Changes

1,588 bytes added, 11:49, 15 May 2023
Fixed certbot
{{Feature
|image=Electronic Frontier Foundation video conferencing background certbot-logo-1 (28343180089).png
|imgdesc=Certbot
|title=
}}
{{#set:feature title = {{PAGENAME}} }}
{{#set:feature description = Certbot, from the Let's Encrypt project of the EFF, provides free and automated SSL certificates for QualityBox. }}
{{#set:feature notes = For non-public sites, we can still generate certificates using DNS }}
{{#set:feature tests = [https://www.ssllabs.com/ssltest/analyze.html?d={{SERVERNAME}} Test on SSL Labs.com] }}
{{#set:feature examples = See [[:File:Certificate grade.png]] }}
 
Certbot is a tool that lets you obtain and manage the Transport Layer Security ([[TLS]]) certificates of your web server.
 
{{ambox
|type = content
|text = auto renewal stripped some important params from the configuration in <tt>/etc/letsencrypt/renewal/wiki.freephile.org</tt>, so I had to add them back:
<syntaxhighlight lang=diff>
[renewalparams]
-authenticator = webroot
+authenticator = standalone
account = 3b0dcc96ceabfb4cf56597fe14ddee7a
server = https://acme-v02.api.letsencrypt.org/directory
manual_public_ip_logging_ok = None
+http01_port = 54321
+installer = None
+pref_challs = http-01
</syntaxhighlight>
 
The '''real''' solution is to upgrade Certbot, which will happen anyway when we upgrade the host, which will happen anyway when we move to [[Canasta]], so '''get 'er done!'''
 
Then, update this page content to reflect current usage.
 
[[User:Admin|freephile]] ([[User talk:Admin|talk]]) 11:49, 15 May 2023 (EDT)
<br />
}}
== Let's Encrypt ==
We used to get certificates from StartSSL because they offered free one-year certificates. Today we upgraded to Let's Encrypt, and our certificates are both more secure and easier to manage: instead of a "B" grade, we now have "A" grade security. <ref>https://www.ssllabs.com/ssltest/analyze.html</ref>
[[File:AGradeCertificate grade.png|left|500px]] [[File:BGrade.png|right|500px]]
'''Certbot''' ([https://github.com/certbot/certbot code]) is a fully-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring web servers to use them. This client runs on Unix-based operating systems. It '''requires''' root access and is '''beta''' software.
<source lang="bash">
# edit letsencrypt.yml as needed to identify the host for the play
ansible-playbook -i hosts letsencrypt.yml
# or if you need to use a different user for SSH
ansible-playbook -i hosts letsencrypt.yml --user=root

# if installing by package (default), then certbot is installed "normally". If by source, it's in /opt/certbot
## on the target host
# see if there are any certificates
certbot certificates
# stop HAProxy to make sure the host itself is reachable for the challenge (standalone binds the port HAProxy holds),
# but don't install into Apache, just use the standalone authenticator
systemctl stop haproxy
certbot certonly --standalone -d demo.qualitybox.us
# (the earlier webroot variant was: certbot certonly --webroot -w /opt/htdocs/ -d demo.qualitybox.us)
# then run meza deploy to concatenate the cert files into a .pem file installed into HAProxy
# or if you have to do it manually
rm -f /etc/haproxy/certs/meza.crt
# note: the combined .pem contains the private key, so keep it readable by root only
DOMAIN='demo.qualitybox.us' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
# edit HAProxy to use the certificate
vim /etc/haproxy/haproxy.cfg
systemctl restart haproxy
systemctl status haproxy
# Now you should be able to access $DOMAIN with a green lock icon
</source>
 
== With HAProxy ==
The best way for Cloudflare customers to encrypt '''fully''' is to use Certbot. Cloudflare support echoes [https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare word-for-word] what Let's Encrypt says in their community forum: [https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338 How to get a Let's Encrypt certificate while using CloudFlare]
tl;dr: Use the <code>--webroot-path</code> option with the <code>certonly</code> command, or use <code>--preferred-challenges="dns"</code>, but you'll need to manually intervene. Optionally, if you just turn off the proxying while you issue the certificate, you can use TLS-SNI and HTTP-01 challenges (and then turn proxying back on). For more advanced usage, check out the docs where they describe [https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks pre and post validation hooks].
With the pre-hook and post-hook options, you can script the conditions needed to authenticate and renew.
<code>certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"</code>
The <code>--renew-hook</code> only runs when a certificate has been successfully renewed, so use this script to do things like concatenate the fullchain and
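The manual concatenation shown in the HAProxy block above and the renew-hook idea described here can be combined into one deploy hook. The script below is an added example, not the wiki's or Certbot's own code; it relies on the <code>RENEWED_LINEAGE</code> environment variable Certbot passes to deploy hooks, and the hook path and the <code>/etc/haproxy/certs</code> directory are assumptions.

```shell
#!/usr/bin/env bash
# Certbot deploy/renew hook for HAProxy (added example, not the wiki's own script).
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/demo.qualitybox.us)
# to the hook; HAProxy wants fullchain + private key in a single PEM file.
set -eu

# Concatenate fullchain.pem and privkey.pem from a lineage dir ($1) into
# $2/<domain>.pem. Prints the output path; returns 1 if an input is missing.
build_haproxy_pem() {
    lineage="$1"; certdir="$2"
    domain="$(basename "$lineage")"
    out="$certdir/$domain.pem"
    [ -r "$lineage/fullchain.pem" ] || { echo "no fullchain.pem in $lineage" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ] || { echo "no privkey.pem in $lineage" >&2; return 1; }
    mkdir -p "$certdir"
    # Write to a 0600 temp file, then rename: the key is never world-readable
    # and HAProxy never reloads a half-written PEM.
    tmp="$(mktemp "$certdir/.$domain.XXXXXX")"
    chmod 0600 "$tmp"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# Sanity check before reloading: exactly one private key, at least one cert,
# and the file is owner-read/write only.
check_combined_pem() {
    pem="$1"
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -ge 1 ] || return 1
    [ "$(ls -l "$pem" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Constructed placeholder lineage for testing offline; not real key material.
make_sample_lineage() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'intermediate' '-----END CERTIFICATE-----' >> "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
}

# Invoked by certbot (assumed path): certbot renew --deploy-hook /usr/local/bin/haproxy-deploy-hook.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem="$(build_haproxy_pem "$RENEWED_LINEAGE" /etc/haproxy/certs)"
    check_combined_pem "$pem"
    systemctl reload haproxy
fi
```

Because the hook only reloads HAProxy after the sanity check passes, a renewal that produced an unreadable or incomplete PEM leaves the running configuration untouched.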
== Resources ==