Certificate Provisioning

From ScottWiki

Certificate Authority Security Certificates

Install the required packages:

apt install certbot python3-certbot-dns-ovh

Create an OVH Consumer Key using the following details:

Site: https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*&DELETE=/domain/zone/*/record/*
Script name: certbot
Script description: ACME client for security certificates
Validity: Unlimited

You may need to log in with the OVH "Userid" rather than an e-mail address, and the developer APIs must be turned on in the account options.

With the keys shown by the above site, create /etc/letsencrypt/ovh.ini:

# OVH API credentials used by Certbot
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = <app_key>
dns_ovh_application_secret = <app_secret>
dns_ovh_consumer_key = <consumer_key>

Secure the file:

chmod 600 /etc/letsencrypt/ovh.ini

If the key is ever compromised, revoke it by logging into https://api.ovh.com/console/ and executing:

Check apps with: GET /me/api/application
Locate correct app: GET /me/api/application/{applicationId}
Delete the app: DELETE /me/api/application/{applicationId}

Update the configuration file /etc/letsencrypt/cli.ini to use DNS validation at OVH:

# Use DNS authentication at OVH by default
authenticator = dns-ovh
dns-ovh-propagation-seconds = 60
dns-ovh-credentials = /etc/letsencrypt/ovh.ini

To trust Let’s Encrypt certificates:

wget -O /usr/local/share/ca-certificates/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/letsencryptauthorityx3.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem
update-ca-certificates

Create /etc/letsencrypt/renewal-hooks/deploy/distribute.sh:

#!/bin/bash

declare -A domain

########################################################################
## Copyright (c) 2017-20 Sigma Consulting Services Limited
## v1.00 2017/03/04 ISM: Initial implementation
## v1.01 2018/12/12 ISM: Fix service restarts for systemd
## v1.02 2019/05/28 ISM: Add freepbx service support
## v1.03 2019/12/05 ISM: Fixed freepbx certificate chain issue
## v1.04 2020/01/05 ISM: Added cloud support
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 2 of the License, or
## any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program.  If not, see <http://www.gnu.org/licenses/>.
########################################################################

# ------------------------------------------------------------------
# Certbot deploy hook: process renewal events for the domains listed
# (space separated) in $RENEWED_DOMAINS, whose new certificate files
# are stored in the lineage directory $RENEWED_LINEAGE.
# ------------------------------------------------------------------

# Map each certificate domain to the space separated list of services
# that must pick up the new certificate.
domain[solaris.scottworld.net]='apache'
domain[scottcloud.scottworld.net]='apache'
#domain[mail.example.net]='dovecot postfix'
#domain[secure.example.net]=apache
#domain[voice.example.net]=freepbx

# SSH user on the remote FreePBX host (only needed for the freepbx service)
#freepbx_user='root'
logfile="/var/log/letsencrypt/deploy_script.log"

# End of user configuration

logmsg() {
        echo "$(date "+%b %_d %T") $1" >> "$logfile"
}


for renewed in $RENEWED_DOMAINS; do
    services=${domain[$renewed]}

    if [ "$services" != '' ]; then
        for service in $services; do
            logmsg "INFO: Updating $service for domain $renewed"

            case "$service" in
            apache)
                systemctl reload apache2.service
                logmsg "INFO: Apache service reloaded"
                ;;
            dovecot)
                doveadm reload
                logmsg "INFO: Dovecot service reloaded"
                ;;
            freepbx)
                # Copy key and full chain to the PBX, then let FreePBX import them.
                # The glob is quoted so that it is expanded on the remote host.
                scp "$RENEWED_LINEAGE/privkey.pem" "$freepbx_user@$renewed:/etc/asterisk/keys/$renewed.key"
                scp "$RENEWED_LINEAGE/fullchain.pem" "$freepbx_user@$renewed:/etc/asterisk/keys/$renewed.crt"
                ssh "$freepbx_user@$renewed" "chown asterisk:asterisk /etc/asterisk/keys/$renewed*"
                ssh "$freepbx_user@$renewed" fwconsole certificates --import
                ssh "$freepbx_user@$renewed" fwconsole sysadmin updatecert
                logmsg "INFO: FreePBX certificate imported"
                ;;
            postfix)
                systemctl reload postfix.service
                logmsg "INFO: Postfix service reloaded"
                ;;
            *)
                logmsg "ERROR: Service $service not recognised for domain $renewed"
                ;;
            esac
        done
    else
        logmsg "WARNING: No service defined for domain $renewed"
    fi

    # Record the new expiry date so the log shows the renewal actually took effect
    expires=$(openssl x509 -in "$RENEWED_LINEAGE/cert.pem" -noout -enddate)
    expires=$(cut -d= -f2- <<<"$expires")
    expires=$(date -d "$expires" '+%F %T %Z')
    logmsg "INFO: New certificate for $renewed expires $expires"
done

Make the script executable and secure:

chmod 750 /etc/letsencrypt/renewal-hooks/deploy/distribute.sh

Request a test certificate to validate the process:

certbot certonly --dry-run --rsa-key-size 4096 -d www.example.net

Once you have entered an e-mail address, agreed to the terms and the dry run has succeeded, run the process for each domain needed:

certbot certonly --rsa-key-size 4096 -d www.example.net

For other services (you may not need these):

certbot certonly --rsa-key-size 4096 -d cloud.example.net
certbot certonly --rsa-key-size 4096 -d mail.example.net
certbot certonly --rsa-key-size 4096 -d voice.example.net
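Once certificates have been issued, the three things worth checking are the ones the steps above set up: that ovh.ini really is readable by root only, that the issued certificate is not close to expiry (the deploy hook logs this with date parsing; openssl can do the arithmetic itself), and that cert.pem chains to a root in the store that update-ca-certificates maintains. The script below is an added example, not the wiki's own deploy hook; the paths follow the page (/etc/letsencrypt/ovh.ini, /etc/letsencrypt/live/<domain>/) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight/post-issue checks for the certbot + OVH setup.
# Not part of the wiki's deploy script. Assumed paths follow the page:
#   /etc/letsencrypt/ovh.ini and /etc/letsencrypt/live/<domain>/.
# Function names (creds_mode_ok, cert_valid_for_days, chain_trusted,
# preflight) are this example's own.

# creds_mode_ok FILE
# Succeed only if FILE is a regular file readable by its owner alone
# (mode 600 or 400), the state "chmod 600 ovh.ini" is meant to give.
# Parses `ls -l` rather than `stat` so it works with GNU and BSD userland.
creds_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    bits=$(ls -ld "$f" | cut -c1-10)    # e.g. "-rw-------"
    case "$bits" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_valid_for_days LINEAGE_DIR [DAYS]
# Succeed if LINEAGE_DIR/cert.pem does not expire within DAYS (default 30).
# openssl's -checkend compares notAfter with now, so no `date -d` parsing
# is needed.
cert_valid_for_days() {
    cert="$1/cert.pem"
    days="${2:-30}"
    [ -r "$cert" ] || return 1
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# chain_trusted LINEAGE_DIR
# Succeed if cert.pem validates through chain.pem up to a root in the
# system trust store (openssl's default CA path/file).
chain_trusted() {
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# preflight CREDENTIALS_FILE LINEAGE_DIR [DAYS]
# Run all three checks, print one line per check, return the failure count.
preflight() {
    creds="$1"; lineage="$2"; days="${3:-30}"
    fails=0
    if creds_mode_ok "$creds"; then
        echo "ok   $creds is readable by its owner only"
    else
        echo "FAIL $creds should be mode 600 (chmod 600 $creds)"; fails=$((fails + 1))
    fi
    if cert_valid_for_days "$lineage" "$days"; then
        echo "ok   $lineage/cert.pem valid for more than $days days"
    else
        echo "FAIL $lineage/cert.pem missing or expires within $days days"; fails=$((fails + 1))
    fi
    if chain_trusted "$lineage"; then
        echo "ok   $lineage/cert.pem chains to a trusted root"
    else
        echo "FAIL $lineage/cert.pem does not verify against the system trust store"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh preflight.sh /etc/letsencrypt/ovh.ini /etc/letsencrypt/live/www.example.net
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

The credentials check deliberately accepts only owner-read modes, so a file that certbot would still accept but that group members could read is reported as a failure; the exit status of preflight is the number of failed checks, which makes it usable from cron or a monitoring probe.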