Project LetsEncrypt: Difference between revisions
Revision as of 00:32, 4 August 2018
LetsEncrypt
Today I replaced my self-signed certs with official ones from Let's Encrypt:
Request First Cert
    ssh root@job4
    cd /usr/local/bin
    sudo wget https://dl.eff.org/certbot-auto
    sudo certbot-auto --apache
Apache Config Preparation
At first, this did not work. The script needs a vhost for port 80, so I created one:
/etc/apache2/vhosts.d/vhost-chickenkiller.conf:
    <VirtualHost *:80>
        ServerAdmin joachim.banzhaf@gmail.com
        ServerName banzhaf.chickenkiller.com
        ServerAlias banzhaf.chickenkiller.com
        DocumentRoot /srv/www/htdocs
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
    </VirtualHost>
Then it complained about syntax errors in my Apache config that I needed to fix (unclosed quotes). Finally the validation failed due to access errors. I had to remove all old-style access control and use the new Apache 2.4 style, which was more straightforward than I expected:
- remove all "Order deny/allow" directives that are not ifdef'd
- replace all "Allow/Deny from all" by "Require all granted/denied" if not ifdef'd
- replace all "Allow from ip/hostname/net" by "Require host ip/hostname/net"
- remove module access_compat from the APACHE_MODULES variable in /etc/sysconfig/apache2
- systemctl restart apache2
Now the cert was used and validated as safe (although Chromium needed some time to accept it).
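Before dropping access_compat from APACHE_MODULES it is worth scanning the whole config for leftovers, because any 2.2-style directive that survives will make Apache refuse to start once the module is gone. The following is an added example, not a script from this page: a small POSIX sh scanner that lists the remaining `Order`, `Allow from`, `Deny from` and `Satisfy` directives and, following the "if not ifdef'd" rule above, skips those wrapped in an `<IfModule ... access_compat ...>` block (nested IfModule blocks are not tracked). The sample vhost it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): find Apache 2.2-style access-control
# directives that still depend on mod_access_compat, so they can be converted
# to Require before the module is removed from APACHE_MODULES.

# Print matches as "file:line: directive". Lines inside an
# <IfModule ... access_compat ...> block are skipped (one level only).
find_legacy_access() {
    awk '
        /^[[:space:]]*<IfModule[^>]*access_compat/ { guarded = 1; next }
        /^[[:space:]]*<\/IfModule>/               { guarded = 0; next }
        guarded                                   { next }
        tolower($0) ~ /^[[:space:]]*(order|allow from|deny from|satisfy)[[:space:]]/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Number of offending lines across all given files; 0 means the
# legacy module can be removed without breaking the config.
count_legacy_access() {
    find_legacy_access "$@" | awk 'END { print NR }'
}

# Constructed sample vhost for trying the scanner; not a real config.
write_sample_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /srv/www/htdocs
    <Directory /srv/www/htdocs>
        Order deny,allow
        Allow from all
    </Directory>
    <Location /admin>
        Allow from 192.0.2.0/24
        Require all denied
    </Location>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Deny from all
    </IfModule>
</VirtualHost>
EOF
}

# Usage on a real system (prints nothing when the config is clean):
#   find_legacy_access /etc/apache2/httpd.conf /etc/apache2/vhosts.d/*.conf
```

On the sample vhost the scanner reports three lines (the unguarded `Order`, `Allow from all` and `Allow from 192.0.2.0/24`); the guarded block and the already converted `Require all denied` are left alone. After converting the hits, `apachectl configtest` before the restart catches anything the scanner could not see.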
Automation
The cert is only valid for 90 days. Better automate the renewal. It is enough to create this script:
/etc/cron.daily/certbot-auto-renew:
    #!/bin/sh
    python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
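The random sleep spreads renewal attempts across the hour so that every client does not hit the CA at the same minute. Two things the one-liner leaves out are worth having in a daily job: a lock, so a slow run and the next cron invocation cannot overlap, and a deploy hook, because Apache keeps serving the old certificate from memory until it is reloaded. The script below is an added example, not the page's own; the certbot path, the lock directory and the `systemctl reload apache2` hook are assumptions for this setup, and the jitter is computed with awk so it runs under plain /bin/sh without python.

```shell
#!/bin/sh
# Added example (not from the page): a /etc/cron.daily renewal job with the
# same random delay, plus a lock and a deploy hook that reloads Apache.
# CERTBOT, LOCK_DIR and the reload command are assumptions for this example.
CERTBOT=${CERTBOT:-/usr/local/bin/certbot-auto}
LOCK_DIR=${LOCK_DIR:-/run/lock/certbot-renew}
MAX_JITTER=${MAX_JITTER:-3600}

# Random delay in [0, max) seconds, computed with awk so the script needs
# neither python nor bash's $RANDOM.
jitter_seconds() {
    awk -v max="$1" 'BEGIN { srand(); printf "%d\n", int(rand() * max) }'
}

# Renew and reload. mkdir is atomic, so a second concurrent instance fails
# to take the lock and exits quietly instead of racing the first one.
renew_with_reload() {
    mkdir "$LOCK_DIR" 2>/dev/null || {
        echo "certbot renewal already running, skipping" >&2
        return 0
    }
    trap 'rmdir "$LOCK_DIR"' EXIT INT TERM
    # --deploy-hook runs only when a certificate was actually renewed,
    # so Apache is reloaded exactly when there is something new to serve.
    "$CERTBOT" renew --quiet --deploy-hook 'systemctl reload apache2'
}

# Guarded so the functions can be sourced and tested without renewing.
if [ "${RUN_RENEW:-0}" = 1 ]; then
    sleep "$(jitter_seconds "$MAX_JITTER")"
    renew_with_reload
fi
```

Installed as the cron.daily script, run it with `RUN_RENEW=1` (or drop the guard). `--deploy-hook` is a real certbot option that fires only after a successful renewal, which is what keeps a restart-happy hook from reloading Apache every day for nothing.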
Fritz Box Cert
To use the cert with the FRITZ!Box web interface, run:
    ssh root@job4 'cat /etc/letsencrypt/live/banzhaf.chickenkiller.com/[pf]*.pem' >fritz.pem
Then upload this file to the FRITZ!Box cert store via the web interface (Internet/Freigaben/Fritzbox Dienste/).
Planned: use this script to automate: https://gist.github.com/joba-1/6b2fe7294ebda3f6a5d058c6fd9ea44a
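The glob `[pf]*.pem` picks up `fullchain.pem` and `privkey.pem` from certbot's live directory, so fritz.pem is a combined file that contains the private key in the clear. As an added example, not code from the page or from the linked gist, the functions below build that bundle with a restrictive umask and check, before anything is uploaded, that it holds exactly one private key and at least one certificate, which is the shape the router import expects. The live-directory layout follows certbot's; the PEM blocks written by the helper are constructed dummies, not real key material.

```shell
#!/bin/sh
# Added example (not from the page): build and sanity-check the combined PEM
# for the FRITZ!Box import. The bundle contains the private key, so it is
# written with umask 077 and verified before upload.

# Count PEM blocks of a given type ("PRIVATE KEY" or "CERTIFICATE") in a file.
count_pem_blocks() {
    [ -r "$2" ] || { echo 0; return; }
    grep -c "^-----BEGIN.*$1-----" "$2" || true
}

# Concatenate fullchain + privkey (the order the page's glob produces) into
# one file that only the owner can read.
make_fritz_bundle() {
    live_dir=$1
    out=$2
    ( umask 077; cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" >"$out" )
}

# Succeed only if the bundle has exactly one private key and >= 1 certificate.
check_fritz_bundle() {
    keys=$(count_pem_blocks "PRIVATE KEY" "$1")
    certs=$(count_pem_blocks "CERTIFICATE" "$1")
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Constructed stand-in for /etc/letsencrypt/live/<domain>/ with dummy
# PEM blocks (base64 filler, not real keys or certificates).
write_dummy_live_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXktbGVhZg==' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'ZHVtbXktaXNzdWVy' '-----END CERTIFICATE-----' \
        >"$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'ZHVtbXkta2V5' '-----END PRIVATE KEY-----' \
        >"$1/privkey.pem"
}

# Usage on the real host (paths as on the page):
#   make_fritz_bundle /etc/letsencrypt/live/banzhaf.chickenkiller.com fritz.pem
#   check_fritz_bundle fritz.pem && echo "bundle ok, upload it"
```

If the check fails the most likely causes are a glob that matched an extra file or a live directory whose privkey.pem is a symlink the remote `cat` could not follow; either way the file should not be uploaded, and the local copy should be deleted once the router has accepted it.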