Project LetsEncrypt: Difference between revisions
Revision as of 18:54, 27 June 2021
Let's Encrypt
Today I replaced the self-signed certs of my dyndns domain with official ones from [Let's Encrypt]:
Request First Cert
    ssh root@job4
    cd /usr/local/bin
    sudo wget https://dl.eff.org/certbot-auto
    sudo certbot-auto --apache
Apache Config Preparation
At first, this did not work. The apache plugin answers the HTTP-01 challenge on port 80, so it needs a vhost for the domain there. I created one:
/etc/apache2/vhosts.d/vhost-chickenkiller.conf:
    <VirtualHost *:80>
        ServerAdmin joachim.banzhaf@gmail.com
        ServerName banzhaf.chickenkiller.com
        ServerAlias banzhaf.chickenkiller.com
        DocumentRoot /srv/www/htdocs
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
    </VirtualHost>
Then it complained about syntax errors in my apache config that I had to fix (unclosed quotes). After that the validation failed with access errors. I had to remove all old-style (Apache 2.2) access control and switch to the Apache 2.4 Require directives, which was more straightforward than I expected:
- remove all "Order deny,allow" / "Order allow,deny" lines that were not inside an <IfModule> guard
- replace "Allow from all" by "Require all granted" and "Deny from all" by "Require all denied", again only where not guarded by <IfModule>
- replace "Allow from <ip or net>" by "Require ip <ip or net>" and "Allow from <hostname>" by "Require host <hostname>" (Require host only does hostnames; addresses and networks need Require ip)
- remove the module access_compat from the APACHE_MODULES variable in /etc/sysconfig/apache2, so that any leftover 2.2 directive becomes a hard configuration error instead of a silently different access policy
- systemctl restart apache2
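The directive mapping above, as an added example that is not part of the original page: a small POSIX shell/awk filter that rewrites the 2.2 directives into their 2.4 Require equivalents. The function name convert_access_22_to_24, the mapping rules and the sample input in the usage note are my own. It does a mechanical one-to-one translation, so Order-dependent blocks still deserve a look (a "Deny from all" followed by "Allow from X" can be reduced to just "Require ip X").

```shell
#!/bin/sh
# Added example, not from the page: rewrite Apache 2.2 host-based access
# control (Order / Allow from / Deny from) into the 2.4 "Require" syntax so
# that mod_access_compat can be dropped. Function name and mapping rules are
# mine; the output is a mechanical 1:1 translation meant to be reviewed.
set -e

# convert_access_22_to_24: reads a config on stdin, writes the converted config
# to stdout. Indentation of each rewritten line is preserved.
convert_access_22_to_24() {
    awk '
    # Arguments that look like an IPv4 address (partial, CIDR or netmask form)
    # or an IPv6 address become "Require ip"; anything else is a hostname.
    function kind(a) {
        if (a ~ /^[0-9]+(\.[0-9]+)*(\/[0-9.]+)?$/) return "ip"
        if (a ~ /^[0-9a-fA-F:]+(\/[0-9]+)?$/ && a ~ /:/) return "ip"
        return "host"
    }
    {   match($0, /^[ \t]*/); p = substr($0, 1, RLENGTH)   # leading whitespace
        d = tolower($1); f = tolower($2); a = tolower($3)
    }
    d == "order" { next }    # no 2.4 equivalent: the Require lines carry the policy
    d == "allow" && f == "from" && a == "all" { print p "Require all granted"; next }
    d == "deny"  && f == "from" && a == "all" { print p "Require all denied";  next }
    d == "allow" && f == "from" {
        for (i = 3; i <= NF; i++) print p "Require " kind($i) " " $i
        next
    }
    d == "deny"  && f == "from" {
        # "Deny from X" on top of an implicit allow-all needs a RequireAll
        # container with a negated term
        print p "<RequireAll>"
        print p "    Require all granted"
        for (i = 3; i <= NF; i++) print p "    Require not " kind($i) " " $i
        print p "</RequireAll>"
        next
    }
    { print }
    '
}
```

Run it over a copy of each config file (convert_access_22_to_24 < old.conf > new.conf), diff the two, then run apachectl configtest before the restart: with access_compat removed, any Order/Allow/Deny line the filter did not see fails that test.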
The script offered to configure forwarding http to https, which I accepted. I think it just added these lines to the virtual host file above:
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =banzhaf.chickenkiller.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Now the new cert was served and accepted as trusted (although chromium needed some time to pick it up).
Automation
The cert is only valid for 90 days. Better automate the renewal. It is enough to create this script
/etc/cron.daily/certbot-auto-renew:
    #!/bin/sh
    python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
The python one-liner is the line from certbot's own cron instructions: it sleeps a random time of up to an hour before renewing, so that all the installations sharing the same daily cron slot do not hit Let's Encrypt in the same minute, and python was simply an interpreter certbot-auto needed anyway. A plain shell sleep does the same (RANDOM is 0..32767, so RANDOM/9 is at most about 3640 seconds):
    #!/bin/bash
    sleep $((RANDOM/9)) && /usr/local/bin/certbot-auto renew
Either way, "renew" only replaces certificates that are within 30 days of expiry, so the daily run is cheap. (certbot-auto itself has since been deprecated by the EFF in favour of the distribution or snap packages of certbot; the renew invocation is the same for those.)
Fritz Box Cert
Automatic Update
This script logs into the Fritz!Box and installs the cert for you. Just edit the variables at the start (user, pass, certpath). I use a separate Fritz!Box user for this, so the credentials that sit in the script are not the admin login.
To make it even easier: store this script in /etc/letsencrypt/renewal-hooks/post and it gets run after renewals (I'll see if that works in 2 months). Note that scripts in renewal-hooks/post run after every renewal attempt, whether or not a certificate was actually replaced, while scripts in renewal-hooks/deploy run only when one was, and find its live directory in $RENEWED_LINEAGE.
OpenWRT
- copy the cert (fullchain and private key concatenated into one PEM) to /etc/letsencrypt on the router from the post hook script; the file contains the key, so keep it readable by root only
    uci set nginx._lan.ssl_certificate=/etc/letsencrypt/banzhaf.chickenkiller.com.pem
    uci set nginx._lan.ssl_certificate_key=/etc/letsencrypt/banzhaf.chickenkiller.com.pem
    uci set nginx._lan.uci_manage_ssl='my_letsencrypt'
nginx accepts the same combined file for both settings: it takes the certificate chain from ssl_certificate and the private key block (placed after the certificates) from ssl_certificate_key.
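The hook described for the Fritz!Box above and the OpenWRT steps just listed, as an added example that is not the page's own script: a certbot deploy hook that builds the combined PEM and installs it for nginx on the router. It sits in renewal-hooks/deploy rather than renewal-hooks/post because certbot hands the renewed lineage's live directory to deploy hooks only (in $RENEWED_LINEAGE). The router address (ROUTER), the remote directory and the function names are my assumptions; the uci commit and nginx reload are standard OpenWRT commands the page leaves implicit.

```shell
#!/bin/sh
# Added example, not the page's own hook: a certbot deploy hook that bundles
# fullchain.pem + privkey.pem into one PEM and installs it for nginx on OpenWRT.
# Assumed names (not from the page): ROUTER, REMOTE_DIR, LINEAGE_NAME.
set -eu

ROUTER="${ROUTER:-root@openwrt}"               # assumption: ssh target of the router
REMOTE_DIR="${REMOTE_DIR:-/etc/letsencrypt}"   # where the page keeps the PEM on the router
LINEAGE_NAME="${LINEAGE_NAME:-banzhaf.chickenkiller.com}"

# make_combined_pem SRC_DIR DST_FILE
# Concatenate fullchain.pem and privkey.pem from a certbot lineage directory
# into DST_FILE. The file carries the private key, so it is created with mode
# 0600 and swapped in atomically; fails (leaving DST_FILE untouched) if either
# input is missing.
make_combined_pem() {
    src="$1"; dst="$2"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "make_combined_pem: fullchain.pem or privkey.pem missing in $src" >&2
        return 1
    }
    tmp="$dst.tmp.$$"
    ( umask 077 && cat "$src/fullchain.pem" "$src/privkey.pem" > "$tmp" )
    mv -f "$tmp" "$dst"
}

# pem_is_complete FILE
# Sanity check before deploying: at least one certificate block (leaf + chain)
# and exactly one private key block.
pem_is_complete() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# deploy_to_openwrt PEM_FILE
# Copy the bundle to the router, restrict its mode there (scp does not carry
# the 0600 over), point nginx at it with the uci settings from the page, then
# commit and reload. Needs ssh access to the router; not run by the test.
deploy_to_openwrt() {
    pem="$1"
    remote="$REMOTE_DIR/$LINEAGE_NAME.pem"
    scp "$pem" "$ROUTER:$remote"
    ssh "$ROUTER" "chmod 600 '$remote' &&
        uci set nginx._lan.ssl_certificate='$remote' &&
        uci set nginx._lan.ssl_certificate_key='$remote' &&
        uci set nginx._lan.uci_manage_ssl='my_letsencrypt' &&
        uci commit nginx && /etc/init.d/nginx reload"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy
# hooks, and only for a lineage that was actually renewed; a post hook runs
# after every renewal attempt, successful or not, and is not told which one.
# So this script belongs in /etc/letsencrypt/renewal-hooks/deploy/ (executable).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */"$LINEAGE_NAME")
            bundle="/etc/letsencrypt/$LINEAGE_NAME.pem"
            make_combined_pem "$RENEWED_LINEAGE" "$bundle"
            pem_is_complete "$bundle"
            deploy_to_openwrt "$bundle"
            ;;
        *)  ;;   # another lineage was renewed; nothing to do for the router
    esac
fi
```

Because the bundle holds the private key, the local copy is written with mode 0600 and the remote copy gets chmod 600 after scp; the atomic mv means nginx never reloads against a half-written file.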
Manual Update
To use the cert with the Fritz!Box web interface, fetch the full chain and the private key in one file (the glob [pf]*.pem matches exactly fullchain.pem and privkey.pem in the live directory):
    ssh root@job4 'cat /etc/letsencrypt/live/banzhaf.chickenkiller.com/[pf]*.pem' >fritz.pem
Then upload this file into the Fritz!Box certificate store via the web interface (Internet / Freigaben / FRITZ!Box-Dienste). fritz.pem contains the private key, so delete it once the upload is done.