Project LetsEncrypt

From JoBaPedia

Let's Encrypt

Today I replaced the self-signed certs of my DynDNS domain with official ones from [Let’s Encrypt]:

Request First Cert

ssh root@job4
cd /usr/local/bin
# note: the EFF has since deprecated certbot-auto; current installs use the distribution package or the snap
sudo wget https://dl.eff.org/certbot-auto
sudo chmod 0755 certbot-auto   # wget leaves the download non-executable
sudo certbot-auto --apache

Apache Config Preparation

At first, this did not work. The script needs a vhost for port 80, so I created one:

/etc/apache2/vhosts.d/vhost-chickenkiller.conf:

<VirtualHost *:80>
   ServerAdmin joachim.banzhaf@gmail.com
   ServerName banzhaf.chickenkiller.com
   ServerAlias banzhaf.chickenkiller.com
   DocumentRoot /srv/www/htdocs
   ErrorLog /var/log/apache2/error.log
   CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Then it complained about syntax errors in my Apache config that I needed to fix (quotes not closed). Finally the validation failed due to access errors. I had to remove all old-style access control and use the new Apache 2.4 style, which was more straightforward than I expected:

  • remove all "Order deny,allow" / "Order allow,deny" directives that are not wrapped in an <IfModule>/<IfDefine> conditional
  • replace "Allow from all" by "Require all granted" and "Deny from all" by "Require all denied", again only outside such conditionals
  • replace "Allow from <ip or net>" by "Require ip <ip or net>" and "Allow from <hostname>" by "Require host <hostname>" (2.4 uses separate providers for addresses and names)
  • remove the module access_compat from the APACHE_MODULES variable in /etc/sysconfig/apache2
  • systemctl restart apache2
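The list above as a mechanical translation, added here as an example (it is neither the page's own code nor anything shipped with Apache). It turns 2.2 Order/Allow/Deny directives into 2.4 Require directives, passes everything inside an <IfModule mod_access_compat.c> block through untouched, handles "Allow from env=" with "Require env", and refuses to guess at "Deny from <host>", which in 2.4 needs "Require not" inside a <RequireAll> block; such lines are flagged for manual work instead. The snippet fed in at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: translate Apache 2.2 access
# control (Order / Allow from / Deny from) into Apache 2.4 Require directives,
# following the rules of the list above. Directives inside an
# <IfModule mod_access_compat.c> block are passed through untouched.

migrate_access_control() {
    awk '
    BEGIN { compat = 0 }

    # Track <IfModule mod_access_compat.c> ... </IfModule> nesting and pass
    # those lines through unchanged: they are the "ifdef" case in the list.
    tolower($0) ~ /^[ \t]*<ifmodule[ \t]+mod_access_compat\.c>/ { compat++; print; next }
    tolower($0) ~ /^[ \t]*<\/ifmodule>/ && compat > 0         { compat--; print; next }
    compat > 0 { print; next }

    # Keep the original indentation for every rewritten line.
    { match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH) }

    # "Order ..." has no 2.4 equivalent; the Require lines carry the policy.
    tolower($1) == "order" { next }

    tolower($1) == "allow" && tolower($2) == "from" {
        if (tolower($3) == "all") { print indent "Require all granted"; next }
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^env=/) { e = $i; sub(/^env=/, "", e); print indent "Require env " e }
            else              { print indent "Require " kind($i) " " $i }
        }
        next
    }

    tolower($1) == "deny" && tolower($2) == "from" {
        if (tolower($3) == "all") { print indent "Require all denied"; next }
        # "Deny from <host>" needs "Require not" inside <RequireAll> in 2.4;
        # that restructuring is left to a human, so only flag the line.
        sub(/^[ \t]+/, "")
        print indent "# MIGRATE MANUALLY (needs <RequireAll> with Require not): " $0
        next
    }

    { print }

    # IPv4 (full or partial, optional /prefix) and IPv6 literals become
    # "Require ip"; everything else is treated as a host name.
    function kind(tok) {
        if (tok ~ /^[0-9]+(\.[0-9]+)*(\/[0-9.]+)?$/) return "ip"
        if (tok ~ /:/ && tok ~ /^[0-9A-Fa-f:]+(\/[0-9]+)?$/) return "ip"
        return "host"
    }
    '
}

# Constructed 2.2-style snippet, run through the converter:
printf '%s\n' \
    '<Directory /srv/www/htdocs>' \
    '    Order deny,allow' \
    '    Deny from all' \
    '    Allow from 192.168.1.0/24 intranet.example.org' \
    '</Directory>' | migrate_access_control
```

Run it over a copy of each config file (migrate_access_control < default-server.conf > default-server.conf.new), diff the result, and check with apache2ctl -t before restarting. A "Require all denied" next to a "Require ip" line is redundant in the default <RequireAny> context (the ip line alone expresses the old Order deny,allow policy), but it is the literal translation of the list above and does no harm.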

The script offered to configure forwarding from HTTP to HTTPS, which I accepted. I think it just added these lines to the virtual host file above:

# requires mod_rewrite to be loaded
RewriteEngine on
RewriteCond %{SERVER_NAME} =banzhaf.chickenkiller.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Now the cert was used and validated as safe (although Chromium needed some time to accept it).

Automation

The cert is only valid for 90 days, so renewal should be automated. It is enough to create this script (and make it executable):

/etc/cron.daily/certbot-auto-renew

#!/bin/sh
# Sleep a random time of up to an hour so that renewals from many hosts do not
# all hit the Let's Encrypt servers in the same minute, then renew what is due.
python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

No idea why Python came into the game. This should work as well...

#!/bin/bash
# $RANDOM is 0..32767 (bash only), so this sleeps up to about 3640 seconds, roughly an hour.
sleep $((RANDOM/9)) && /usr/local/bin/certbot-auto renew

Fritz Box Cert

Automatic Update

This script logs into the Fritz Box and updates the cert for you. Just edit the variables at the start (user, pass, certpath). I use a separate Fritz Box user for this.

To make it even easier: store this script in /etc/letsencrypt/renewal-hooks/post and it gets run on updates (I'll see if that works in 2 months).

Manual Update

To use the cert with the Fritz Box web interface, fetch the key and the full chain into one file:

# the glob matches privkey.pem and fullchain.pem, i.e. key plus full chain in one PEM file
ssh root@job4 'cat /etc/letsencrypt/live/banzhaf.chickenkiller.com/[pf]*.pem' >fritz.pem

Then upload this file to the Fritz Box certificate store via the web interface (Internet/Freigaben/Fritzbox Dienste/).

OpenWRT

Manual Setup

Copy the cert (full chain and key concatenated into one PEM file) to /etc/letsencrypt on the router with the post-hook script below, then point nginx at it and make the change stick:

uci set nginx._lan.ssl_certificate=/etc/letsencrypt/banzhaf.chickenkiller.com.pem
uci set nginx._lan.ssl_certificate_key=/etc/letsencrypt/banzhaf.chickenkiller.com.pem
uci set nginx._lan.uci_manage_ssl='my_letsencrypt'
uci commit nginx
/etc/init.d/nginx restart

Automatic Renewal

Put this in /etc/letsencrypt/renewal-hooks/post. Create the SSH key pair /etc/letsencrypt/id_rsa.letsencrypt on the server and add its public key to /etc/dropbear/authorized_keys on each OpenWRT router:

#!/bin/bash

# parameters
CERT_SRC="/etc/letsencrypt/live/banzhaf.chickenkiller.com"
CERT_DST="/etc/letsencrypt"
CERT_FILE="banzhaf.chickenkiller.com.pem"
SSH_ID="/etc/letsencrypt/id_rsa.letsencrypt"
HOSTS="ax1 ax2"
WEB_SERVICE="uhttpd"   # nginx if the router is configured as in Manual Setup above

cd "$CERT_SRC" || exit 1
for h in $HOSTS; do
   # Stream chain and key to the router and write them into one file. The file
   # contains the private key, so it is created with umask 077 and forced to
   # mode 0600 even if an older, more permissive copy exists. A host that is
   # down is reported, and the loop goes on with the next one.
   cat fullchain.pem privkey.pem | ssh -i "$SSH_ID" "root@$h" \
      "umask 077 && mkdir -p '$CERT_DST' && cat >'$CERT_DST/$CERT_FILE' && chmod 0600 '$CERT_DST/$CERT_FILE' && /etc/init.d/$WEB_SERVICE restart" \
      || echo "certificate push to $h failed" >&2
done
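The push above hands each router a key that can run anything as root. As an added example (not part of the original page and not OpenWRT's own tooling), here is the receiving side hardened with an SSH forced command, so the key in /etc/letsencrypt/id_rsa.letsencrypt can do nothing but install one certificate file and restart one service. It assumes the router runs dropbear, which honours command= and the no-* options in /etc/dropbear/authorized_keys, and that the script is installed on the router under the hypothetical path /usr/sbin/install-le-cert. The public key in the demo is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the original page: router-side receiver for the
# certificate push above, meant to run as an SSH forced command so the pushing
# key cannot do anything else. Assumptions (not on the page):
#   - dropbear on the router honours command= and the no-* options
#   - installed on the router as /usr/sbin/install-le-cert (hypothetical path)

# Print the /etc/dropbear/authorized_keys line for public key $1 that forces
# "install-le-cert DEST SERVICE" ($2, $3) and disables pty and forwarding.
restricted_authorized_key() {
    printf 'command="/usr/sbin/install-le-cert %s %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$2" "$3" "$1"
}

# Read "fullchain.pem privkey.pem" from stdin, check it looks like a chain plus
# exactly one private key, install it as $1 with mode 0600, restart $2 (skipped
# when empty). Whatever command the client asked for is ignored: with command=
# in authorized_keys, dropbear runs this script instead.
install_le_cert() {
    dest=$1; service=$2
    tmp="$dest.tmp.$$"
    mkdir -p "$(dirname "$dest")"
    # umask in a subshell so only this file gets the restrictive mode
    ( umask 077 && cat >"$tmp" ) || return 1
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$tmp" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$tmp" || true)
    if [ "$certs" -lt 1 ] || [ "$keys" -ne 1 ]; then
        rm -f "$tmp"
        echo "install-le-cert: input is not a certificate chain plus one private key" >&2
        return 1
    fi
    # Atomic replace: the web server never sees a half-written file.
    mv -f "$tmp" "$dest" || return 1
    [ -z "$service" ] || /etc/init.d/"$service" restart
}

# Demo of the authorized_keys line for a constructed (not real) public key:
restricted_authorized_key \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyMaterial000000000 letsencrypt@job4" \
    /etc/letsencrypt/banzhaf.chickenkiller.com.pem uhttpd
```

Generate the key on the server with ssh-keygen -t ed25519 -N '' -f /etc/letsencrypt/id_rsa.letsencrypt, put the line printed by restricted_authorized_key into /etc/dropbear/authorized_keys on each router, and copy install_le_cert there. The hook on the server keeps working unchanged: the remote command string it sends is simply ignored in favour of the forced command.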

Grafana

Grafana just needs a restart; put this in /etc/letsencrypt/renewal-hooks/post:

#!/bin/bash
# Grafana reads its certificate files at start, so a restart is all it takes.
systemctl restart grafana-server.service

Mosquitto Broker

Mosquitto needs its own copy of the certificate. The script below uses $RENEWED_DOMAINS and $RENEWED_LINEAGE, which certbot documents only for deploy hooks, so put it in /etc/letsencrypt/renewal-hooks/deploy rather than renewal-hooks/post:

#!/bin/sh
MY_DOMAIN=banzhaf.chickenkiller.com
CERTIFICATE_DIR=/etc/mosquitto/certs

# RENEWED_DOMAINS is a space-separated list of the names on the renewed
# certificate; a plain comparison is fine for a single-name cert like this one.
if [ "${RENEWED_DOMAINS}" = "${MY_DOMAIN}" ]; then

   # Copy new certificate to Mosquitto directory
   cp "${RENEWED_LINEAGE}/fullchain.pem" "${CERTIFICATE_DIR}/server.pem"
   cp "${RENEWED_LINEAGE}/privkey.pem" "${CERTIFICATE_DIR}/server.key"

   # Set ownership to Mosquitto
   chown mosquitto: "${CERTIFICATE_DIR}/server.pem" "${CERTIFICATE_DIR}/server.key"

   # Ensure permissions are restrictive
   chmod 0600 "${CERTIFICATE_DIR}/server.pem" "${CERTIFICATE_DIR}/server.key"

   # Tell Mosquitto to reload certificates and configuration
   pkill -HUP -x mosquitto

fi
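The Mosquitto script above, generalised into a reusable deploy hook, added here as an example (neither the page's own script nor certbot's code). It shows the two variables certbot hands to deploy hooks and why a plain string comparison on $RENEWED_DOMAINS breaks for a certificate carrying more than one name. The owner mosquitto and the reload command come from the original; the install path /etc/letsencrypt/renewal-hooks/deploy/mosquitto is a hypothetical filename, and the inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not the page's own hook: a certbot *deploy* hook. certbot
# exports RENEWED_DOMAINS (space-separated names on the renewed certificate)
# and RENEWED_LINEAGE (the live/<name> directory) to deploy hooks only.
# Install as /etc/letsencrypt/renewal-hooks/deploy/mosquitto (hypothetical path).

MY_DOMAIN="banzhaf.chickenkiller.com"
CERTIFICATE_DIR="/etc/mosquitto/certs"
CERT_OWNER="mosquitto"                 # service account from the page's script
RELOAD_CMD="pkill -HUP -x mosquitto"   # reload command from the page's script

# True if $1 appears as a whole word in the space-separated list $2.
# "$RENEWED_DOMAINS" = "$MY_DOMAIN" would fail for a multi-name certificate
# such as "example.org www.example.org".
domain_renewed() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Copy fullchain.pem and privkey.pem from lineage dir $1 into $2 as server.pem
# and server.key with mode 0600, owned by $3 (ownership skipped when $3 is
# empty, e.g. when testing as a normal user).
install_pair() {
    lineage=$1; dir=$2; owner=$3
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dir" || return 1
    for pair in fullchain.pem:server.pem privkey.pem:server.key; do
        src=${pair%%:*}; dst=${pair##*:}
        install -m 0600 "$lineage/$src" "$dir/$dst" || return 1
        [ -z "$owner" ] || chown "$owner:" "$dir/$dst" || return 1
    done
}

# Deploy only when our domain is among the renewed names.
# Returns 0 when there is nothing to do, 1 when the copy failed.
deploy_if_renewed() {
    domain=$1; renewed=$2; lineage=$3; dir=$4; owner=$5; reload=$6
    domain_renewed "$domain" "$renewed" || return 0
    install_pair "$lineage" "$dir" "$owner" || return 1
    [ -z "$reload" ] || eval "$reload"
}

# When certbot runs this as a deploy hook the variables are set; when the file
# is sourced for testing they are not and nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_if_renewed "$MY_DOMAIN" "${RENEWED_DOMAINS:-}" "$RENEWED_LINEAGE" \
        "$CERTIFICATE_DIR" "$CERT_OWNER" "$RELOAD_CMD"
fi
```

certbot renew --dry-run runs pre and post hooks but, by default, not deploy hooks, which is why the logic sits in functions that can be called by hand with a scratch lineage directory before the first real renewal.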