Changes between Initial Version and Version 1 of howto/Certbot


Timestamp:
03/25/20 14:22:13 (5 years ago)
Author:
Edwin Eefting
Comment:

--

  • howto/Certbot

    v1 v1  
     1= Letsencrypt/Certbot activeren op SYN-3 =
     2
     3Via [https://letsencrypt.org/ Let's Encrypt] is het mogelijk om automatisch en veilig een SSL certificaat te verkrijgen. Nadat u dit eenmaal opgezet heeft heeft u er geen omkijken meer aan.
     4
     5* U heeft minimaal SYN-3 versie 5.1 nodig
     6
     7
     8== Activeren ===
     9
     10* Stel de gewenste dominen in in `/etc/webint/SSL_DOMAINS`. 1 domein per regel:
     11
     12{{{
     13[Syn-3] root@test.datux.nl ~# mcedit /etc/webint/SSL_DOMAINS
     14test.datux.nl
     15}}}
     16
     17* Vraag het initiele certificaat aan met het `syn3-acme-issue` commando:
     18
     19{{{
     20[Syn-3] root@test.datux.nl ~# syn3-acme-issue                                                                                                                                                                                                                               
     21SYN-3: Issueing TEST certificate
     22Stopping /service/apache2/ ...OK
     23[Wed Mar 25 14:11:07 CET 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
     24[Wed Mar 25 14:11:08 CET 2020] Standalone mode.
     25[Wed Mar 25 14:11:08 CET 2020] Create account key ok.
     26[Wed Mar 25 14:11:08 CET 2020] Registering account
     27[Wed Mar 25 14:11:10 CET 2020] Registered
     28[Wed Mar 25 14:11:10 CET 2020] ACCOUNT_THUMBPRINT='EdyZNMe80AOVAZMsAFqRk2Np4ay3mUWnPKNaJq2xSZE'
     29[Wed Mar 25 14:11:10 CET 2020] Creating domain key
     30[Wed Mar 25 14:11:10 CET 2020] The domain key is here: /etc/acme/test/test.datux.nl/test.datux.nl.key
     31[Wed Mar 25 14:11:10 CET 2020] Single domain='test.datux.nl'
     32[Wed Mar 25 14:11:11 CET 2020] Getting domain auth token for each domain
     33[Wed Mar 25 14:11:12 CET 2020] Getting webroot for domain='test.datux.nl'
     34[Wed Mar 25 14:11:12 CET 2020] Verifying: test.datux.nl
     35[Wed Mar 25 14:11:12 CET 2020] Standalone mode server
     36[Wed Mar 25 14:11:16 CET 2020] Success
     37[Wed Mar 25 14:11:16 CET 2020] Verify finished, start to sign.
     38[Wed Mar 25 14:11:16 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12897409/81101479
     39[Wed Mar 25 14:11:18 CET 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2710c15cfa0f9b3bf829dc7456eb2de9e
     40[Wed Mar 25 14:11:19 CET 2020] Cert success.
     41-----BEGIN CERTIFICATE-----
     42MIIFNjCCBB6gAwIBAgITAPricQwVz6D5s7+CncdFbrLenjANBgkqhkiG9w0BAQsF
     43ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMDAzMjUx
     44...
     45y/E8JgQOITv+3DPndSb/kEr+rf4E8ZO9a8JJIAtEwLuyOjHSxYIySFea21Kyk4If
     46b+8rz8+czgNDIDq1T866I4EyfbI6U0F4Eh5pqzW82rhxoB0+62Vox6KZhhh54/45
     47IzwzVe1d9fYnnDDFpFfSfxKe+TGaIuK1p6BYgl5yoO5dGUAJnpslU2Wd
     48-----END CERTIFICATE-----
     49[Wed Mar 25 14:11:19 CET 2020] Your cert is in  /etc/acme/test/test.datux.nl/test.datux.nl.cer
     50[Wed Mar 25 14:11:19 CET 2020] Your cert key is in  /etc/acme/test/test.datux.nl/test.datux.nl.key
     51[Wed Mar 25 14:11:19 CET 2020] The intermediate CA cert is in  /etc/acme/test/test.datux.nl/ca.cer
     52[Wed Mar 25 14:11:19 CET 2020] And the full chain certs is there:  /etc/acme/test/test.datux.nl/fullchain.cer
     53Starting /service/apache2/ ...DONE
     54SYN-3: Issueing LIVE certificate
     55Stopping /service/apache2/ ....OK
     56[Wed Mar 25 14:11:20 CET 2020] Standalone mode.
     57[Wed Mar 25 14:11:21 CET 2020] Create account key ok.
     58[Wed Mar 25 14:11:21 CET 2020] Registering account
     59[Wed Mar 25 14:11:22 CET 2020] Registered
     60[Wed Mar 25 14:11:22 CET 2020] ACCOUNT_THUMBPRINT='FdPrS_aYthE1QzCudmNH9cq42dOo2TV4ur2rpnOgI5o'
     61[Wed Mar 25 14:11:22 CET 2020] Creating domain key
     62[Wed Mar 25 14:11:22 CET 2020] The domain key is here: /etc/acme/live/test.datux.nl/test.datux.nl.key
     63[Wed Mar 25 14:11:22 CET 2020] Single domain='test.datux.nl'
     64[Wed Mar 25 14:11:22 CET 2020] Getting domain auth token for each domain
     65[Wed Mar 25 14:11:24 CET 2020] Getting webroot for domain='test.datux.nl'
     66[Wed Mar 25 14:11:24 CET 2020] Verifying: test.datux.nl
     67[Wed Mar 25 14:11:24 CET 2020] Standalone mode server
     68[Wed Mar 25 14:11:28 CET 2020] Success
     69[Wed Mar 25 14:11:28 CET 2020] Verify finished, start to sign.
     70[Wed Mar 25 14:11:28 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/81553945/2775105307
     71[Wed Mar 25 14:11:30 CET 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/041ac68861d3d4feb7030d1aafb8c13a0595
     72[Wed Mar 25 14:11:31 CET 2020] Cert success.
     73-----BEGIN CERTIFICATE-----
     74MIIFVDCCBDygAwIBAgISBBrGiGHT1P63Aw0ar7jBOgWVMA0GCSqGSIb3DQEBCwUA
     75MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
     76...
     777uY3aEZ+bfp8NH7xIkD/jpjoSUKYadvg86ZcoVc5bnFL7ekC8uBnogO2j29Y7Pb4
     78glRCWdfbjGBxuOCLL7HAwHes7NxsQlDN
     79-----END CERTIFICATE-----
     80[Wed Mar 25 14:11:31 CET 2020] Your cert is in  /etc/acme/live/test.datux.nl/test.datux.nl.cer
     81[Wed Mar 25 14:11:31 CET 2020] Your cert key is in  /etc/acme/live/test.datux.nl/test.datux.nl.key
     82[Wed Mar 25 14:11:31 CET 2020] The intermediate CA cert is in  /etc/acme/live/test.datux.nl/ca.cer
     83[Wed Mar 25 14:11:31 CET 2020] And the full chain certs is there:  /etc/acme/live/test.datux.nl/fullchain.cer
     84[Wed Mar 25 14:11:31 CET 2020] Installing key to:/usr/webint/ssl/server.pem
     85[Wed Mar 25 14:11:31 CET 2020] Installing full chain to:/usr/webint/ssl/server.crt
     86Starting /service/apache2/ ...DONE
     87}}}
     88Er word eerst een test certificaat aangevraagd en daarna een echt certiciaat.
     89
     90Hierna is het certificaat actief.
     91
     92=== Vernieuwen ===
     93
     94Het vernieuwen gebeurd wekelijks automatisch door een cronjob. U kunt in de SYN-3 montoring zien of dit goed gegaan is.
     95
     96Als er wat mis gaat kunt u handmatig vernieuwen via `syn3-acme-renew` om te zien wat er gebeurd:
     97
     98{{{
     99[Syn-3] root@test.datux.nl ~# syn3-acme-renew                                                                                                                                                                                                                               
     100SYN-3: Renewing live certificate
     101Stopping /service/apache2/ ...OK
     102[Wed Mar 25 14:11:42 CET 2020] ===Starting cron===
     103[Wed Mar 25 14:11:42 CET 2020] Renew: 'test.datux.nl'
     104[Wed Mar 25 14:11:42 CET 2020] Skip, Next renewal time is: Sun May 24 15:11:31 2020
     105[Wed Mar 25 14:11:42 CET 2020] Add '--force' to force to renew.
     106[Wed Mar 25 14:11:42 CET 2020] Skipped test.datux.nl
     107[Wed Mar 25 14:11:42 CET 2020] ===End cron===
     108Starting /service/apache2/ ...DONE
     109[Syn-3] root@test.datux.nl ~#                                                                     
     110
     111}}}
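Review bot: The text never mentions that the web server goes down during certificate operations, although the pasted output shows it. In the renew example (diff lines 99-108) `syn3-acme-renew` prints "Stopping /service/apache2/" and "Starting /service/apache2/" around a run that is skipped ("Skip, Next renewal time is: Sun May 24 15:11:31 2020"), and the issue run (diff lines 20-86) stops Apache twice for the "Standalone mode server" validation. The introduction on diff line 3 promises that no further attention is needed after setup, so the how-to should state that Apache is briefly unavailable during issuance and whenever `syn3-acme-renew` runs, including runs where nothing is renewed. Smaller points in the same hunk: the title names Certbot while every command and path shown is `syn3-acme-issue`, `syn3-acme-renew` and `/etc/acme/...`; the heading on diff line 8 opens with `==` but closes with `===`, and diff line 92 uses `===` for what reads as a sibling section; and there are typos to fix in "dominen" (line 10), "certiciaat" (line 88), "montoring" (line 94) and the doubled "heeft heeft" (line 3).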