Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of ApacheGetsslNeuesCert

Timestamp:: Aug 1, 2020, 4:57:39 PM (5 years ago)
Author:: Johannes Lode
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ApacheGetsslNeuesCert

                       v1
+= getssl einrichten
+**Achtung:** DNS-Einrichtung muss schon funktionieren, damit `getssl` funktioniert.
+ a. für einen Web-Host mit eigenem SSL-Cert:
+. in das Verzeichnis `~root/.getssl` wechseln
+. Host-/Domain-Verzeichnis anlegen: `mkdir twiki.mtronig.de`
+. Konfigurationsdatei `twiki.mtronig.de/getssl.cfg` erstellen:
+{{{
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+# The staging server is best for testing
+#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v02.api.letsencrypt.org"
+#PRIVATE_KEY_ALG="rsa"
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+# Note: this is Additional domains - so should not include the primary domain.
+#SANS="trac.mtronig.de"
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
+# An ssh key will be needed to provide you with access to the remote server.
+# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
+# If left blank, the username on the local server will be used to authenticate against the remote server.
+# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
+# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
+# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
+#ACL=('/var/www/twiki.mtronig.de/web/.well-known/acme-challenge'
+#     'ssh:server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
+#     'ssh:sshuserid@server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
+#     'ftp:ftpuserid:ftppassword:usvn.vpn21.net:/web/.well-known/acme-challenge')
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+#USE_SINGLE_ACL="false"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/server.crt"
+DOMAIN_KEY_LOCATION="/var/www/twiki.mtronig.de/ssl/server.key_decrypted"
+CA_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/ca-bundle.pem"
+#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+#DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+#RELOAD_CMD=""
+# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
+# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
+# will be checked for certificate expiry and also will be checked after
+# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
+#SERVER_TYPE="https"
+#CHECK_REMOTE="true"
+}}}
+. `getssl` Konfiguration testen: `getssl twiki.mtronig.de`; \\ ggf. den Test forcieren: `getssl -f twiki.mtronig.de` \\
+   Das Ergebnis soll so aussehen:
+{{{
+# getssl -f twiki.mtronig.de
+Registering account
+Verify each domain
+Verifying twiki.mtronig.de
+twiki.mtronig.de is already validated
+Verification completed, obtaining certificate.
+Requesting Finalize Link
+Requesting Order Link
+Requesting certificate
+Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
+Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
+copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
+copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
+copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
+reloading SSL services
+ * Gracefully restarting apache2 ...                               [ ok ]
+twiki.mtronig.de - certificate installed OK on server
+certificate obtained for twiki.mtronig.de
+# _
+}}}
+. "staging"-Konfiguration auf volle Konfiguration umstellen, indem die Zeile `CA="https://acme-staging-v02.api..."` deaktiviert wird (darf schon inaktiv sein, weil die globale Konfiguration für getssl diese CA vorgibt) und stattdessen die Zeile `CA="https://acme-v02.api.letsencrypt.org"` aktiviert wird.
+. Produktiv-Zertifikat holen: \\ `getssl twiki.mtronig.de` \\ Das Ergebnis soll etwa so aussehen:
+{{{
+# getssl twiki.mtronig.de
+Registering account
+Verify each domain
+Verifying twiki.mtronig.de
+copying challenge token to /var/www/letsencrypt/Yfh65tFtentC8QnrHM3eSH3WFfOmmcVTNlJk3XGYaRk
+sending request to ACME server saying we're ready for challenge
+checking if challenge is complete
+Pending
+checking if challenge is complete
+Verified twiki.mtronig.de
+Verification completed, obtaining certificate.
+Requesting Finalize Link
+Requesting Order Link
+Requesting certificate
+Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
+Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
+copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
+copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
+copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
+reloading SSL services
+ * Gracefully restarting apache2 ...                                [ ok ]
+twiki.mtronig.de - certificate installed OK on server
+certificate obtained for twiki.mtronig.de
+# _
+}}}
+. //fertig - freu! //