Draft - How to use Let's Encrypt
On Linux use the certbot application, which helps automate both the creation of the certificates and the configuration of the virtual hosts.
Check the official documentation on how to install certbot
sudo certbot --apache
This command reads all the virtual host configurations and presents a list of the domains and subdomains it found; pick the ones to create a certificate for and let it configure them. Follow the instructions on the screen.
Wildcard certificates must be created manually. There is also currently no way to auto-renew a manually created certificate, so to renew it you must run the same command again and then change the certificate path in any configuration file that uses the certificate.
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'domain.pt,*.domain.pt'
The --preferred-challenges dns option means that Let's Encrypt will validate the domain using DNS TXT records. During execution it will ask you to create 2 TXT records, which must be added in the DNS management tool.
Only continue past the second TXT record prompt if the records are already published.
On Linux you can check with the command host -t txt <name of the txt record>
Example: host -t txt _acme-challenge.domain.pt
You need a Linode token with read and write permission on domains. The token should be put in /root/linode_credentials
certbot-auto certonly --dns-linode --dns-linode-credentials /etc/linode/certbot --dns-linode-propagation-seconds 120 -d 'leg.wemake.pt,*.leg.wemake.pt,leg-back.wemake.pt,*.leg-back.wemake.pt'
This will automatically create the TXT records on Linode
New systems using snap
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-linode
Old systems - probably no longer works
Had to install the most recent certbot-auto
wget https://raw.githubusercontent.com/certbot/certbot/master/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /opt/eff.org/certbot/venv/bin/pip install certbot-dns-linode
Also you need an API token from Linode with Domain Read/Write Access
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'leg.wemake.pt,*.leg.wemake.pt,leg-back.wemake.pt,*.leg-back.wemake.pt'
...
Please deploy a DNS TXT record under the name
_acme-challenge.leg-back.wemake.pt with the following value:
eADa9ktQZNA1spNWAW0_raCD5wg0HwVbkMe_okocX4o
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.leg.wemake.pt with the following value:
3YvirZwf_WKEPexdMvbBukMx-oJpj53E-LYU8Xff3nU
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
This will give you 4 TXT records; add them with the Linode DNS management tools and only press «enter» when these records are publicly available.
Check with host -t txt _acme-challenge.leg-back.wemake.pt and host -t txt _acme-challenge.leg.wemake.pt until each shows the correct value, in this case:
_acme-challenge.leg-back.wemake.pt value: eADa9ktQZNA1spNWAW0_raCD5wg0HwVbkMe_okocX4o
_acme-challenge.leg.wemake.pt value: 3YvirZwf_WKEPexdMvbBukMx-oJpj53E-LYU8Xff3nU
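The manual check above (run host -t txt until the value appears, then press Enter) can be scripted so the prompt is only answered once the record is really published. The script below is an added example, not part of the original notes; it assumes the host tool from bind9-host / bind-utils that the notes already use, and the record names and values in the usage comment are the ones from the session above.

```shell
#!/bin/sh
# Added example (not part of the original notes): poll the ACME challenge TXT
# records until the values certbot printed are visible, so Enter is only
# pressed once the records are really published. Assumes the `host` tool from
# bind9-host / bind-utils, which the notes already use for the manual check.

# Print the TXT values currently published for a name, one per line, without
# the surrounding quotes. `host -t txt NAME` prints lines such as:
#   _acme-challenge.example.com descriptive text "abc123"
txt_values() {
    host -t txt "$1" 2>/dev/null | sed -n 's/.*descriptive text "\(.*\)"$/\1/p'
}

# Succeed (exit 0) if EXPECTED is among the TXT values published for NAME.
# $1 = NAME, $2 = EXPECTED, $3 = lookup function (defaults to txt_values; a
# test or a dry run can pass a fake resolver instead).
txt_has_value() {
    name=$1; expected=$2; lookup=${3:-txt_values}
    "$lookup" "$name" | grep -Fxq -- "$expected"
}

# Poll NAME until EXPECTED is published or the attempts run out.
# $3 = lookup function, $4 = max attempts (default 30), $5 = seconds between
# attempts (default 10): about five minutes by default, which is more than the
# 120 seconds of propagation time the notes give the Linode plugin.
wait_for_txt() {
    name=$1; expected=$2; lookup=${3:-txt_values}
    attempts=${4:-30}; delay=${5:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_has_value "$name" "$expected" "$lookup"; then
            echo "OK: $name publishes $expected"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TIMEOUT: $name still does not publish $expected" >&2
    return 1
}

# Command-line use: sh wait_for_txt.sh NAME EXPECTED
# e.g. for the two records from the session above:
#   sh wait_for_txt.sh _acme-challenge.leg-back.wemake.pt eADa9ktQZNA1spNWAW0_raCD5wg0HwVbkMe_okocX4o
#   sh wait_for_txt.sh _acme-challenge.leg.wemake.pt 3YvirZwf_WKEPexdMvbBukMx-oJpj53E-LYU8Xff3nU
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it once per record certbot prints, in a second terminal, and only press Enter in the certbot terminal after every run reports OK. The exact-match (grep -Fx) comparison matters: a stale record from a previous run also answers host -t txt, and only the value certbot printed this time will pass validation.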
You need a Linode token with read and write permission on domains. The token should be put in /root/linode_credentials
certbot certonly --dns-linode --dns-linode-credentials /root/linode_credentials --dns-linode-propagation-seconds 120 -d 'inout-beta.wemake.pt,*.inout-beta.wemake.pt,inout-beta-back.wemake.pt,*.inout-beta-back.wemake.pt'
This will automatically create the TXT records on Linode
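The token file the dns-linode plugin reads (both the /root/linode_credentials and the /etc/linode/certbot variants in these notes) grants write access to every DNS record in the Linode account, so it should be readable by root only. The script below is an added example, not part of the original notes or of certbot; it assumes the key = value file format documented for certbot-dns-linode, and the token in the test is a constructed placeholder, not a real Linode token.

```shell
#!/bin/sh
# Added example (not part of the original notes): create the credentials file
# that certbot's dns-linode plugin reads, readable by root only, and refuse to
# run certbot while the file is more permissive than that. Assumes the
# key = value file format documented for certbot-dns-linode.

# Write the credentials file for the dns-linode plugin.
# $1 = path (the notes use /root/linode_credentials or /etc/linode/certbot),
# $2 = Linode API token with Domains read/write scope.
# A subshell with umask 077 creates the file as 0600; the chmod afterwards
# covers the case where the file already existed with looser permissions.
write_linode_credentials() {
    path=$1; token=$2
    (
        umask 077
        printf 'dns_linode_key = %s\ndns_linode_version = 4\n' "$token" > "$path"
    ) || return 1
    chmod 0600 "$path"
}

# Succeed only if the file exists and is exactly rw------- (owner read/write).
# Uses ls rather than stat because stat's flags differ between GNU and BSD.
credentials_are_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run the certbot command from the notes only when the credentials file is
# locked down. $1 = credentials path, $2 = comma-separated domain list for -d.
issue_with_linode() {
    creds=$1; domains=$2
    if ! credentials_are_private "$creds"; then
        echo "refusing to run: $creds must be mode 0600" >&2
        return 1
    fi
    certbot certonly --dns-linode \
        --dns-linode-credentials "$creds" \
        --dns-linode-propagation-seconds 120 \
        -d "$domains"
}

# Usage (token value is a placeholder to be replaced with the real one):
#   write_linode_credentials /root/linode_credentials REPLACE_WITH_LINODE_TOKEN
#   issue_with_linode /root/linode_credentials 'inout-beta.wemake.pt,*.inout-beta.wemake.pt'
```

certbot itself warns when a credentials file is group- or world-readable; the check here turns that warning into a hard stop before the token is handed to the plugin.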
By default the Apache config file created by certbot wraps the virtual host in an <IfModule mod_ssl.c> condition. For some reason this does not work on CentOS 6.9 and the file is not loaded. Just comment out the <IfModule mod_ssl.c> and </IfModule> lines.
For some reason on the wazuh VM we need to stop nginx, run the renewal and start nginx again
systemctl stop nginx
certbot renew
systemctl start nginx
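Run as three separate commands, a failed certbot renew leaves nginx stopped until someone notices. The wrapper below is an added example, not part of the original notes; it assumes systemd's systemctl as on the wazuh host, and the SERVICE_CTL variable exists only so the function can be exercised with a fake in place of systemctl.

```shell
#!/bin/sh
# Added example (not part of the original notes): stop a service, run the
# renewal, and start the service again even when the renewal fails, returning
# the renewal's own exit status so cron or a monitoring check still sees it.
# Assumes systemd's systemctl; SERVICE_CTL is only an override hook for tests.

# $1 = service to stop around the renewal; remaining args = the renewal command.
renew_with_service_stopped() {
    svc=$1; shift
    ctl=${SERVICE_CTL:-systemctl}
    "$ctl" stop "$svc" || return 1
    # Capture the renewal status without aborting under `set -e`, so the
    # start below always runs.
    "$@" && status=0 || status=$?
    "$ctl" start "$svc"
    return "$status"
}

# Usage, matching the three commands in the notes:
#   renew_with_service_stopped nginx certbot renew
```

certbot also accepts --pre-hook and --post-hook on certbot renew for the same purpose; the function above is useful where the renewal is driven by a cron job or a script that already exists.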
DRAFT
Issue certificate: acme.sh --issue --apache -d mydomain.com -d '*.mydomain.com'
Currently this is only being used on the LinodeRAR machine because certbot no longer works on old Ubuntu. Renewing certificates is always a mess because for some reason the .cer file goes empty. The way I found around this is to delete the old files and always issue a new certificate.
On LinodeRAR it's better to sudo su and then issue the certificates.
The acme.sh script is in the /root/.acme.sh/ folder along with the certificates for each domain
root@rar:~# ll /root/.acme.sh/
total 240
drwx------ 8 root root 4096 Mar 16 10:58 ./
drwx------ 6 root root 4096 Mar 16 11:19 ../
-rw-r--r-- 1 root root 236 Mar 16 10:58 account.conf
-rwxr-xr-x 1 root root 203895 Jun 9 2021 acme.sh*
drwxr-xr-x 3 root root 4096 Mar 14 19:15 ca/
drwxr-xr-x 2 root root 4096 Jun 9 2021 deploy/
drwxr-xr-x 2 root root 4096 Jun 9 2021 dnsapi/
-rw-r--r-- 1 root root 518 Mar 16 10:58 http.header
drwxr-xr-x 2 root root 4096 Mar 16 10:57 multi.wemake.pt/
drwxr-xr-x 2 root root 4096 Jun 9 2021 notify/
drwxr-xr-x 2 root root 4096 Mar 16 10:58 sgi.wemake.pt/
The INOUT certificate is still in the /home/devel/.acme.sh/ folder