Open main menu

Changes

2,298 bytes added ,  12:58, 25 July 2018
Adds info about Haproxy and Certbot
There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary.
 
Although a cron like <code>certbot renew --quiet --no-self-upgrade</code> will work to renew certs, it's not going to install them. So, a better approach is to modify haproxy and also setup a renewal script.
We have to modify the certbot configuration for (each) certificate. Notice how we specified the port at 54321, which we'll use in Haproxy:
<code>cat /etc/letsencrypt/renewal/demo.qualitybox.us.conf</code>
<pre>
# renew_before_expiry = 30 days
version = 0.25.1
archive_dir = /etc/letsencrypt/archive/demo.qualitybox.us
cert = /etc/letsencrypt/live/demo.qualitybox.us/cert.pem
privkey = /etc/letsencrypt/live/demo.qualitybox.us/privkey.pem
chain = /etc/letsencrypt/live/demo.qualitybox.us/chain.pem
fullchain = /etc/letsencrypt/live/demo.qualitybox.us/fullchain.pem
 
# Options used in the renewal process
[renewalparams]
account = f47c655802900ba026fb42e0bef8acd7
http01_port = 54321
authenticator = standalone
installer = None
pref_challs = http-01,
</pre>
 
Important parts of the Haproxy configuration. [https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-centos-7 More detail]
<pre>
frontend www-https
bind *:443 ssl crt /etc/haproxy/certs
reqadd X-Forwarded-Proto:\ https
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
 
[snip]
 
backend letsencrypt-backend
server letsencrypt 127.0.0.1:54321
</pre>
 
<source lang="bash">
#!/bin/sh
# instead of manually creating a list like this
# declare -a arr=("demo.qualitybox.us" "freephile.qualitybox.us")
# loop through a dynamic list of directories in 'live'
for SITE in $(ls -D /etc/letsencrypt/live)
do
 
# move to correct let's encrypt directory
cd /etc/letsencrypt/live/$SITE
# echo -e "working in the /etc/letsencrypt/live/$SITE directory\n"
 
# cat files to make combined .pem for haproxy
cat fullchain.pem privkey.pem > /etc/haproxy/certs/$SITE.pem
# echo -e "created /etc/haproxy/certs/$SITE.pem\n"
done
 
# reload haproxy
systemctl reload haproxy
# echo -e "reloaded haproxy\n"
</source>
 
 
# use crontab -e as 'root' to setup cron to renew expiring certificates
30 2 * * * /usr/bin/certbot renew --renew-hook "/root/bin/renew.sh" >> /var/log/certbot.log
== On Amazon ==
4,558

edits