= Enabling Letsencrypt/Certbot on SYN-3 =

With [https://letsencrypt.org/ Let's Encrypt] it is possible to obtain an SSL certificate automatically and securely. Once you have set this up, it needs no further attention.

* You need at least SYN-3 version 5.1

== Enabling ==

* Set the desired domains in `/etc/webint/SSL_DOMAINS`, one domain per line:

{{{
[Syn-3] root@test.datux.nl ~# mcedit /etc/webint/SSL_DOMAINS
test.datux.nl
}}}

* Request the initial certificate with the `syn3-acme-issue` command:

{{{
[Syn-3] root@test.datux.nl ~# syn3-acme-issue
SYN-3: Issueing TEST certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:07 CET 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed Mar 25 14:11:08 CET 2020] Standalone mode.
[Wed Mar 25 14:11:08 CET 2020] Create account key ok.
[Wed Mar 25 14:11:08 CET 2020] Registering account
[Wed Mar 25 14:11:10 CET 2020] Registered
[Wed Mar 25 14:11:10 CET 2020] ACCOUNT_THUMBPRINT='EdyZNMe80AOVAZMsAFqRk2Np4ay3mUWnPKNaJq2xSZE'
[Wed Mar 25 14:11:10 CET 2020] Creating domain key
[Wed Mar 25 14:11:10 CET 2020] The domain key is here: /etc/acme/test/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:10 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:11 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:12 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:12 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:12 CET 2020] Standalone mode server
[Wed Mar 25 14:11:16 CET 2020] Success
[Wed Mar 25 14:11:16 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:16 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12897409/81101479
[Wed Mar 25 14:11:18 CET 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2710c15cfa0f9b3bf829dc7456eb2de9e
[Wed Mar 25 14:11:19 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgITAPricQwVz6D5s7+CncdFbrLenjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMDAzMjUx
...
y/E8JgQOITv+3DPndSb/kEr+rf4E8ZO9a8JJIAtEwLuyOjHSxYIySFea21Kyk4If
b+8rz8+czgNDIDq1T866I4EyfbI6U0F4Eh5pqzW82rhxoB0+62Vox6KZhhh54/45
IzwzVe1d9fYnnDDFpFfSfxKe+TGaIuK1p6BYgl5yoO5dGUAJnpslU2Wd
-----END CERTIFICATE-----
[Wed Mar 25 14:11:19 CET 2020] Your cert is in /etc/acme/test/test.datux.nl/test.datux.nl.cer
[Wed Mar 25 14:11:19 CET 2020] Your cert key is in /etc/acme/test/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:19 CET 2020] The intermediate CA cert is in /etc/acme/test/test.datux.nl/ca.cer
[Wed Mar 25 14:11:19 CET 2020] And the full chain certs is there: /etc/acme/test/test.datux.nl/fullchain.cer
Starting /service/apache2/ ...DONE
SYN-3: Issueing LIVE certificate
Stopping /service/apache2/ ....OK
[Wed Mar 25 14:11:20 CET 2020] Standalone mode.
[Wed Mar 25 14:11:21 CET 2020] Create account key ok.
[Wed Mar 25 14:11:21 CET 2020] Registering account
[Wed Mar 25 14:11:22 CET 2020] Registered
[Wed Mar 25 14:11:22 CET 2020] ACCOUNT_THUMBPRINT='FdPrS_aYthE1QzCudmNH9cq42dOo2TV4ur2rpnOgI5o'
[Wed Mar 25 14:11:22 CET 2020] Creating domain key
[Wed Mar 25 14:11:22 CET 2020] The domain key is here: /etc/acme/live/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:22 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:22 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:24 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:24 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:24 CET 2020] Standalone mode server
[Wed Mar 25 14:11:28 CET 2020] Success
[Wed Mar 25 14:11:28 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:28 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/81553945/2775105307
[Wed Mar 25 14:11:30 CET 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/041ac68861d3d4feb7030d1aafb8c13a0595
[Wed Mar 25 14:11:31 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVDCCBDygAwIBAgISBBrGiGHT1P63Aw0ar7jBOgWVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
...
7uY3aEZ+bfp8NH7xIkD/jpjoSUKYadvg86ZcoVc5bnFL7ekC8uBnogO2j29Y7Pb4
glRCWdfbjGBxuOCLL7HAwHes7NxsQlDN
-----END CERTIFICATE-----
[Wed Mar 25 14:11:31 CET 2020] Your cert is in /etc/acme/live/test.datux.nl/test.datux.nl.cer
[Wed Mar 25 14:11:31 CET 2020] Your cert key is in /etc/acme/live/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:31 CET 2020] The intermediate CA cert is in /etc/acme/live/test.datux.nl/ca.cer
[Wed Mar 25 14:11:31 CET 2020] And the full chain certs is there: /etc/acme/live/test.datux.nl/fullchain.cer
[Wed Mar 25 14:11:31 CET 2020] Installing key to:/usr/webint/ssl/server.pem
[Wed Mar 25 14:11:31 CET 2020] Installing full chain to:/usr/webint/ssl/server.crt
Starting /service/apache2/ ...DONE
}}}
A test certificate (from the Let's Encrypt staging environment, as the log shows) is requested first, and then the real certificate.

After this the certificate is active.

== Renewal ==

Renewal happens automatically every week via a cron job. You can see in the SYN-3 monitoring whether it succeeded.

If something goes wrong, you can renew manually with `syn3-acme-renew` to see what happens:

{{{
[Syn-3] root@test.datux.nl ~# syn3-acme-renew
SYN-3: Renewing live certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:42 CET 2020] ===Starting cron===
[Wed Mar 25 14:11:42 CET 2020] Renew: 'test.datux.nl'
[Wed Mar 25 14:11:42 CET 2020] Skip, Next renewal time is: Sun May 24 15:11:31 2020
[Wed Mar 25 14:11:42 CET 2020] Add '--force' to force to renew.
[Wed Mar 25 14:11:42 CET 2020] Skipped test.datux.nl
[Wed Mar 25 14:11:42 CET 2020] ===End cron===
Starting /service/apache2/ ...DONE
[Syn-3] root@test.datux.nl ~#
}}}
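As an added check to complement the SYN-3 monitoring (example code written for this page, not part of SYN-3), the following POSIX shell script verifies that the certificate installed by `syn3-acme-issue` / `syn3-acme-renew` is still valid for a minimum number of days and that `/usr/webint/ssl/server.crt` still belongs to `/usr/webint/ssl/server.pem`. The two paths are taken from the output above; the function names and the 14-day threshold are assumptions (Let's Encrypt certificates are valid for 90 days and the log above schedules renewal 60 days after issue, so fewer than 14 days left means several weekly renewals have failed).

```shell
#!/bin/sh
# Added example, not part of SYN-3: verify the certificate and key that
# syn3-acme-issue / syn3-acme-renew installed. The two paths are the ones
# printed in the output above; the 14-day threshold is an assumption.
DEFAULT_CRT=/usr/webint/ssl/server.crt   # full chain, leaf certificate first
DEFAULT_KEY=/usr/webint/ssl/server.pem   # private key
DEFAULT_MIN_DAYS=14

# cert_ok_for_days CERT DAYS: succeeds if the first certificate in CERT is
# still valid DAYS days from now (openssl does the clock check itself).
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeeds if the public key inside CERT equals
# the public key derived from KEY, i.e. chain and key belong together.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_installed [CERT] [KEY] [MIN_DAYS]: one status line per check,
# non-zero exit status if anything is wrong (usable from cron/monitoring).
check_installed() {
    crt=${1:-$DEFAULT_CRT}; key=${2:-$DEFAULT_KEY}; min=${3:-$DEFAULT_MIN_DAYS}
    rc=0
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "CRITICAL: $crt or $key is missing or unreadable"
        return 2
    fi
    if cert_ok_for_days "$crt" "$min"; then
        echo "OK: $crt is valid for at least $min more days"
    else
        echo "CRITICAL: $crt expires within $min days (weekly renewal failing?)"
        rc=2
    fi
    if key_matches_cert "$crt" "$key"; then
        echo "OK: $key matches $crt"
    else
        echo "CRITICAL: $key does not match $crt"
        rc=2
    fi
    return $rc
}

# Run as: sh check-ssl.sh --check [CERT KEY MIN_DAYS]; no arguments -> defaults.
case "$1" in --check) shift; check_installed "$@" ;; esac
```

Run it as root on the SYN-3 host after a renewal, or weekly from cron, and alert on a non-zero exit status.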