crypto:letsencrypt
Differences
crypto:letsencrypt [2019-05-21 22:00] – note re: badphotography.ca gabriel | crypto:letsencrypt [2019-10-16 13:03] (current) – updated to semi-manual process with dns-route53 gabriel | ||
---|---|---|---|
Line 3: | Line 3: | ||
We're currently using Let's Encrypt to generate and manage TLS certificates for quay.net and several other domains. | We're currently using Let's Encrypt to generate and manage TLS certificates for quay.net and several other domains. | ||
- | Now that Let's Encrypt supports wildcard certs, our cert has been modified accordingly. | + | Currently quay.net is hosted on Amazon' |
- | Thus, we'll use the manual process for generating and managing our certificates. | + | <code bash> |
+ | #!/bin/bash | ||
- | ===== certbot manual DNS validation ===== | + | # my domains |
+ | mapfile -t domains << | ||
+ | quay.net | ||
+ | gabriel.to | ||
+ | gabrielobrien.ca | ||
+ | k538.ca | ||
+ | unx.is | ||
+ | badphoto.ca | ||
+ | badphotography.ca | ||
+ | DOMAINS | ||
- | First we'll install the distribution package for certbot + dependencies: | + | # AWS credentials |
+ | export AWS_ACCESS_KEY_ID=" | ||
+ | export AWS_SECRET_ACCESS_KEY=" | ||
- | <code sh> | + | # generate wildcard records for each domain |
- | apt install certbot | + | for domain in ${domains[@]}; |
- | </ | + | |
+ | done | ||
- | Now let's request a new certificate, | + | systemctl stop nginx |
- | + | certbot | |
- | <code sh> | + | systemctl start nginx |
- | sudo certbot --manual | + | |
</ | </ | ||
- | |||
- | Enter our domains at the prompt. | ||
- | |||
- | <code sh> | ||
- | quay.net *.quay.net gabriel.to *.gabriel.to gabrielobrien.ca *.gabrielobrien.ca k538.ca *.k538.ca unx.is *.unx.is badphoto.ca *.badphoto.ca badphotography.ca *.badphotography.ca | ||
- | </ | ||
- | |||
- | If all goes well, you will now be prompted to update a DNS TXT record for each domain as well as a file on the local webserver to allow the ACME service to validate that you actually control the domain(s) in question. | ||
- | |||
- | On our server we use an nginx configuration file that can be enabled or disabled to turn on shared challenge files during certificate renewal. | ||
- | |||
- | < | ||
- | # USAGE: enable this configuration for Route 53 validation for Let's Encrypt | ||
- | location / | ||
- | alias / | ||
- | | ||
- | } | ||
- | </ | ||
- | |||
- | > **Note:** locally we have to manage some custom config for [[https:// | ||
- | |||
- | The instructions are provided at each step and are fairly simple. | ||
- | |||
- | <code sh> | ||
- | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
- | Please deploy a DNS TXT record under the name | ||
- | _acme-challenge.quay.net with the following value: | ||
- | |||
- | <a random string of characters> | ||
- | |||
- | Before continuing, verify the record is deployed. | ||
- | (This must be set up in addition to the previous challenges; do not remove, | ||
- | replace, or undo the previous challenge tasks yet. Note that you might be | ||
- | asked to create multiple distinct TXT records with the same name. This is | ||
- | permitted by DNS standards.) | ||
- | |||
- | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
- | Press Enter to Continue | ||
- | </ | ||
- | |||
- | After you have made the DNS changes for each domain, you will be prompted to create the challenge responses on your webserver, again instructions are provided. | ||
- | |||
- | <code sh> | ||
- | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
- | Create a file containing just this data: | ||
- | |||
- | <another random string of characters> | ||
- | |||
- | And make it available on your web server at this URL: | ||
- | |||
- | http:// | ||
- | |||
- | (This must be set up in addition to the previous challenges; do not remove, | ||
- | replace, or undo the previous challenge tasks yet.) | ||
- | |||
- | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
- | Press Enter to Continue | ||
- | </ | ||
- | |||
- | If all goes well, then your cert will be updated and you just need to restart your webserver(s). | ||
- | |||
- | It's a good idea to clean up these records now to avoid a potential backdoor that might allow somebody to take over your certificate and/or webserver. |
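Review bot: the `export AWS_ACCESS_KEY_ID="` / `export AWS_SECRET_ACCESS_KEY="` lines in the new script embed long-lived AWS secrets in a file that is also pasted into the wiki revision history; drop them from the script and let certbot's dns-route53 plugin pick up credentials from `~/.aws/credentials` or an instance IAM role, and scope that IAM policy to the hosted zones in question with only the `route53:ListHostedZones`, `route53:GetChange` and `route53:ChangeResourceRecordSets` actions the plugin needs. Two smaller points in the same hunk: `for domain in ${domains[@]};` should quote the expansion as `"${domains[@]}"` so the loop survives any entry containing whitespace, and the `systemctl stop nginx` ... `certbot` ... `systemctl start nginx` sequence takes the sites down for the whole run even though a DNS-01 challenge through Route 53 never needs port 80; if the (truncated) `certbot` line uses only the dns-route53 authenticator, a `--deploy-hook 'systemctl reload nginx'` replaces both systemctl lines without an outage. The removed closing note about cleaning up stale `_acme-challenge` TXT records is no longer needed, since the plugin deletes the records it creates once validation completes.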
crypto/letsencrypt.1558490427.txt.gz · Last modified: 2019-05-21 22:00 by gabriel