====== 24.04 Certificate Provisioning ======


Certificate Authority Security Certificates	
	
Install the required packages:	
	
  apt install certbot python3-certbot-dns-ovh
	
Create an OVH Consumer Key using the following details:	
<code>	
 Site: https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*&DELETE=/domain/zone/*/record/*
 Script name: certbot
 Script description: ACME client for security certificates
 Validity: Unlimited
</code>

You may need to use the OVH "Userid" rather than email - and you need to turn on developer APIs in the account options.
	
With the output of the above site, create /etc/letsencrypt/ovh.ini	
	
<code>
 # OVH API credentials used by Certbot
 dns_ovh_endpoint = ovh-eu
 dns_ovh_application_key = <app_key>
 dns_ovh_application_secret = <app_secret>
 dns_ovh_consumer_key = <consumer_key>
</code>
	
Secure the file:	
	
  chmod 600 /etc/letsencrypt/ovh.ini
	
If the key is ever compromised, revoking it by logging into https://api.ovh.com/console/ and executing:	
	
<code>
 Check apps with: GET /me/api/application
 Locate correct app: GET /me/api/application/{applicationId}
 Delete the app: DELETE /me/api/application/{applicationId}
</code>	

Update the configuration file /etc/letsencrypt/cli.ini to use DNS validation at OVH:	
	
<code>
 # Use DNS authentication at OVH by default
 authenticator = dns-ovh
 dns-ovh-propagation-seconds = 60
 dns-ovh-credentials = /etc/letsencrypt/ovh.ini
</code>
	
To trust Let’s Encrypt certificates:	
	
  wget -O /usr/local/share/ca-certificates/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
  update-ca-certificates
	
Create /etc/letsenrypt/renewal-hooks/deploy/distribute.sh:	
<code>	
#!/bin/bash

declare -A domain

########################################################################
## Copyright (c) 2017-20 Sigma Consulting Services Limited
## v1.00 2017/03/04 ISM: Initial implementation
## v1.01 2018/12/12 ISM: Fix service restarts for systemd
## v1.02 2019/05/28 ISM: Add freepbx service support
## v1.03 2019/12/05 ISM: Fixed freepbx certificate chain issue
## v1.04 2020/01/05 ISM: Added cloud support
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 2 of the License, or
## any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program.  If not, see <http://www.gnu.org/licenses/>.
########################################################################

# ------------------------------------------------------------------
# Script to process LetsEncrypt renewal events for the domains
# listed in $RENEWED_DOMAIN and new certificates stored in
# $RENEWED_LINEAGE.
# ------------------------------------------------------------------

domain[solaris.scottworld.net]='apache'
domain[scottcloud.scottworld.net]='apache'
#domain[mail.example.net]='dovecot postfix'
#domain[secure.example.net]=apache
#domain[voice.example.net]=freepbx

#freepbx_user='root'
logfile="/var/log/letsencrypt/deploy_script.log"

# End of user configuration

logmsg() {
        echo "$(date "+%b %_d %T") $1" >> $logfile
}


for renewed in $RENEWED_DOMAINS; do
    services=${domain[$renewed]}

    if [ "$services" != '' ]; then
        for service in $services; do
            logmsg "INFO: Updating $service for domain $renewed"

            case "$service" in
            apache)
                systemctl reload apache2.service
                logmsg "INFO: Apache service reloaded"
                ;;
            dovecot)
                doveadm reload
                logmsg "INFO: Dovecot service reloaded"
                ;;
            freepbx)
                scp $RENEWED_LINEAGE/privkey.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.key
                scp $RENEWED_LINEAGE/fullchain.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.crt
                ssh $freepbx_user@$renewed chown asterisk:asterisk /etc/asterisk/keys/$renewed*
                ssh $freepbx_user@$renewed fwconsole certificates --import
                ssh $freepbx_user@$renewed fwconsole sysadmin updatecert
                ;;
            postfix)
                systemctl reload postfix.service
                logmsg "INFO: Postfix service reloaded"
                ;;
            *)
                logmsg "ERROR: Service $service not recognised for domain $renewed"
                ;;
            esac
        done
    else
        logmsg "WARNING: No service defined for domain $renewed"
    fi

    expires=$(openssl x509 -in $RENEWED_LINEAGE/cert.pem -noout -enddate)
    expires=$(cut -d= -f2- <<<"$expires")
    expires=$(date -d "$expires" '+%F %T %Z')
    logmsg "INFO: New certificate for $renewed expires $expires"
done
</pre>
	
Make the script executable and secure:	
	
 chmod 750 /etc/letsencrypt/renewal-hooks/deploy/distribute.sh
	
Request a test certificate to validate the process:	
	
 certbot certonly --dry-run --rsa-key-size 4096 -d www.example.net
	
Once you have entered an e-mail address, agreed to the terms and the process has succeeded, run the process for a domains needed:	
	
 certbot certonly --rsa-key-size 4096 -d www.example.net

For other services... (you may not need those)
 certbot certonly --rsa-key-size 4096 -d cloud.example.net
 certbot certonly --rsa-key-size 4096 -d mail.example.net
 certbot certonly --rsa-key-size 4096 -d voice.example.net
</code>