Runbook:TLS Certs



So Make It's TLS certs are from Letsencrypt.

Yoshi

There is a cron job, run as root, that renews the cert when it is due:

# m	h	dom	mon	dow	command
# certbot's flag is --post-hook; stderr is merged into the pipe so a failed renewal also reaches syslog
27  	20	*	*	*	/root/certbot-auto renew --post-hook '/usr/sbin/service nginx reload; /usr/sbin/service mosquitto restart; /usr/sbin/service wordpress-spaceopen stop; sleep 1; /usr/sbin/service wordpress-spaceopen start' 2>&1 | /usr/bin/logger -t certbot-auto

This is roughly how the cert was made to start with.

#!/bin/sh
# Stop before relinking or restarting anything if a step (in particular the renewal) fails
set -e

## Make sure the acme well known directory exists
mkdir -p /tmp/letsencrypt-auto
chmod 755 /tmp/letsencrypt-auto

## Update the cert
# --expand means you can add domains to the list. No email etc is needed because certbot-auto has been run before in interactive mode
/root/certbot-auto certonly --expand --webroot -w /tmp/letsencrypt-auto -d giraph.somakeit.org.uk -d spacehub.somakeit.org.uk -d wiki.somakeit.org.uk

## Move the cert & key into the needed locations
# I think the cert will always be written to the spacehub directory because it is the first domain that was registered with letsencrypt
# ln -sf replaces an existing link or file, so this script can be re-run safely
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/fullchain.pem /etc/nginx/ssl/spacehub.somakeit.org.uk/fullchain.pem
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/privkey.pem   /etc/nginx/ssl/spacehub.somakeit.org.uk/privkey.pem

ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/fullchain.pem /etc/nginx/ssl/wiki.somakeit.org.uk/ssl-unified.crt
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/privkey.pem   /etc/nginx/ssl/wiki.somakeit.org.uk/ssl-decrypted.key

# mosquitto runs as its own user, and by default only root can read the private key under /etc/letsencrypt,
# so a symlink alone is not enough: the mosquitto user must be able to traverse /etc/letsencrypt/live and
# /etc/letsencrypt/archive and read the key target. Verify with:
#   sudo -u mosquitto cat /etc/mosquitto/certs/server.key >/dev/null
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/chain.pem     /etc/mosquitto/certs/ca.crt
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/cert.pem      /etc/mosquitto/certs/server.crt
ln -sf /etc/letsencrypt/live/spacehub.somakeit.org.uk/privkey.pem   /etc/mosquitto/certs/server.key

## Notify apps to re-read cert files
/usr/sbin/service nginx reload

# Reading the source I think mosquitto does not read certificates on SIGHUP
# killall -HUP mosquitto
/usr/sbin/service mosquitto restart

# Restart dependent services
sleep 10
/usr/sbin/service wordpress-spaceopen stop
sleep 1
/usr/sbin/service wordpress-spaceopen start

Each nginx site config needs to have a location pointing to the acme well known directory:

        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /tmp/letsencrypt-auto;
        }

If it's not working, debug it.

members.somakeit.org.uk

There is a cron job, run as root, that renews the cert when it is due:

# m	h	dom	mon	dow	command
# stderr is merged into the pipe so a failed renewal also reaches syslog
47	20	*	*	*	/usr/bin/certbot renew --post-hook '/usr/sbin/service nginx reload' 2>&1 | /usr/bin/logger -t certbot

This is roughly how the cert was made to start with.

#!/bin/sh
# Stop before copying or reloading anything if a step (in particular the renewal) fails
set -e

## Make sure the acme well known directory exists
mkdir -p /tmp/letsencrypt-auto
chmod 755 /tmp/letsencrypt-auto

## Update the cert
# --expand means you can add domains to the list. No email etc is needed because certbot-auto has been run before in interactive mode
/root/certbot-auto certonly --expand --webroot -w /tmp/letsencrypt-auto -d members.somakeit.org.uk

## Move the cert & key into the needed locations
# I think the cert will always be written to the members directory because it is the first domain that was registered with letsencrypt
# These are copies, not links, so nginx reads files it owns the permissions of; re-run this after each renewal
cp -v /etc/letsencrypt/live/members.somakeit.org.uk/fullchain.pem /etc/nginx/ssl/members.somakeit.org.uk/ssl-unified.crt
cp -v /etc/letsencrypt/live/members.somakeit.org.uk/privkey.pem   /etc/nginx/ssl/members.somakeit.org.uk/ssl-decrypted.key

## Notify apps to re-read cert files
/usr/sbin/service nginx reload

Each nginx site config needs to have a location pointing to the acme well known directory:

        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /tmp/letsencrypt-auto;
        }

If it's not working, debug it.
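A post-renewal sanity check that fits both hosts above (Yoshi's symlinked nginx and mosquitto files, and the copied files on members.somakeit.org.uk). This is an added example, not part of the original runbook; it assumes openssl is installed, and LIVE_DIR, the deployed paths and the 14-day threshold are defaults chosen here to match the Yoshi layout. It compares the certificate certbot wrote with what each service actually reads, because a stale copy, a dangling link or a service that never reloaded will silently keep serving the old cert after a successful renewal.

```shell
#!/bin/sh
# Added example: verify that deployed cert files match the renewed cert and are not close to expiry.
# Override LIVE_DIR for another host, e.g. LIVE_DIR=/etc/letsencrypt/live/members.somakeit.org.uk
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/spacehub.somakeit.org.uk}"

# SHA-256 fingerprint of the first certificate in a PEM file. openssl x509 only reads the
# first cert, so fullchain.pem and cert.pem from the same renewal give the same fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate in $1 will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if $2 (a copy or a symlink) carries the same certificate as $1.
cert_matches() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Fingerprint of the certificate a running TLS endpoint presents, for comparing with the
# files on disk, e.g. served_fingerprint wiki.somakeit.org.uk 443. Needs network; not run here.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_deployed_certs DAYS LIVE_CERT DEPLOYED...
# Warns if LIVE_CERT expires within DAYS (renewal is probably failing) or if any DEPLOYED
# file does not carry the same certificate (stale copy, dangling link, wrong target).
# Returns 0 only if every check passes.
check_deployed_certs() {
    days="$1"; live="$2"; shift 2
    rc=0
    if cert_valid_for_days "$live" "$days"; then
        echo "OK: $live is valid for at least $days more days"
    else
        echo "WARN: $live expires within $days days; check the certbot output in syslog"
        rc=1
    fi
    for deployed in "$@"; do
        if cert_matches "$live" "$deployed"; then
            echo "OK: $deployed matches $live"
        else
            echo "WARN: $deployed differs from $live (stale copy, or service not reloaded?)"
            rc=1
        fi
    done
    return $rc
}

# Run against the Yoshi locations from the runbook when invoked as: sh check-certs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_deployed_certs 14 "$LIVE_DIR/fullchain.pem" \
        /etc/nginx/ssl/spacehub.somakeit.org.uk/fullchain.pem \
        /etc/nginx/ssl/wiki.somakeit.org.uk/ssl-unified.crt \
        /etc/mosquitto/certs/server.crt
fi
```

The 14-day threshold is deliberately inside certbot's own renewal window (it renews at 30 days before expiry), so a warning from this check means the cron job has not succeeded for at least a couple of weeks, which is worth looking at before clients start seeing expiry errors.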
