Diffstat (limited to 'www/posts/letsencrypt/atom.xml')
| -rw-r--r-- | www/posts/letsencrypt/atom.xml | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/www/posts/letsencrypt/atom.xml b/www/posts/letsencrypt/atom.xml index 4feba15..86f2f5e 100644 --- a/www/posts/letsencrypt/atom.xml +++ b/www/posts/letsencrypt/atom.xml 
@@ -12,10 +12,10 @@ <author><name>David T. Sadler.</name></author> <published>2021-05-28T12:00:00Z</published> <updated>2021-05-28T12:00:00Z</updated> - <content type="html"><h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. 
Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + <content type="html"><h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let&#039;s Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. 
Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh EMAIL=username@example.com -PASSWORD='super strong password' +PASSWORD=&#039;super strong password&#039; # Create TXT record curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt 
@@ -24,10 +24,10 @@ curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWO sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh EMAIL=username@example.com -PASSWORD='super strong password' +PASSWORD=&#039;super strong password&#039; # Delete TXT record -curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. 
Sadler.</p><a href="/">Return to Homepage.</a></content> +curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let&#039;s Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let&#039;s Encrypt - Read More Posts.</a><p>I don&#039;t have comments as I don&#039;t want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></content> </entry><entry> <title type="text">Wildcard Certificates with Let's Encrypt</title> <id>https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/</id> 
@@ -35,7 +35,7 @@ curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASS <author><name>David T. Sadler.</name></author> <published>2021-05-27T12:00:00Z</published> <updated>2021-05-27T12:00:00Z</updated> - <content type="html"><h1>Wildcard Certificates with Let's Encrypt</h1><blockquote>Thu 27th May 2021 By David T. Sadler.</blockquote><p>Currently my little bit of the internet is davidtsadler.com. However I have a few ideas for some other projects that I would like to host under a subdomain. For example at some point I want to make my source code available at git.davidtsadler.com. I also want SSL on each of the sites.</p><p>Since I'm self hosting my sites I can make use of Let's Encrypt to obtain the nessecary certificates. However I don't want the hassle of maintaing a seperate certificate for each site so I'm going with having a single wildcard certificate that will be valid for each subdomain.</p><p>Obtaining a wildcard certificate can be done with the certbot command.</p><pre><code class="shell">$ sudo certbot certonly --manual --preferred-challenges=dns --email me@email.com --agree-tos -d &quot;*.davidtsadler.com,davidtsadler.com&quot;</code></pre><ul><li>certonly This will obtain and save the certificate but will not install it. That is left to you.</li><li>--manual Obtains certificates interactively.</li><li>--preferred-challenges=dns Tells certbot that I will use the dns method to prove I own the domain name.</li><li>--email Email address used for registration and recovery contact.</li><li>--agree-tos Automatically agree to the terms of service.</li><li>-d Comma seperataed list of domain names that the certificate should cover.</li></ul><p>There are a couple of things to note with the above command. For starters I had to specifiy both *.davidtsadler and davidtsadler.com as the domains. This is because if I did not include davidtsadler.com then only subdomains would be covered by the certificate. 
In other words *.davidtsadler means any subdomain under davidtsadler.com but not the domain davidtsadler.com itself. </p><p>Secondaly, due to how my dns is been managed I could not have certbot automatically add the appropriate dns entries in order for it to validate the authenancy of the domain name. Instead certbot displayed the instructions needed to manually add two TXT records to my dns. Once I had done this certbot was happy that I owned the domain that the certificate would cover.</p><p>Running the certbot command results in the certificates been saved in /etc/letsencrypt/live/davidtsadler.com/</p><p>After that all I need to do is ensure that Apache has SSL support enabled and then add the below settings to my vhost file which tells Apache where to find the certificates.</p><pre>SSLCertificateFile /etc/letsencrypt/live/davidtsadler.com/fullchain.pem -SSLCertificateKeyFile /etc/letsencrypt/live/davidtsadler.com/privkey.pem</pre><p>Now in future I can simply create the required vhost file for the new subdomain site and have it use the same certificate as the others.</p><h3>Links</h3><a href="https://davidtsadler.com">davidtsadler.com - My little bit of the internet.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></content> + <content type="html"><h1>Wildcard Certificates with Let&#039;s Encrypt</h1><blockquote>Thu 27th May 2021 By David T. Sadler.</blockquote><p>Currently my little bit of the internet is davidtsadler.com. 
However I have a few ideas for some other projects that I would like to host under a subdomain. For example at some point I want to make my source code available at git.davidtsadler.com. I also want SSL on each of the sites.</p><p>Since I&#039;m self hosting my sites I can make use of Let&#039;s Encrypt to obtain the nessecary certificates. However I don&#039;t want the hassle of maintaing a seperate certificate for each site so I&#039;m going with having a single wildcard certificate that will be valid for each subdomain.</p><p>Obtaining a wildcard certificate can be done with the certbot command.</p><pre><code class="shell">$ sudo certbot certonly --manual --preferred-challenges=dns --email me@email.com --agree-tos -d &quot;*.davidtsadler.com,davidtsadler.com&quot;</code></pre><ul><li>certonly This will obtain and save the certificate but will not install it. That is left to you.</li><li>--manual Obtains certificates interactively.</li><li>--preferred-challenges=dns Tells certbot that I will use the dns method to prove I own the domain name.</li><li>--email Email address used for registration and recovery contact.</li><li>--agree-tos Automatically agree to the terms of service.</li><li>-d Comma seperataed list of domain names that the certificate should cover.</li></ul><p>There are a couple of things to note with the above command. For starters I had to specifiy both *.davidtsadler and davidtsadler.com as the domains. This is because if I did not include davidtsadler.com then only subdomains would be covered by the certificate. In other words *.davidtsadler means any subdomain under davidtsadler.com but not the domain davidtsadler.com itself. </p><p>Secondaly, due to how my dns is been managed I could not have certbot automatically add the appropriate dns entries in order for it to validate the authenancy of the domain name. Instead certbot displayed the instructions needed to manually add two TXT records to my dns. 
Once I had done this certbot was happy that I owned the domain that the certificate would cover.</p><p>Running the certbot command results in the certificates been saved in /etc/letsencrypt/live/davidtsadler.com/</p><p>After that all I need to do is ensure that Apache has SSL support enabled and then add the below settings to my vhost file which tells Apache where to find the certificates.</p><pre>SSLCertificateFile /etc/letsencrypt/live/davidtsadler.com/fullchain.pem +SSLCertificateKeyFile /etc/letsencrypt/live/davidtsadler.com/privkey.pem</pre><p>Now in future I can simply create the required vhost file for the new subdomain site and have it use the same certificate as the others.</p><h3>Links</h3><a href="https://davidtsadler.com">davidtsadler.com - My little bit of the internet.</a><a href="/posts/letsencrypt/">Let&#039;s Encrypt - Read More Posts.</a><p>I don&#039;t have comments as I don&#039;t want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></content> </entry> </feed>
\ No newline at end of file |
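Review bot: in the @@ -12 hunk the auth script's `--user $EMAIL:$PASSWORD` is unquoted, so with the example value `PASSWORD='super strong password'` the shell splits it into `--user username@example.com:super strong password`, curl treats `strong` and `password` as extra URL arguments, and the request authenticates with the wrong password. The hunk only re-encodes the apostrophes, so the bug is carried over unchanged; quote it as `--user "$EMAIL:$PASSWORD"` in the post source. Separately, passing the secret on the curl command line makes it visible in the process table to other local users for the duration of the request; reading it from a mode-0600 file via curl's `--netrc-file` option keeps it off the command line.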
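Review bot: the cleanup script in the @@ -24 hunk repeats the unquoted `--user $EMAIL:$PASSWORD` from the auth script, and the cron line ends with `> /dev/null 2>&1`, which discards certbot's stderr on top of `-q`; a failing hook (the DELETE returning an error and the TXT record lingering, or the auth POST being rejected) therefore leaves no trace until the certificate has expired. Drop the `2>&1` redirect so cron mails errors, or redirect to a log file, and add `-f` to both curl calls so a non-2xx response gives a non-zero exit status that certbot reports.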
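Review bot: the @@ -35 hunk encodes the apostrophes inside `<content>` as `&#039;` but leaves the `<title type="text">Wildcard Certificates with Let's Encrypt</title>` context line with a literal apostrophe, so the feed now mixes the two forms; a literal `'` is valid XML either way, so this is a consistency point, but if the generator is meant to escape uniformly the title should get the same treatment. Since the content is being regenerated anyway, the post text still carries `*.davidtsadler` where `*.davidtsadler.com` is meant, plus `nessecary`, `seperate`, `seperataed`, `specifiy` and `Secondaly`; fixing those in the post source would flow into the feed on the next build.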
