Certificate Provisioning

From Scottworld
Jump to navigation Jump to search

Certificate Authority Security Certificates

Install the required packages:

apt install certbot python3-certbot-dns-ovh

Create an OVH Consumer Key using the following details:

Site: https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*&DELETE=/domain/zone/*/record/*
Script name: certbot
Script description: ACME client for security certificates
Validity: Unlimited

You may need to use the OVH "Userid" rather than email - and you need to turn on developer APIs in the account options.

With the output of the above site, create /etc/letsencrypt/ovh.ini

# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = <app_key>
dns_ovh_application_secret = <app_secret>
dns_ovh_consumer_key = <consumer_key>

Secure the file:

chmod 600 /etc/letsencrypt/ovh.ini

If the key is ever compromised, revoking it by logging into https://api.ovh.com/console/ and executing:

Check apps with: GET /me/api/application
Locate correct app: GET /me/api/application/{applicationId}
Delete the app: DELETE /me/api/application/{applicationId}

Update the configuration file /etc/letsencrypt/cli.ini to use DNS validation at OVH:

# Use DNS authentication at OVH by default
authenticator = dns-ovh
dns-ovh-propagation-seconds = 60
dns-ovh-credentials = /etc/letsencrypt/ovh.ini

To trust Let’s Encrypt certificates:

wget -O /usr/local/share/ca-certificates/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/letsencryptauthorityx3.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem
update-ca-certificates

Create /etc/letsenrypt/renewal-hooks/deploy/distribute.sh:

	
#!/bin/bash

declare -A domain

########################################################################
## Copyright (c) 2017-20 Sigma Consulting Services Limited
## v1.00 2017/03/04 ISM: Initial implementation
## v1.01 2018/12/12 ISM: Fix service restarts for systemd
## v1.02 2019/05/28 ISM: Add freepbx service support
## v1.03 2019/12/05 ISM: Fixed freepbx certificate chain issue
## v1.04 2020/01/05 ISM: Added cloud support
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 2 of the License, or
## any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program.  If not, see <http://www.gnu.org/licenses/>.
########################################################################

# ------------------------------------------------------------------
# Script to process LetsEncrypt renewal events for the domains
# listed in $RENEWED_DOMAIN and new certificates stored in
# $RENEWED_LINEAGE.
# ------------------------------------------------------------------

domain[solaris.scottworld.net]='apache'
domain[scottcloud.scottworld.net]='apache'
#domain[mail.example.net]='dovecot postfix'
#domain[secure.example.net]=apache
#domain[voice.example.net]=freepbx

#freepbx_user='root'
logfile="/var/log/letsencrypt/deploy_script.log"

# End of user configuration

logmsg() {
        echo "$(date "+%b %_d %T") $1" >> $logfile
}


for renewed in $RENEWED_DOMAINS; do
    services=${domain[$renewed]}

    if [ "$services" != '' ]; then
        for service in $services; do
            logmsg "INFO: Updating $service for domain $renewed"

            case "$service" in
            apache)
                systemctl reload apache2.service
                logmsg "INFO: Apache service reloaded"
                ;;
            dovecot)
                doveadm reload
                logmsg "INFO: Dovecot service reloaded"
                ;;
            freepbx)
                scp $RENEWED_LINEAGE/privkey.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.key
                scp $RENEWED_LINEAGE/fullchain.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.crt
                ssh $freepbx_user@$renewed chown asterisk:asterisk /etc/asterisk/keys/$renewed*
                ssh $freepbx_user@$renewed fwconsole certificates --import
                ssh $freepbx_user@$renewed fwconsole sysadmin updatecert
                ;;
            postfix)
                systemctl reload postfix.service
                logmsg "INFO: Postfix service reloaded"
                ;;
            *)
                logmsg "ERROR: Service $service not recognised for domain $renewed"
                ;;
            esac
        done
    else
        logmsg "WARNING: No service defined for domain $renewed"
    fi

    expires=$(openssl x509 -in $RENEWED_LINEAGE/cert.pem -noout -enddate)
    expires=$(cut -d= -f2- <<<"$expires")
    expires=$(date -d "$expires" '+%F %T %Z')
    logmsg "INFO: New certificate for $renewed expires $expires"
done

Make the script executable and secure:

chmod 750 /etc/letsencrypt/renewal-hooks/deploy/distribute.sh

Request a test certificate to validate the process:

certbot certonly --dry-run --rsa-key-size 4096 -d www.example.net

Once you have entered an e-mail address, agreed to the terms and the process has succeeded, run the process for a domains needed:

certbot certonly --rsa-key-size 4096 -d www.example.net

For other services... (you may not need those)

certbot certonly --rsa-key-size 4096 -d cloud.example.net
certbot certonly --rsa-key-size 4096 -d mail.example.net
certbot certonly --rsa-key-size 4096 -d voice.example.net