Certbot: Difference between revisions
From Freephile Wiki
There is even an experimental [https://github.com/greenhost/certbot-haproxy plugin] if you want to go that route, but it's not necessary.
Although a cron job such as <code>certbot renew --quiet --no-self-upgrade</code> will renew the certificates, it will not install them: the renewal configuration below has <code>installer = None</code>, and HAProxy needs the chain and the private key concatenated into one file anyway. So the better approach is to point HAProxy at certbot's standalone authenticator and add a renewal hook script that rebuilds the combined PEM and reloads HAProxy.
The certbot renewal configuration has to carry this for (each) certificate. Notice the <code>http01_port = 54321</code>: certbot's standalone web server listens on that port (you get this setting by issuing the certificate with <code>certbot certonly --standalone --http-01-port 54321 -d demo.qualitybox.us</code>), and HAProxy forwards the ACME challenge requests to it:
<code>cat /etc/letsencrypt/renewal/demo.qualitybox.us.conf</code>
<pre>
# renew_before_expiry = 30 days
version = 0.25.1
archive_dir = /etc/letsencrypt/archive/demo.qualitybox.us
cert = /etc/letsencrypt/live/demo.qualitybox.us/cert.pem
privkey = /etc/letsencrypt/live/demo.qualitybox.us/privkey.pem
chain = /etc/letsencrypt/live/demo.qualitybox.us/chain.pem
fullchain = /etc/letsencrypt/live/demo.qualitybox.us/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = f47c655802900ba026fb42e0bef8acd7
http01_port = 54321
authenticator = standalone
installer = None
pref_challs = http-01,
</pre>
The important parts of the HAProxy configuration ([https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-centos-7 more detail] in the DigitalOcean tutorial). The <code>acl</code>/<code>use_backend</code> pair must also appear in the frontend that listens on port 80, because Let's Encrypt sends the HTTP-01 validation request over plain HTTP (it will follow a redirect to HTTPS, but only if port 80 answers in the first place). Note too that <code>reqadd</code> was removed in HAProxy 2.1; on current versions use <code>http-request set-header X-Forwarded-Proto https</code> instead.
<pre>
frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs
    reqadd X-Forwarded-Proto:\ https
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
[snip]
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
</pre>
<source lang="bash">
#!/bin/sh
# Build one HAProxy PEM (fullchain + private key) per certificate lineage.
# Instead of maintaining a static list like
#   declare -a arr=("demo.qualitybox.us" "freephile.qualitybox.us")
# loop over the lineage directories in 'live'. A glob with a trailing slash
# matches directories only, so the README file certbot drops in 'live' is
# skipped (the original 'ls -D' is not a valid ls option and would list it).
set -e
umask 077   # the combined .pem contains the private key: create it 0600
mkdir -p /etc/haproxy/certs
for DIR in /etc/letsencrypt/live/*/
do
    SITE=$(basename "$DIR")
    # cat files to make combined .pem for haproxy
    cat "$DIR/fullchain.pem" "$DIR/privkey.pem" > "/etc/haproxy/certs/$SITE.pem"
    # echo "created /etc/haproxy/certs/$SITE.pem"
done
# reload haproxy so it picks up the new files
systemctl reload haproxy
</source>
Then, as <code>root</code>, use <code>crontab -e</code> to run the renewal nightly. <code>--renew-hook</code> is the older name for <code>--deploy-hook</code>; either runs the script only when at least one certificate was actually renewed. Make the hook executable (<code>chmod 700 /root/bin/renew.sh</code>) and capture stderr as well, otherwise failed renewals go unnoticed:
<pre>
30 2 * * * /usr/bin/certbot renew --quiet --deploy-hook "/root/bin/renew.sh" >> /var/log/certbot.log 2>&1
</pre>
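As an added example (not code from this wiki page, and not part of certbot or HAProxy), here is the same job written as a proper certbot deploy hook. certbot runs a deploy hook once per renewed certificate and exports <code>RENEWED_LINEAGE</code> (the <code>live/&lt;name&gt;</code> directory) and <code>RENEWED_DOMAINS</code>, so the hook only rebuilds the one combined PEM that changed, writes it with mode 0600 through a temp file and rename, checks that the private key actually matches the leaf certificate, and validates the HAProxy configuration before reloading. The cert directory path, the <code>HAPROXY_CERT_DIR</code> variable and the function names are assumptions for this example; <code>openssl</code> and <code>haproxy</code> are expected on the PATH when the verification steps run.

```shell
#!/bin/sh
# Added example: certbot deploy hook for HAProxy (not the wiki page's script).
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/demo.qualitybox.us)
# and RENEWED_DOMAINS before calling a --deploy-hook, once per renewed cert.
# HAPROXY_CERT_DIR is an assumption: the directory named in
#   bind *:443 ssl crt <dir>
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"

# Concatenate fullchain + private key into <certdir>/<name>.pem with mode
# 0600, via a temp file and rename so HAProxy never reads a half-written file.
# Usage: install_lineage /etc/letsencrypt/live/<name> /etc/haproxy/certs
# Prints the path of the installed file; returns 1 if the lineage is incomplete.
install_lineage() {
    lineage="$1"
    certdir="$2"
    name=$(basename "$lineage")
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    tmp="$certdir/.$name.pem.tmp"
    # subshell so the restrictive umask (private key inside) stays local
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) || return 1
    mv -f "$tmp" "$certdir/$name.pem"
    printf '%s\n' "$certdir/$name.pem"
}

# Confirm the private key in the combined PEM belongs to the leaf certificate
# by comparing the SubjectPublicKeyInfo derived from each. openssl x509 reads
# the first CERTIFICATE block (the leaf); openssl pkey skips the certificate
# blocks and reads the PRIVATE KEY block.
# Returns 0 on match, 1 on mismatch or if either half cannot be parsed.
key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Reload only when the configuration (including every file under crt <dir>)
# validates, so a broken PEM cannot take the proxy down.
reload_haproxy() {
    haproxy -c -q -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
}

# Entry point when invoked by certbot (RENEWED_LINEAGE set); no-op otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    out=$(install_lineage "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR") || {
        echo "incomplete lineage: $RENEWED_LINEAGE" >&2; exit 1; }
    key_matches_cert "$out" || { echo "key/cert mismatch in $out" >&2; exit 1; }
    reload_haproxy
fi
```

Install it as, for instance, <code>/root/bin/haproxy-deploy.sh</code> with <code>chmod 700</code> and reference it from the cron line with <code>--deploy-hook "/root/bin/haproxy-deploy.sh"</code>. Because the mismatch check runs before the reload, a lineage whose <code>privkey.pem</code> symlink got out of step with <code>fullchain.pem</code> is reported in the log instead of being served.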
== On Amazon ==