Difference between revisions of "Certbot"

From Freephile Wiki
Jump to navigation Jump to search
(additional manual steps without certbot role fully ready in meza)
(Adds info about Haproxy and Certbot)
Line 49: Line 49:
  
 
There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary.
 
There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary.
 +
 +
Although a cron like <code>certbot renew --quiet --no-self-upgrade</code> will work to renew certs, it's not going to install them. So, a better approach is to modify haproxy and also setup a renewal script.
 +
We have to modify the certbot configuration for (each) certificate. Notice how we specified the port at 54321, which we'll use in Haproxy:
 +
<code>cat /etc/letsencrypt/renewal/demo.qualitybox.us.conf</code>
 +
<pre>
 +
# renew_before_expiry = 30 days
 +
version = 0.25.1
 +
archive_dir = /etc/letsencrypt/archive/demo.qualitybox.us
 +
cert = /etc/letsencrypt/live/demo.qualitybox.us/cert.pem
 +
privkey = /etc/letsencrypt/live/demo.qualitybox.us/privkey.pem
 +
chain = /etc/letsencrypt/live/demo.qualitybox.us/chain.pem
 +
fullchain = /etc/letsencrypt/live/demo.qualitybox.us/fullchain.pem
 +
 +
# Options used in the renewal process
 +
[renewalparams]
 +
account = f47c655802900ba026fb42e0bef8acd7
 +
http01_port = 54321
 +
authenticator = standalone
 +
installer = None
 +
pref_challs = http-01,
 +
</pre>
 +
 +
Important parts of the Haproxy configuration. [https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-centos-7 More detail]
 +
<pre>
 +
frontend www-https
 +
        bind *:443 ssl crt /etc/haproxy/certs
 +
        reqadd X-Forwarded-Proto:\ https
 +
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
 +
        use_backend letsencrypt-backend if letsencrypt-acl
 +
 +
[snip]
 +
 +
backend letsencrypt-backend
 +
        server letsencrypt 127.0.0.1:54321
 +
</pre>
 +
 +
<source lang="bash">
 +
#!/bin/sh
 +
# instead of manually creating a list like this
 +
# declare -a arr=("demo.qualitybox.us" "freephile.qualitybox.us")
 +
# loop through a dynamic list of directories in 'live'
 +
for SITE in $(ls -D /etc/letsencrypt/live)
 +
do
 +
 +
        # move to correct let's encrypt directory
 +
        cd /etc/letsencrypt/live/$SITE
 +
#      echo -e "working in the /etc/letsencrypt/live/$SITE directory\n"
 +
 +
        # cat files to make combined .pem for haproxy
 +
        cat fullchain.pem privkey.pem > /etc/haproxy/certs/$SITE.pem
 +
#      echo -e "created /etc/haproxy/certs/$SITE.pem\n"
 +
done
 +
 +
# reload haproxy
 +
systemctl reload haproxy
 +
# echo -e "reloaded haproxy\n"
 +
</source>
 +
 +
 +
# use crontab -e as 'root' to setup cron to renew expiring certificates
 +
30 2 * * * /usr/bin/certbot renew --renew-hook "/root/bin/renew.sh" >> /var/log/certbot.log
  
 
== On Amazon ==
 
== On Amazon ==

Revision as of 13:58, 25 July 2018