + | <pre> | ||
| + | # renew_before_expiry = 30 days | ||
| + | version = 0.25.1 | ||
| + | archive_dir = /etc/letsencrypt/archive/demo.qualitybox.us | ||
| + | cert = /etc/letsencrypt/live/demo.qualitybox.us/cert.pem | ||
| + | privkey = /etc/letsencrypt/live/demo.qualitybox.us/privkey.pem | ||
| + | chain = /etc/letsencrypt/live/demo.qualitybox.us/chain.pem | ||
| + | fullchain = /etc/letsencrypt/live/demo.qualitybox.us/fullchain.pem | ||
| + | |||
| + | # Options used in the renewal process | ||
| + | [renewalparams] | ||
| + | account = f47c655802900ba026fb42e0bef8acd7 | ||
| + | http01_port = 54321 | ||
| + | authenticator = standalone | ||
| + | installer = None | ||
| + | pref_challs = http-01, | ||
| + | </pre> | ||
| + | |||
| + | Important parts of the Haproxy configuration. [https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-centos-7 More detail] | ||
| + | <pre> | ||
| + | frontend www-https | ||
| + | bind *:443 ssl crt /etc/haproxy/certs | ||
| + | reqadd X-Forwarded-Proto:\ https | ||
| + | acl letsencrypt-acl path_beg /.well-known/acme-challenge/ | ||
| + | use_backend letsencrypt-backend if letsencrypt-acl | ||
| + | |||
| + | [snip] | ||
| + | |||
| + | backend letsencrypt-backend | ||
| + | server letsencrypt 127.0.0.1:54321 | ||
| + | </pre> | ||
| + | |||
| + | <source lang="bash"> | ||
| + | #!/bin/sh | ||
| + | # instead of manually creating a list like this | ||
| + | # declare -a arr=("demo.qualitybox.us" "freephile.qualitybox.us") | ||
| + | # loop through a dynamic list of directories in 'live' | ||
| + | for SITE in $(ls -D /etc/letsencrypt/live) | ||
| + | do | ||
| + | |||
| + | # move to correct let's encrypt directory | ||
| + | cd /etc/letsencrypt/live/$SITE | ||
| + | # echo -e "working in the /etc/letsencrypt/live/$SITE directory\n" | ||
| + | |||
| + | # cat files to make combined .pem for haproxy | ||
| + | cat fullchain.pem privkey.pem > /etc/haproxy/certs/$SITE.pem | ||
| + | # echo -e "created /etc/haproxy/certs/$SITE.pem\n" | ||
| + | done | ||
| + | |||
| + | # reload haproxy | ||
| + | systemctl reload haproxy | ||
| + | # echo -e "reloaded haproxy\n" | ||
| + | </source> | ||
| + | |||
| + | |||
| + | # use crontab -e as 'root' to setup cron to renew expiring certificates | ||
| + | 30 2 * * * /usr/bin/certbot renew --renew-hook "/root/bin/renew.sh" >> /var/log/certbot.log | ||
== On Amazon == | == On Amazon == | ||
