= Enabling Let's Encrypt/Certbot on SYN-3 =

Via [https://letsencrypt.org/ Let's Encrypt] you can obtain an SSL certificate automatically and securely. Once you have set this up, it needs no further attention.

* You need at least SYN-3 version 5.1


== Enabling ==

* Set the desired domains in `/etc/webint/SSL_DOMAINS`, one domain per line:

{{{
[Syn-3] root@test.datux.nl ~# mcedit /etc/webint/SSL_DOMAINS
test.datux.nl
}}}

* Request the initial certificate with the `syn3-acme-issue` command:

{{{
[Syn-3] root@test.datux.nl ~# syn3-acme-issue
SYN-3: Issueing TEST certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:07 CET 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed Mar 25 14:11:08 CET 2020] Standalone mode.
[Wed Mar 25 14:11:08 CET 2020] Create account key ok.
[Wed Mar 25 14:11:08 CET 2020] Registering account
[Wed Mar 25 14:11:10 CET 2020] Registered
[Wed Mar 25 14:11:10 CET 2020] ACCOUNT_THUMBPRINT='EdyZNMe80AOVAZMsAFqRk2Np4ay3mUWnPKNaJq2xSZE'
[Wed Mar 25 14:11:10 CET 2020] Creating domain key
[Wed Mar 25 14:11:10 CET 2020] The domain key is here: /etc/acme/test/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:10 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:11 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:12 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:12 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:12 CET 2020] Standalone mode server
[Wed Mar 25 14:11:16 CET 2020] Success
[Wed Mar 25 14:11:16 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:16 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12897409/81101479
[Wed Mar 25 14:11:18 CET 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2710c15cfa0f9b3bf829dc7456eb2de9e
[Wed Mar 25 14:11:19 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgITAPricQwVz6D5s7+CncdFbrLenjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMDAzMjUx
...
y/E8JgQOITv+3DPndSb/kEr+rf4E8ZO9a8JJIAtEwLuyOjHSxYIySFea21Kyk4If
b+8rz8+czgNDIDq1T866I4EyfbI6U0F4Eh5pqzW82rhxoB0+62Vox6KZhhh54/45
IzwzVe1d9fYnnDDFpFfSfxKe+TGaIuK1p6BYgl5yoO5dGUAJnpslU2Wd
-----END CERTIFICATE-----
[Wed Mar 25 14:11:19 CET 2020] Your cert is in /etc/acme/test/test.datux.nl/test.datux.nl.cer
[Wed Mar 25 14:11:19 CET 2020] Your cert key is in /etc/acme/test/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:19 CET 2020] The intermediate CA cert is in /etc/acme/test/test.datux.nl/ca.cer
[Wed Mar 25 14:11:19 CET 2020] And the full chain certs is there: /etc/acme/test/test.datux.nl/fullchain.cer
Starting /service/apache2/ ...DONE
SYN-3: Issueing LIVE certificate
Stopping /service/apache2/ ....OK
[Wed Mar 25 14:11:20 CET 2020] Standalone mode.
[Wed Mar 25 14:11:21 CET 2020] Create account key ok.
[Wed Mar 25 14:11:21 CET 2020] Registering account
[Wed Mar 25 14:11:22 CET 2020] Registered
[Wed Mar 25 14:11:22 CET 2020] ACCOUNT_THUMBPRINT='FdPrS_aYthE1QzCudmNH9cq42dOo2TV4ur2rpnOgI5o'
[Wed Mar 25 14:11:22 CET 2020] Creating domain key
[Wed Mar 25 14:11:22 CET 2020] The domain key is here: /etc/acme/live/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:22 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:22 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:24 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:24 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:24 CET 2020] Standalone mode server
[Wed Mar 25 14:11:28 CET 2020] Success
[Wed Mar 25 14:11:28 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:28 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/81553945/2775105307
[Wed Mar 25 14:11:30 CET 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/041ac68861d3d4feb7030d1aafb8c13a0595
[Wed Mar 25 14:11:31 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVDCCBDygAwIBAgISBBrGiGHT1P63Aw0ar7jBOgWVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
...
7uY3aEZ+bfp8NH7xIkD/jpjoSUKYadvg86ZcoVc5bnFL7ekC8uBnogO2j29Y7Pb4
glRCWdfbjGBxuOCLL7HAwHes7NxsQlDN
-----END CERTIFICATE-----
[Wed Mar 25 14:11:31 CET 2020] Your cert is in /etc/acme/live/test.datux.nl/test.datux.nl.cer
[Wed Mar 25 14:11:31 CET 2020] Your cert key is in /etc/acme/live/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:31 CET 2020] The intermediate CA cert is in /etc/acme/live/test.datux.nl/ca.cer
[Wed Mar 25 14:11:31 CET 2020] And the full chain certs is there: /etc/acme/live/test.datux.nl/fullchain.cer
[Wed Mar 25 14:11:31 CET 2020] Installing key to:/usr/webint/ssl/server.pem
[Wed Mar 25 14:11:31 CET 2020] Installing full chain to:/usr/webint/ssl/server.crt
Starting /service/apache2/ ...DONE
}}}
A test certificate is requested first (from the Let's Encrypt staging environment, as the log shows), followed by the real one.

After this the certificate is active.

=== Renewing ===

Renewal happens automatically every week via a cron job. You can check in the SYN-3 monitoring whether it succeeded.

If something goes wrong, you can renew manually with `syn3-acme-renew` to see what happens:

{{{
[Syn-3] root@test.datux.nl ~# syn3-acme-renew
SYN-3: Renewing live certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:42 CET 2020] ===Starting cron===
[Wed Mar 25 14:11:42 CET 2020] Renew: 'test.datux.nl'
[Wed Mar 25 14:11:42 CET 2020] Skip, Next renewal time is: Sun May 24 15:11:31 2020
[Wed Mar 25 14:11:42 CET 2020] Add '--force' to force to renew.
[Wed Mar 25 14:11:42 CET 2020] Skipped test.datux.nl
[Wed Mar 25 14:11:42 CET 2020] ===End cron===
Starting /service/apache2/ ...DONE
[Syn-3] root@test.datux.nl ~#
}}}
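The following is an added example, not part of SYN-3 or the page's own tooling: a small Python check that reads the `/etc/webint/SSL_DOMAINS` format (one domain per line) and the `syn3-acme-renew` output shown above, so that a monitoring job can tell, per configured domain, whether the weekly renewal succeeded, was skipped until the printed next-renewal date, failed, or was never handled at all. The sample file and log excerpt are constructed inline; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample of an /etc/webint/SSL_DOMAINS file (one domain per line).
SAMPLE_DOMAINS = "test.datux.nl\n\n# comment\nMail.Example.org \ntest.datux.nl\nbad domain!\n"
# Constructed excerpt of syn3-acme-renew output, in the format the page shows.
SAMPLE_LOG = """[Wed Mar 25 14:11:42 CET 2020] ===Starting cron===
[Wed Mar 25 14:11:42 CET 2020] Renew: 'test.datux.nl'
[Wed Mar 25 14:11:42 CET 2020] Skip, Next renewal time is: Sun May 24 15:11:31 2020
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
RENEW_RE = re.compile(r"\] Renew: '([^']+)'")
SKIP_RE = re.compile(r"\] Skip, Next renewal time is: (.+)$")


def parse_domains(text):
    """Return (valid, invalid) from SSL_DOMAINS: lowercased, deduplicated, syntax-checked."""
    valid, invalid = [], []
    for line in (l.strip().lower() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if not DOMAIN_RE.match(line):
            invalid.append(line)  # a typo here would break issuing for the whole run
        elif line not in valid:
            valid.append(line)
    return valid, invalid


def parse_renew_log(text):
    """Outcome per domain named in the renew output, plus the next renewal time when printed."""
    result, cur = {}, None
    for line in text.splitlines():
        m = RENEW_RE.search(line)
        if m:
            cur = m.group(1).lower()
            result[cur] = {"status": "unknown", "next_renewal": None}
        elif cur and (m := SKIP_RE.search(line)):  # certificate still valid, nothing to do
            result[cur]["next_renewal"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            result[cur]["status"] = "skipped"
        elif cur and "Cert success." in line:
            result[cur]["status"] = "renewed"
        elif cur and "error" in line.lower():
            result[cur]["status"] = "error"
    return result


def monitoring_status(domains_text, log_text):
    """Per configured domain: renewed / skipped / error, or 'not in log' if the cron never reached it."""
    valid, _ = parse_domains(domains_text)
    log = parse_renew_log(log_text)
    return {d: log[d]["status"] if d in log else "not in log" for d in valid}
```

A domain reported as `not in log` or `error` is the case to alert on; `skipped` with a next-renewal date in the future is the normal weekly result.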