Automatic certificate management using Certbot
Enable squashfs before installing certbot (the snap-based certbot package depends on it).
Edit /etc/modprobe.d/deltagon.conf and remove the line "install squashfs /bin/true" that blocks the module, then load it:
modprobe squashfs
Install certbot. Follow the official installation instructions (external source)
Want to use different ACME server than letsencrypt? Check: Certbot documentation (external source)
The following variables are used in this guide. Replace them with the correct values for your installation:
- $INSTANCE is the name of the instance, for example: client
- $INSTANCE_FQDN is the FQDN of the instance, for example: client.example.org
- $INSTANCE_IPADDRESS is the IP address of the instance on the server, for example: 192.168.1.100
Use active node when renewing or registering domain with certbot.
When using HTTP verification you have to create an Apache virtual host for port 80 and make sure firewalls allow inbound TCP port 80 traffic to the instance address. Create the port 80 configuration file and save it to /etc/httpd/conf.d/, for example as $INSTANCE_80.conf. Replace the variables $INSTANCE_IPADDRESS, $INSTANCE_FQDN and $INSTANCE:
<VirtualHost $INSTANCE_IPADDRESS:80>
    ServerName $INSTANCE_FQDN
    ErrorLog /var/log/httpd/d3-$INSTANCE/error_log
    CustomLog /var/log/httpd/d3-$INSTANCE/access_log combined
    # Everything on port 80, including the ACME HTTP-01 challenge request for
    # /.well-known/acme-challenge/, is redirected to HTTPS. The ACME server
    # follows the redirect, so the HTTPS virtual host of this instance must
    # serve the webroot given to certbot (/server/$INSTANCE/www/).
    Redirect permanent / https://$INSTANCE_FQDN
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =$INSTANCE_FQDN
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Replace the variables $INSTANCE and $INSTANCE_FQDN and run the following commands. They set shell variables so that the certbot commands below can be copied and pasted as-is:
export INSTANCE=$INSTANCE
export INSTANCE_FQDN=$INSTANCE_FQDN
First check with --dry-run that certbot can obtain the certificate (this runs the validation against the ACME staging environment and issues nothing):
[root@n1 ~]# certbot certonly --dry-run --deploy-hook /opt/Sec\@GW/bin/acme-deploy-hook.sh --webroot-path /server/$INSTANCE/www/ --cert-name $INSTANCE_FQDN -d $INSTANCE_FQDN
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Simulating a certificate request for your.domain.tld
The dry run was successful.
If the dry run was successful, run the same command without --dry-run to request the real certificate:
[root@n1 ~]# certbot certonly --deploy-hook /opt/Sec\@GW/bin/acme-deploy-hook.sh --webroot-path /server/$INSTANCE/www/ --cert-name $INSTANCE_FQDN -d $INSTANCE_FQDN
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The /opt/Sec@GW/bin/acme-deploy-hook.sh script copies the renewed certificate into the directory that Sec@GW uses and reloads Apache. Before overwriting anything it creates backups of the existing certificates in the same Sec@GW certificate directory. Certbot runs the hook only after a successful issuance or renewal.
On single node installations certificate renewal is added to systemd timers automatically. You can verify this by running the following command:
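To make the behaviour of the hook concrete, here is an added example of a deploy hook written for this guide; it is not the Sec@GW acme-deploy-hook.sh itself. It relies on two facts about certbot: a --deploy-hook runs only after a successful issuance or renewal, and certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<cert-name> directory) and RENEWED_DOMAINS to the hook. The target directories /etc/opt/Sec@GW/ssl.crt and /etc/opt/Sec@GW/ssl.key and the file names $INSTANCE_FQDN.crt / $INSTANCE_FQDN.key are assumptions based on the directories mentioned later in this guide; the reload command is assumed to be "systemctl reload httpd".

```shell
#!/bin/sh
# Example certbot deploy hook (added for this guide, not the Sec@GW script).
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs the hook.
set -eu

# Assumed Sec@GW locations; override through the environment if they differ.
CERT_DIR="${SECGW_CERT_DIR:-/etc/opt/Sec@GW/ssl.crt}"
KEY_DIR="${SECGW_KEY_DIR:-/etc/opt/Sec@GW/ssl.key}"
RELOAD_CMD="${SECGW_RELOAD_CMD:-systemctl reload httpd}"

# deploy_cert LINEAGE NAME CERT_DIR KEY_DIR
# Backs up NAME.crt / NAME.key with a timestamp suffix if they exist, then
# installs fullchain.pem and privkey.pem from LINEAGE under those names.
# The private key is installed readable by root only.
deploy_cert() {
    lineage=$1
    name=$2
    cert_dir=$3
    key_dir=$4
    stamp=$(date +%Y%m%d%H%M%S)

    # Refuse to touch anything unless both renewed files are present.
    if [ ! -f "$lineage/fullchain.pem" ] || [ ! -f "$lineage/privkey.pem" ]; then
        echo "deploy hook: fullchain.pem or privkey.pem missing in $lineage" >&2
        return 1
    fi
    mkdir -p "$cert_dir" "$key_dir"

    # Keep the previous certificate and key so a bad renewal can be rolled back.
    if [ -f "$cert_dir/$name.crt" ]; then
        cp -p "$cert_dir/$name.crt" "$cert_dir/$name.crt.$stamp.bak"
    fi
    if [ -f "$key_dir/$name.key" ]; then
        cp -p "$key_dir/$name.key" "$key_dir/$name.key.$stamp.bak"
    fi

    # install(1) writes the file and sets the mode in one step.
    install -m 0644 "$lineage/fullchain.pem" "$cert_dir/$name.crt"
    install -m 0600 "$lineage/privkey.pem" "$key_dir/$name.key"
}

# Only act when certbot invoked us; the lineage directory name is the
# --cert-name, which this guide sets to $INSTANCE_FQDN.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")" "$CERT_DIR" "$KEY_DIR"
    echo "deploy hook: installed certificate for ${RENEWED_DOMAINS:-?}, reloading Apache"
    $RELOAD_CMD
fi
```

Because the hook refuses to run when either renewed file is missing and never deletes the previous files, a failed copy leaves the currently served certificate in place; the timestamped .bak files are what you restore from if Apache fails to reload with the new material.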
systemctl list-timers
Servers with two nodes
Disable the certbot systemd timer on both nodes after installing certbot, so that renewal is driven only by the cron job described below:
systemctl disable --now snap.certbot.renew.timer
Sync the /etc/letsencrypt directory to the passive node. Use tar so that the symlinks in /etc/letsencrypt/live/ are preserved.
On the active node create a tar package of the letsencrypt directory and scp the tar package to the passive node:
cd /etc/letsencrypt/
tar cvf letsencrypt.tar *
On the passive node back up the existing letsencrypt directory and unpack the data from the active node:
mv /etc/letsencrypt/* /some/backupDir/
tar xvf /home/user/letsencrypt.tar -C /etc/letsencrypt/
Before continuing, check the /etc/opt/Sec@GW/ssl.crt/ and /etc/opt/Sec@GW/ssl.key/ directories on the passive node to confirm that dsync has synced the certificate to the passive node.
It is a good idea to swap the passive node to active at this point and test that certbot renewal works there as well with the command:
certbot --dry-run renew
After everything seems fine, create the following cron script on both nodes in /etc/cron.daily/ (remember to add the +x permission), OR create a crontab entry that runs it twice a day. The script only calls certbot on the node that is currently ACTIVE, so the two nodes never renew at the same time:
#!/usr/bin/perl
use strict;
use warnings;
# Ask Sec@GW which role this node currently has.
my $status = `/opt/Sec\@GW/bin/get_status.sh`;
chomp($status);    # strip a trailing newline, otherwise the eq test never matches
if ($status eq "ACTIVE") {
    system("certbot", "renew") == 0 or die "certbot renew failed: $?\n";
}