wiki:howto/Certbot

Version 5 (modified by Edwin Eefting, 4 years ago) (diff)

--

Letsencrypt/Certbot activeren op SYN-3

Via Let's Encrypt is het mogelijk om automatisch en veilig een SSL certificaat te verkrijgen. Nadat u dit eenmaal opgezet heeft heeft u er geen omkijken meer aan.

  • U heeft minimaal SYN-3 versie 5.1 nodig

Activeren

  • Stel de gewenste dominen in in /etc/webint/SSL_DOMAINS. 1 domein per regel:
[Syn-3] root@test.datux.nl ~# mcedit /etc/webint/SSL_DOMAINS
test.datux.nl
  • Vraag het initiele certificaat aan met het syn3-acme-issue commando:
[Syn-3] root@test.datux.nl ~# syn3-acme-issue                                                                                                                                                                                                                                
SYN-3: Issueing TEST certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:07 CET 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed Mar 25 14:11:08 CET 2020] Standalone mode.
[Wed Mar 25 14:11:08 CET 2020] Create account key ok.
[Wed Mar 25 14:11:08 CET 2020] Registering account
[Wed Mar 25 14:11:10 CET 2020] Registered
[Wed Mar 25 14:11:10 CET 2020] ACCOUNT_THUMBPRINT='EdyZNMe80AOVAZMsAFqRk2Np4ay3mUWnPKNaJq2xSZE'
[Wed Mar 25 14:11:10 CET 2020] Creating domain key
[Wed Mar 25 14:11:10 CET 2020] The domain key is here: /etc/acme/test/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:10 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:11 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:12 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:12 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:12 CET 2020] Standalone mode server
[Wed Mar 25 14:11:16 CET 2020] Success
[Wed Mar 25 14:11:16 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:16 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12897409/81101479
[Wed Mar 25 14:11:18 CET 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2710c15cfa0f9b3bf829dc7456eb2de9e
[Wed Mar 25 14:11:19 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgITAPricQwVz6D5s7+CncdFbrLenjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMDAzMjUx
...
y/E8JgQOITv+3DPndSb/kEr+rf4E8ZO9a8JJIAtEwLuyOjHSxYIySFea21Kyk4If
b+8rz8+czgNDIDq1T866I4EyfbI6U0F4Eh5pqzW82rhxoB0+62Vox6KZhhh54/45
IzwzVe1d9fYnnDDFpFfSfxKe+TGaIuK1p6BYgl5yoO5dGUAJnpslU2Wd
-----END CERTIFICATE-----
[Wed Mar 25 14:11:19 CET 2020] Your cert is in  /etc/acme/test/test.datux.nl/test.datux.nl.cer 
[Wed Mar 25 14:11:19 CET 2020] Your cert key is in  /etc/acme/test/test.datux.nl/test.datux.nl.key 
[Wed Mar 25 14:11:19 CET 2020] The intermediate CA cert is in  /etc/acme/test/test.datux.nl/ca.cer 
[Wed Mar 25 14:11:19 CET 2020] And the full chain certs is there:  /etc/acme/test/test.datux.nl/fullchain.cer 
Starting /service/apache2/ ...DONE
SYN-3: Issueing LIVE certificate
Stopping /service/apache2/ ....OK
[Wed Mar 25 14:11:20 CET 2020] Standalone mode.
[Wed Mar 25 14:11:21 CET 2020] Create account key ok.
[Wed Mar 25 14:11:21 CET 2020] Registering account
[Wed Mar 25 14:11:22 CET 2020] Registered
[Wed Mar 25 14:11:22 CET 2020] ACCOUNT_THUMBPRINT='FdPrS_aYthE1QzCudmNH9cq42dOo2TV4ur2rpnOgI5o'
[Wed Mar 25 14:11:22 CET 2020] Creating domain key
[Wed Mar 25 14:11:22 CET 2020] The domain key is here: /etc/acme/live/test.datux.nl/test.datux.nl.key
[Wed Mar 25 14:11:22 CET 2020] Single domain='test.datux.nl'
[Wed Mar 25 14:11:22 CET 2020] Getting domain auth token for each domain
[Wed Mar 25 14:11:24 CET 2020] Getting webroot for domain='test.datux.nl'
[Wed Mar 25 14:11:24 CET 2020] Verifying: test.datux.nl
[Wed Mar 25 14:11:24 CET 2020] Standalone mode server
[Wed Mar 25 14:11:28 CET 2020] Success
[Wed Mar 25 14:11:28 CET 2020] Verify finished, start to sign.
[Wed Mar 25 14:11:28 CET 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/81553945/2775105307
[Wed Mar 25 14:11:30 CET 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/041ac68861d3d4feb7030d1aafb8c13a0595
[Wed Mar 25 14:11:31 CET 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVDCCBDygAwIBAgISBBrGiGHT1P63Aw0ar7jBOgWVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
...
7uY3aEZ+bfp8NH7xIkD/jpjoSUKYadvg86ZcoVc5bnFL7ekC8uBnogO2j29Y7Pb4
glRCWdfbjGBxuOCLL7HAwHes7NxsQlDN
-----END CERTIFICATE-----
[Wed Mar 25 14:11:31 CET 2020] Your cert is in  /etc/acme/live/test.datux.nl/test.datux.nl.cer 
[Wed Mar 25 14:11:31 CET 2020] Your cert key is in  /etc/acme/live/test.datux.nl/test.datux.nl.key 
[Wed Mar 25 14:11:31 CET 2020] The intermediate CA cert is in  /etc/acme/live/test.datux.nl/ca.cer 
[Wed Mar 25 14:11:31 CET 2020] And the full chain certs is there:  /etc/acme/live/test.datux.nl/fullchain.cer 
[Wed Mar 25 14:11:31 CET 2020] Installing key to:/usr/webint/ssl/server.pem
[Wed Mar 25 14:11:31 CET 2020] Installing full chain to:/usr/webint/ssl/server.crt
Starting /service/apache2/ ...DONE

Er word eerst een test certificaat aangevraagd en daarna een echt certificaat.

Hierna is het certificaat actief.

Vernieuwen

Het vernieuwen gebeurd wekelijks automatisch door een cronjob. U kunt in de SYN-3 montoring zien of dit goed gegaan is.

Als er wat mis gaat kunt u handmatig vernieuwen via syn3-acme-renew om te zien wat er gebeurd:

[Syn-3] root@test.datux.nl ~# syn3-acme-renew                                                                                                                                                                                                                                
SYN-3: Renewing live certificate
Stopping /service/apache2/ ...OK
[Wed Mar 25 14:11:42 CET 2020] ===Starting cron===
[Wed Mar 25 14:11:42 CET 2020] Renew: 'test.datux.nl'
[Wed Mar 25 14:11:42 CET 2020] Skip, Next renewal time is: Sun May 24 15:11:31 2020
[Wed Mar 25 14:11:42 CET 2020] Add '--force' to force to renew.
[Wed Mar 25 14:11:42 CET 2020] Skipped test.datux.nl
[Wed Mar 25 14:11:42 CET 2020] ===End cron===
Starting /service/apache2/ ...DONE
[Syn-3] root@test.datux.nl ~#