|
|
| Line 1: |
Line 1: |
| Certificate Authority Security Certificates
| | Install a few helper utils (Make sure Virtualization is enabled in the bios) |
|
| |
| Install the required packages: | |
|
| |
| apt install certbot python3-certbot-dns-ovh
| |
|
| |
| Create an OVH Consumer Key using the following details:
| |
|
| |
| Site: https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*&DELETE=/domain/zone/*/record/*
| |
| Script name: certbot
| |
| Script description: ACME client for security certificates
| |
| Validity: Unlimited
| |
|
| |
|
| You may need to use the OVH "Userid" rather than email - and you need to turn on developer APIs in the account options.
| | apt install qemu-kvm libvirt-clients libvirt-daemon-system |
|
| |
| With the output of the above site, create /etc/letsencrypt/ovh.ini
| |
|
| |
| # OVH API credentials used by Certbot
| |
| dns_ovh_endpoint = ovh-eu
| |
| dns_ovh_application_key = <app_key>
| |
| dns_ovh_application_secret = <app_secret>
| |
| dns_ovh_consumer_key = <consumer_key>
| |
|
| |
| Secure the file:
| |
|
| |
| chmod 600 /etc/letsencrypt/ovh.ini
| |
|
| |
| If the key is ever compromised, revoking it by logging into https://api.ovh.com/console/ and executing:
| |
|
| |
| Check apps with: GET /me/api/application
| |
| Locate correct app: GET /me/api/application/{applicationId}
| |
| Delete the app: DELETE /me/api/application/{applicationId}
| |
|
| |
| Update the configuration file /etc/letsencrypt/cli.ini to use DNS validation at OVH:
| |
|
| |
| # Use DNS authentication at OVH by default
| |
| authenticator = dns-ovh
| |
| dns-ovh-propagation-seconds = 60 | |
| dns-ovh-credentials = /etc/letsencrypt/ovh.ini
| |
|
| |
| To trust Let’s Encrypt certificates:
| |
|
| |
| wget -O /usr/local/share/ca-certificates/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
| |
| wget -O /usr/local/share/ca-certificates/letsencryptauthorityx3.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem
| |
| update-ca-certificates
| |
|
| |
| Create /etc/letsenrypt/renewal-hooks/deploy/distribute.sh:
| |
| <pre>
| |
| #!/bin/bash
| |
|
| |
|
| declare -A domain
| | Check all is ok with a |
|
| |
|
| ########################################################################
| | kvm-ok |
| ## Copyright (c) 2017-20 Sigma Consulting Services Limited
| |
| ## v1.00 2017/03/04 ISM: Initial implementation
| |
| ## v1.01 2018/12/12 ISM: Fix service restarts for systemd
| |
| ## v1.02 2019/05/28 ISM: Add freepbx service support
| |
| ## v1.03 2019/12/05 ISM: Fixed freepbx certificate chain issue
| |
| ## v1.04 2020/01/05 ISM: Added cloud support
| |
| ##
| |
| ## This program is free software: you can redistribute it and/or modify
| |
| ## it under the terms of the GNU General Public License as published by
| |
| ## the Free Software Foundation, either version 2 of the License, or
| |
| ## any later version.
| |
| ##
| |
| ## This program is distributed in the hope that it will be useful,
| |
| ## but WITHOUT ANY WARRANTY; without even the implied warranty of
| |
| ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
| |
| ## GNU General Public License for more details.
| |
| ##
| |
| ## You should have received a copy of the GNU General Public License
| |
| ## along with this program. If not, see <http://www.gnu.org/licenses/>.
| |
| ########################################################################
| |
|
| |
|
| # ------------------------------------------------------------------
| |
| # Script to process LetsEncrypt renewal events for the domains
| |
| # listed in $RENEWED_DOMAIN and new certificates stored in
| |
| # $RENEWED_LINEAGE.
| |
| # ------------------------------------------------------------------
| |
|
| |
|
| domain[solaris.scottworld.net]='apache'
| |
| domain[scottcloud.scottworld.net]='apache'
| |
| #domain[mail.example.net]='dovecot postfix'
| |
| #domain[secure.example.net]=apache
| |
| #domain[voice.example.net]=freepbx
| |
|
| |
|
| #freepbx_user='root'
| | You need to do this and install askpass GNOME |
| logfile="/var/log/letsencrypt/deploy_script.log"
| |
|
| |
|
| # End of user configuration
| | https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1604 |
| | |
| logmsg() {
| |
| echo "$(date "+%b %_d %T") $1" >> $logfile
| |
| }
| |
| | |
| | |
| for renewed in $RENEWED_DOMAINS; do
| |
| services=${domain[$renewed]}
| |
| | |
| if [ "$services" != '' ]; then
| |
| for service in $services; do
| |
| logmsg "INFO: Updating $service for domain $renewed"
| |
| | |
| case "$service" in
| |
| apache)
| |
| systemctl reload apache2.service
| |
| logmsg "INFO: Apache service reloaded"
| |
| ;;
| |
| dovecot)
| |
| doveadm reload
| |
| logmsg "INFO: Dovecot service reloaded"
| |
| ;;
| |
| freepbx)
| |
| scp $RENEWED_LINEAGE/privkey.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.key
| |
| scp $RENEWED_LINEAGE/fullchain.pem $freepbx_user@$renewed:/etc/asterisk/keys/$renewed.crt
| |
| ssh $freepbx_user@$renewed chown asterisk:asterisk /etc/asterisk/keys/$renewed*
| |
| ssh $freepbx_user@$renewed fwconsole certificates --import
| |
| ssh $freepbx_user@$renewed fwconsole sysadmin updatecert
| |
| ;;
| |
| postfix)
| |
| systemctl reload postfix.service
| |
| logmsg "INFO: Postfix service reloaded"
| |
| ;;
| |
| *)
| |
| logmsg "ERROR: Service $service not recognised for domain $renewed"
| |
| ;;
| |
| esac
| |
| done
| |
| else
| |
| logmsg "WARNING: No service defined for domain $renewed"
| |
| fi
| |
| | |
| expires=$(openssl x509 -in $RENEWED_LINEAGE/cert.pem -noout -enddate)
| |
| expires=$(cut -d= -f2- <<<"$expires")
| |
| expires=$(date -d "$expires" '+%F %T %Z')
| |
| logmsg "INFO: New certificate for $renewed expires $expires"
| |
| done
| |
| </pre>
| |
|
| |
| Make the script executable and secure:
| |
|
| |
| chmod 750 /etc/letsencrypt/renewal-hooks/deploy/distribute.sh
| |
|
| |
| Request a test certificate to validate the process:
| |
|
| |
| certbot certonly --dry-run --rsa-key-size 4096 -d www.example.net
| |
|
| |
| Once you have entered an e-mail address, agreed to the terms and the process has succeeded, run the process for a domains needed:
| |
|
| |
| certbot certonly --rsa-key-size 4096 -d www.example.net
| |
| | |
| For other services... (you may not need those)
| |
| | |
| certbot certonly --rsa-key-size 4096 -d cloud.example.net
| |
| certbot certonly --rsa-key-size 4096 -d mail.example.net
| |
| certbot certonly --rsa-key-size 4096 -d voice.example.net
| |