  1. #1
    Untangler
    Join Date
    Aug 2016
    Posts
    81

    Automatic update of letsencrypt certificate (with some extra info on subdomains)

    ******************************************
    This part is skippable, if you don't want backstory
    ******************************************

    So I decided to get all official with a domain and honest to goodness SSL certificate. I went with letsencrypt because the price was right, but I found that it, admittedly, had some initial inconveniences.

    One is that I wanted a cert that would be trusted for all my various servers for my internal use (I'm set up so that my internal DNS/ DHCP domain matches my public). Since LE doesn't offer wildcards, I had to add each subdomain to the certificate request, but that also means that, externally, LE needs to be able to talk to a server answering on ports 80 & 443 using public DNS (or you need a wwwroot for each subdomain). Since most of my subdomains aren't intended to route from outside my network, I have a www server set up in house w/ only apache running that gets forwarded 80 & 443 just to work w/ LE.

    ******************************************
    Here's the meat and potatoes
    ******************************************
    So at this point I have my handy cert sitting in a directory on my webserver. Initially I concatenated the cert and keyfile and then uploaded it via the GUI, but I wasn't keen on doing that every 60-90 days, so I SSH'd into my Untangle box and did a little scripting.
    Basically, my script grabs the fresh certs (I have an unpassworded keypair that I use for in-house things like this. Neither my Untangle nor my webserver answer to SSH from WAN) via scp, concatenates the keyfile to the cert, makes a backup of apache.pem in both its locations, copies the new one in their places and restarts apache.
    This obviously works alongside the webserver having its own cron job that keeps the cert renewed. Since every letsencrypt tutorial covers that, it's beyond the scope of this post.

    TL;DR
    Here's my script, it does rely on the server that I'm scp-ing to having the cert (and renewing them) and an unpassworded keypair (though you could use password auth and pass it as a parameter to scp):
    Code:
    #!/bin/bash
    rm -rf /root/<domain_name>/* # it should be obvious, but I previously made a directory named for my public domain
    scp root@192.168.2.7:/etc/letsencrypt/live/<domain_name>/* /root/<domain_name>/ # this line pulls the current certs from the webserver
    touch /root/<domain_name>/apache.pem # creates the combined cert file that we'll be using at the end
    cat /root/<domain_name>/cert.pem > /root/<domain_name>/apache.pem # reads the actual cert into the combined file (path must be absolute)
    cat /root/<domain_name>/privkey.pem >> /root/<domain_name>/apache.pem # adds the keyfile, because that's what Untangle (or apache) wants
    # backup current certs (both places Untangle keeps apache.pem)
    mv -f /usr/share/untangle/settings/untangle-certificates/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem.bak
    mv -f /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache.pem.bak
    # copy new cert into place
    cp /root/<domain_name>/apache.pem /etc/apache2/ssl/
    cp /root/<domain_name>/apache.pem /usr/share/untangle/settings/untangle-certificates/
    service apache2 restart # restart web server so it picks up the new cert
    Finally make the script executable, and add it to cron. I have my webserver attempting cert renewal Sun and Wed and this script running a half hour later. I could add logic so it only runs if there's actually a renewed cert, but don't see the harm in it running twice a week regardless.

    I'm all ears as to why I shouldn't do this, but I no longer have broken SSL on the https admin sites, and it shouldn't require any manual intervention to keep it that way. Also, being new to certs in general, should I be using the fullchain.pem that I get from LE instead of just the cert?


    Mods:
    I found scarce little concerning letsencrypt certs. If I'm mistaken, and this is basically a dupe, feel free to lock/ merge. If it's not... I'd love to make the Wiki

  2. #2
    Untangler
    Join Date
    Aug 2016
    Posts
    81


    So, I got thinking about the unnecessary bouncing of services, and realized that the addition of one line would add a lot of intelligence to my script.

    Code:
    #!/bin/bash
    rm -rf /root/thezimms.us/*
    scp root@192.168.2.252:/etc/letsencrypt/live/thezimms.us/* /root/thezimms.us/
    touch /root/thezimms.us/apache.pem
    cat /root/thezimms.us/cert.pem > /root/thezimms.us/apache.pem
    cat /root/thezimms.us/privkey.pem >> /root/thezimms.us/apache.pem
    # only touch the installed cert (and restart apache) if the freshly built one differs
    if ! cmp /root/thezimms.us/apache.pem /etc/apache2/ssl/apache.pem
    then
            mv -f /usr/share/untangle/settings/untangle-certificates/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem.bak
            mv -f /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache.pem.bak
            cp /root/thezimms.us/apache.pem /etc/apache2/ssl/
            cp /root/thezimms.us/apache.pem /usr/share/untangle/settings/untangle-certificates/
            # log the date of each real renewal
            echo '==================================' >> /var/log/ssl-renew.log
            echo $(date) >> /var/log/ssl-renew.log
            echo '==================================' >> /var/log/ssl-renew.log
            echo "SSL Certificate has been renewed." # goes to stdout (cron mail), not the log file
            service apache2 restart
    fi
    Just like that it now checks that the certs are different before copying the new one into place and bouncing apache. I've also added some logging just so I can see when the cert actually updates.

    Happy hacking!
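The two scripts above write a file containing the private key with whatever the default umask gives, never check that the fetched cert and key actually belong together, and (in the first version) bounce apache on every run. The script below is an added example, not the poster's code, showing the install step with those points handled: a restrictive umask for the combined file, an openssl check that cert.pem matches privkey.pem and is not about to expire, fullchain.pem (leaf plus intermediate, which is what clients need to build the chain) instead of cert.pem, a temp-file-and-rename install with mode 0600 and a .bak of the old file, and a restart plus log entry only when something changed. It assumes the LE files have already been pulled into a source directory (for instance by the scp line from the post), that openssl is installed on the Untangle box, and uses the two destination paths from the post; the `--run` flag and `DOMAIN` variable are this example's own conventions.

```shell
#!/bin/bash
# Added example, not the poster's script. Assumes cert.pem, fullchain.pem and
# privkey.pem are already in the source directory and that openssl exists.
set -eu

# Concatenate fullchain.pem and the private key under a restrictive umask so
# the combined file, which holds the key, is created mode 0600.
build_combined_pem() {
    local src_dir=$1 out=$2
    rm -f "$out"
    ( umask 077; cat "$src_dir/fullchain.pem" "$src_dir/privkey.pem" > "$out" )
}

# Refuse to install a cert whose public key does not match the private key,
# or one that expires within the next 7 days (604800 s). Requires openssl.
verify_pair() {
    local src_dir=$1 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$src_dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$src_dir/privkey.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "cert.pem and privkey.pem do not match" >&2
        return 1
    fi
    if ! openssl x509 -in "$src_dir/cert.pem" -noout -checkend 604800 >/dev/null; then
        echo "cert.pem expires within 7 days; did renewal on the web server fail?" >&2
        return 1
    fi
}

# Install $1 at $2 only if the content differs. Keeps a .bak of the old file
# and writes mode 0600 via a temp file + rename, so apache never reads a
# half-written file. Prints "installed" or "unchanged" for the caller.
install_if_changed() {
    local new=$1 dest=$2
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        echo unchanged
        return 0
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak"
    fi
    install -m 0600 "$new" "$dest.tmp"
    mv -f "$dest.tmp" "$dest"
    echo installed
}

# Whole run with the post's two destination paths; the restart and the log
# line (with the cert's SHA-256 fingerprint) happen only on a real change.
renew_cert() {
    local src_dir=$1 log=${2:-/var/log/ssl-renew.log}
    local combined="$src_dir/apache.pem" changed=0 dest status
    verify_pair "$src_dir"
    build_combined_pem "$src_dir" "$combined"
    for dest in /etc/apache2/ssl/apache.pem \
                /usr/share/untangle/settings/untangle-certificates/apache.pem; do
        status=$(install_if_changed "$combined" "$dest")
        if [ "$status" = installed ]; then
            changed=1
        fi
    done
    if [ "$changed" = 1 ]; then
        printf '%s installed %s\n' "$(date '+%F %T')" \
            "$(openssl x509 -in "$src_dir/cert.pem" -noout -fingerprint -sha256)" >> "$log"
        service apache2 restart
    fi
}

# Only runs the install when invoked as:  DOMAIN=<domain_name> ./renew.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_cert "/root/${DOMAIN:?set DOMAIN to the directory name under /root}"
fi
```

Drop this in after the scp line and cron it as before; because `install_if_changed` reports whether anything changed, running it twice a week is harmless, and `verify_pair` turns a half-failed renewal on the web server into a non-zero exit (and cron mail) instead of a broken listener.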
