Letsencrypt: Setting up certificates for use with web interface and haproxy
Ok, I've gone ahead and tried this out.
I don't like messing with pip on the host OS – I've broken too many things! Containerise!
# docker pull
docker pull certbot/certbot

Run Certbot from the container

# to drop in to a shell and play around with parameters
docker run --entrypoint="/bin/sh" -it --name certbot certbot/certbot:latest

Running Certbot manually
# otherwise recommended run args
[root@head01 ~]# docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot:latest certonly --manual --preferred-challenges dns-01 --agree-tos -d "vscaler.com" -d "*.vscaler.com" --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): david.power@vscaler.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for vscaler.com
dns-01 challenge for vscaler.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vscaler.com with the following value:
jCQFq6haO3N8kazdGU2pyBeN4hp2hWQ_kJbUrr30Du0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vscaler.com with the following value:
paVkA3XJ4ZlbeXPR0I8wUTmK66nRlrANqnuf1xhYjOc
Before continuing, verify the record is deployed.

Note: STOP HERE AND UPDATE DNS!!
(Then you can check with: dig @dns1.doteasy.com _acme-challenge.vscaler.com TXT)

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vscaler.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vscaler.com/privkey.pem
Your cert will expire on 2019-05-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Verify things

Verify the acme-challenge:
[david@Davids-MacBook-Pro-3 ~]$ dig _acme-challenge.vscaler.com txt
; <<>> DiG 9.10.6 <<>> _acme-challenge.vscaler.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26790
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.vscaler.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.vscaler.com. 7200 IN TXT "paVkA3XJ4ZlbeXPR0I8wUTmK66nRlrANqnuf1xhYjOc"
_acme-challenge.vscaler.com. 7200 IN TXT "jCQFq6haO3N8kazdGU2pyBeN4hp2hWQ_kJbUrr30Du0"
;; Query time: 314 msec
;; SERVER: 192.168.192.1#53(192.168.192.1)
;; WHEN: Wed Feb 27 12:24:10 GMT 2019
;; MSG SIZE rcvd: 168
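Both TXT values have to be visible before pressing Enter on the second prompt: the apex name and the wildcard are authorised separately, but they share the record name _acme-challenge.vscaler.com, so a resolver that still shows only the first token will fail the second challenge. The following is an added example, not code from the original page: a POSIX shell check that takes dig's output and the tokens certbot printed and reports which ones are missing. The sample answer it runs on is constructed from the dig output above; `check_acme_challenge` and its nameserver argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): confirm every DNS-01 token certbot
# asked for is present in the resolver's answer before pressing Enter.

# acme_txt_present <dig-output> <token>...
# Succeeds only if each token appears as a TXT record in the ANSWER section.
# Question lines start with ';' so they cannot match the anchored pattern.
acme_txt_present() {
    answer="$1"; shift
    missing=0
    for token in "$@"; do
        if printf '%s\n' "$answer" |
           grep -E "^_acme-challenge\.[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+TXT[[:space:]]+\"$token\"" >/dev/null
        then
            echo "present: $token"
        else
            echo "missing: $token"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_acme_challenge <zone> <nameserver> <token>...
# Query the zone's authoritative server directly (passed in by the caller), so a
# negative answer cached at a recursive resolver cannot fool the check.
check_acme_challenge() {
    zone="$1"; ns="$2"; shift 2
    acme_txt_present "$(dig @"$ns" "_acme-challenge.$zone" TXT)" "$@"
}

# Constructed sample answer, copied from the dig output shown on the page.
SAMPLE_ANSWER=';; QUESTION SECTION:
;_acme-challenge.vscaler.com.		IN	TXT

;; ANSWER SECTION:
_acme-challenge.vscaler.com. 7200 IN TXT "paVkA3XJ4ZlbeXPR0I8wUTmK66nRlrANqnuf1xhYjOc"
_acme-challenge.vscaler.com. 7200 IN TXT "jCQFq6haO3N8kazdGU2pyBeN4hp2hWQ_kJbUrr30Du0"'

# Demo: both tokens deployed -> exit status 0; a token that has not propagated -> 1.
acme_txt_present "$SAMPLE_ANSWER" \
    jCQFq6haO3N8kazdGU2pyBeN4hp2hWQ_kJbUrr30Du0 \
    paVkA3XJ4ZlbeXPR0I8wUTmK66nRlrANqnuf1xhYjOc
echo "exit status: $?"
```

For the live check, `check_acme_challenge vscaler.com dns1.doteasy.com <token1> <token2>` queries the authoritative server named on the page rather than the local resolver, which avoids waiting out a cached empty answer.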
Then letsencrypt folder will look like this:
[root@head01 ~]# ls /etc/letsencrypt/ -R
/etc/letsencrypt/:
accounts archive csr keys live renewal renewal-hooks
/etc/letsencrypt/accounts:
acme-v02.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
directory
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
6f5d5f406ccb630b92ae38f1f88dd45a
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/6f5d5f406ccb630b92ae38f1f88dd45a:
meta.json private_key.json regr.json
/etc/letsencrypt/archive:
vscaler.com
/etc/letsencrypt/archive/vscaler.com:
cert1.pem chain1.pem fullchain1.pem privkey1.pem
/etc/letsencrypt/csr:
0000_csr-certbot.pem
/etc/letsencrypt/keys:
0000_key-certbot.pem
/etc/letsencrypt/live:
README vscaler.com
/etc/letsencrypt/live/vscaler.com:
cert.pem chain.pem fullchain.pem privkey.pem README
/etc/letsencrypt/renewal:
vscaler.com.conf
/etc/letsencrypt/renewal-hooks:
deploy post pre
/etc/letsencrypt/renewal-hooks/deploy:
/etc/letsencrypt/renewal-hooks/post:
/etc/letsencrypt/renewal-hooks/pre:
Or, if you have access to a web server, use the http-01 challenge instead:
/opt/certbot # certbot --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the manual plugin, you probably want to use the "certonly" command, eg:
certbot certonly --manual
(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
and "--help plugins" for more information.)
/opt/certbot # certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): vscaler.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vscaler.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
TLtV3nEfE640XiI9mtHZDRqu2hnPURSeEWGV4hR0TRM.fR6UqcQpYEZwG-VuQX5dBaZJYjdv883n9juoijrT184
And make it available on your web server at this URL:
http://vscaler.com/.well-known/acme-challenge/TLtV3nEfE640XiI9mtHZDRqu2hnPURSeEWGV4hR0TRM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vscaler.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vscaler.com/privkey.pem
Your cert will expire on 2019-05-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
/opt/certbot #
sudo yum install certbot
There was a problem with the Certbot installation which was resolved by upgrading pip:
pip install requests==2.6.0
easy_install --upgrade pip
haproxy reads the certificate chain and the private key from a single file, so concatenate them into a directory only root can read:
sudo mkdir -p /etc/haproxy/certs
sudo chmod -R go-rwx /etc/haproxy/certs
DOMAIN='bostonhpc.zapto.org' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/vos.pem'
In /etc/kolla/globals.yml

Additional notes for updating demo.vscaler.com
# copied across the wildcard *.vscaler.com cert from the www.vscaler.com web site; essentially did the 'cat' command above so it's in the right format
[root@head01 certs]# grep cert /etc/kolla/globals.yml
kolla_external_fqdn_cert: "/etc/haproxy/certs/vos.pem"
cp updated_cert.pem /etc/haproxy/certs/vos.pem
# then rather than a reconfigure - this is a quick way to sync:
[root@head01 certs]# scp vos.pem controller01:/etc/kolla/haproxy/haproxy.pem
vos.pem 100% 5274 5.2KB/s 00:00
[root@head01 certs]# scp vos.pem controller02:/etc/kolla/haproxy/haproxy.pem
vos.pem 100% 5274 5.2KB/s 00:00
[root@head01 certs]# scp vos.pem controller03:/etc/kolla/haproxy/haproxy.pem
vos.pem 100% 5274 5.2KB/s 00:00
[root@head01 certs]# pdsh -w controller[01-03] docker restart haproxy
controller03: haproxy
controller02: haproxy
controller01: haproxy
To check the dates of the certificates
openssl x509 -enddate -noout -in file.pem
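The PEM build, the scp/restart loop and the expiry check above are the pieces of a renewal deploy hook, and /etc/letsencrypt/renewal-hooks/deploy is still empty in the listing. The following is an added example, not code from the page, from Certbot or from Kolla: it rebuilds the haproxy PEM from certbot's live directory with the key never world-readable, checks the block order and that the key matches the leaf certificate, checks expiry with openssl's `-checkend`, and pushes the file to the controllers the way the page does by hand. The function names are assumptions; the demo run uses constructed placeholder PEM files, not real key material, and the host names and paths are the page's.

```shell
#!/bin/sh
# Added example (not the page's, Certbot's or Kolla's code): the manual steps
# above as one script, usable from /etc/letsencrypt/renewal-hooks/deploy/.

# build_haproxy_pem <live-dir> <output.pem>
# HAProxy wants the full chain first, then the private key, in a single file.
# The output is written under umask 077 so the key is never world-readable.
build_haproxy_pem() {
    live="$1"; out="$2"
    if [ ! -r "$live/fullchain.pem" ] || [ ! -r "$live/privkey.pem" ]; then
        echo "build_haproxy_pem: fullchain.pem or privkey.pem missing in $live" >&2
        return 1
    fi
    rm -f "$out"   # a pre-existing file would keep its old mode
    ( umask 077 && cat "$live/fullchain.pem" "$live/privkey.pem" > "$out" )
}

# pem_key_after_chain <file>: the first PEM block must be a certificate and the
# private key must come after it, which is the order haproxy expects.
pem_key_after_chain() {
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$1" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n 'PRIVATE KEY' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$cert_line" ] && [ -n "$key_line" ] && [ "$cert_line" -lt "$key_line" ]
}

# pem_key_matches_cert <file>: the key really belongs to the leaf certificate.
# openssl x509 reads the first certificate; openssl pkey skips to the key block.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) &&
    key_pub=$(openssl pkey -in "$1" -pubout) &&
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within <file> <seconds>: true if the certificate expires inside
# the window; 30 days is 2592000 seconds. Complements "openssl x509 -enddate".
cert_expires_within() {
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null
}

# sync_haproxy_pem <pem> <host>...: the scp + docker restart loop from the page.
sync_haproxy_pem() {
    pem="$1"; shift
    for h in "$@"; do
        scp "$pem" "$h:/etc/kolla/haproxy/haproxy.pem" &&
        ssh "$h" docker restart haproxy || return 1
    done
}

# make_sample_live <dir>: constructed stand-in for /etc/letsencrypt/live/<domain>
# with placeholder PEM bodies (not real key material) so the build step can be
# exercised without certbot.
make_sample_live() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' \
        > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY' '-----END PRIVATE KEY-----' \
        > "$1/privkey.pem"
}

# Demo run on the constructed sample. As a deploy hook, certbot exports the
# renewed live directory in RENEWED_LINEAGE, so the real call would be:
#   build_haproxy_pem "$RENEWED_LINEAGE" /etc/haproxy/certs/vos.pem &&
#   pem_key_matches_cert /etc/haproxy/certs/vos.pem &&
#   sync_haproxy_pem /etc/haproxy/certs/vos.pem controller01 controller02 controller03
work=$(mktemp -d)
make_sample_live "$work/live"
build_haproxy_pem "$work/live" "$work/vos.pem" && pem_key_after_chain "$work/vos.pem" \
    && echo "built $work/vos.pem ($(ls -l "$work/vos.pem" | cut -c1-10))"
```

The build refuses to write anything when either input is missing, so a failed renewal cannot leave a truncated file that haproxy then rejects on restart, and `pem_key_matches_cert` catches the case where a cert from one lineage is concatenated with the key of another.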