24.04 Certificate Provisioning
Certificate Authority Security Certificates
Install the required packages:
apt install certbot python3-certbot-dns-ovh
Create an OVH Consumer Key using the following details:
Site: https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*&DELETE=/domain/zone/*/record/*
Script name: certbot
Script description: ACME client for security certificates
Validity: Unlimited
You may need to use the OVH “Userid” rather than your e-mail address, and you need to turn on developer APIs in the account options.
With the output of the above site, create /etc/letsencrypt/ovh.ini:

# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = <app_key>
dns_ovh_application_secret = <app_secret>
dns_ovh_consumer_key = <consumer_key>
Secure the file:
chmod 600 /etc/letsencrypt/ovh.ini
If the key is ever compromised, revoke it by logging into https://api.ovh.com/console/ and executing:

Check apps with: GET /me/api/application
Locate the correct app: GET /me/api/application/{applicationId}
Delete the app: DELETE /me/api/application/{applicationId}
Update the configuration file /etc/letsencrypt/cli.ini to use DNS validation at OVH:
# Use DNS authentication at OVH by default
authenticator = dns-ovh
dns-ovh-propagation-seconds = 60
dns-ovh-credentials = /etc/letsencrypt/ovh.ini
To trust Let’s Encrypt certificates:
wget -O /usr/local/share/ca-certificates/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
update-ca-certificates
Create /etc/letsencrypt/renewal-hooks/deploy/distribute.sh:
#!/bin/bash
declare -A domain
########################################################################
## Copyright (c) 2017-20 Sigma Consulting Services Limited
## v1.00 2017/03/04 ISM: Initial implementation
## v1.01 2018/12/12 ISM: Fix service restarts for systemd
## v1.02 2019/05/28 ISM: Add freepbx service support
## v1.03 2019/12/05 ISM: Fixed freepbx certificate chain issue
## v1.04 2020/01/05 ISM: Added cloud support
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 2 of the License, or
## any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program. If not, see <http://www.gnu.org/licenses/>.
########################################################################
# ------------------------------------------------------------------
# Script to process LetsEncrypt renewal events for the domains
# listed in $RENEWED_DOMAINS and new certificates stored in
# $RENEWED_LINEAGE (both exported by certbot for deploy hooks).
# ------------------------------------------------------------------
domain[solaris.scottworld.net]='apache'
domain[scottcloud.scottworld.net]='apache'
#domain[mail.example.net]='dovecot postfix'
#domain[secure.example.net]=apache
#domain[voice.example.net]=freepbx
#freepbx_user='root'
logfile="/var/log/letsencrypt/deploy_script.log"
# End of user configuration

logmsg() {
    echo "$(date "+%b %_d %T") $1" >> "$logfile"
}

for renewed in $RENEWED_DOMAINS; do
    services=${domain[$renewed]}
    if [ "$services" != '' ]; then
        # A domain may map to several space-separated services
        for service in $services; do
            logmsg "INFO: Updating $service for domain $renewed"
            case "$service" in
                apache)
                    systemctl reload apache2.service
                    logmsg "INFO: Apache service reloaded"
                    ;;
                dovecot)
                    doveadm reload
                    logmsg "INFO: Dovecot service reloaded"
                    ;;
                freepbx)
                    # Copy key and full chain to the PBX host and import them
                    scp "$RENEWED_LINEAGE/privkey.pem" "$freepbx_user@$renewed:/etc/asterisk/keys/$renewed.key"
                    scp "$RENEWED_LINEAGE/fullchain.pem" "$freepbx_user@$renewed:/etc/asterisk/keys/$renewed.crt"
                    ssh "$freepbx_user@$renewed" chown asterisk:asterisk "/etc/asterisk/keys/$renewed*"
                    ssh "$freepbx_user@$renewed" fwconsole certificates --import
                    ssh "$freepbx_user@$renewed" fwconsole sysadmin updatecert
                    ;;
                postfix)
                    systemctl reload postfix.service
                    logmsg "INFO: Postfix service reloaded"
                    ;;
                *)
                    logmsg "ERROR: Service $service not recognised for domain $renewed"
                    ;;
            esac
        done
    else
        logmsg "WARNING: No service defined for domain $renewed"
    fi
    # Record the new expiry date in the log
    expires=$(openssl x509 -in "$RENEWED_LINEAGE/cert.pem" -noout -enddate)
    expires=$(cut -d= -f2- <<<"$expires")
    expires=$(date -d "$expires" '+%F %T %Z')
    logmsg "INFO: New certificate for $renewed expires $expires"
done

Make the script executable and secure:

chmod 750 /etc/letsencrypt/renewal-hooks/deploy/distribute.sh

Request a test certificate to validate the process:

certbot certonly --dry-run --rsa-key-size 4096 -d www.example.net

Once you have entered an e-mail address, agreed to the terms and the process has succeeded, run the process for the domains needed:

certbot certonly --rsa-key-size 4096 -d www.example.net

For other services (you may not need these):

certbot certonly --rsa-key-size 4096 -d cloud.example.net
certbot certonly --rsa-key-size 4096 -d mail.example.net
certbot certonly --rsa-key-size 4096 -d voice.example.net
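A consistency check for the deploy hook, added here as an example and not part of the original page or the hook's author's code: it confirms the hook has the 750 mode set above and that every domain in the hook's domain[...] map has a Certbot lineage (live/<domain>/cert.pem), since a domain that is mapped but never issued means the service reload never runs, and a lineage with no map entry is only logged as a WARNING by the hook. The function names are this example's own; it assumes GNU coreutils `stat -c` and Certbot's default layout of one live/<first-domain>/ directory per certificate.

```shell
#!/bin/sh
# Added example, not part of the original page: checks that the deploy
# hook's domain map and Certbot's live/ lineages agree. Assumes GNU
# coreutils (stat -c) and Certbot's default live/<name>/cert.pem layout.

# hook_domains HOOK -> prints one mapped domain per line; commented
# entries are skipped, exactly as the hook itself skips them
hook_domains() {
    sed -n 's/^[[:space:]]*domain\[\([^]]*\)\]=.*/\1/p' "$1"
}

# check_hook HOOK LIVEDIR -> 0 if consistent, 1 otherwise (details on stderr)
check_hook() {
    hook=$1
    live=$2
    rc=0
    # The hook runs as root and carries host names and service commands;
    # the page prescribes 750.
    mode=$(stat -c '%a' "$hook")
    if [ "$mode" != "750" ]; then
        echo "$hook has mode $mode, expected 750" >&2
        rc=1
    fi
    # Every mapped domain must have been issued, or its reload never fires.
    for d in $(hook_domains "$hook"); do
        if [ ! -f "$live/$d/cert.pem" ]; then
            echo "mapped domain $d has no lineage under $live" >&2
            rc=1
        fi
    done
    # Issued certificates with no map entry renew but never reach a service;
    # report them without failing, matching the hook's WARNING behaviour.
    for dir in "$live"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if ! hook_domains "$hook" | grep -qx "$name"; then
            echo "lineage $name has no service mapping (hook would only log a WARNING)" >&2
        fi
    done
    return $rc
}

# Usage: sh check_hook.sh /etc/letsencrypt/renewal-hooks/deploy/distribute.sh /etc/letsencrypt/live
if [ "$#" -eq 2 ]; then
    check_hook "$1" "$2"
fi
```

Run it after adding a domain to the map or after the first real certbot run; it is a cheap complement to certbot renew --dry-run, which exercises the hook but does not tell you whether the map covers every certificate.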
technical/24.04_certificate_provisioning.txt · Last modified: 2024/10/12 21:17 by wikiadmin