Difference between revisions of "SBN - Copying Certs"

From The TinkerNet Wiki
Latest revision as of 11:38, 16 August 2021

To copy certs for a machine from your proxy server (replace Machine.Domain.TLD with the proper name for your machine; and, of course, user and WebServer may need adjusting...):

In this example,

  • Machine.Domain.TLD is the full name of the machine you're copying the certs to.
  • WebServer is the name of your web/proxy server.


  1. Install certbot on the machine you're putting the certs onto & create the live directory where the certs will live. (Unverified note: you might not actually need to install certbot on the proxied machine. You CAN just create the /etc/letsencrypt directory, then the live directory. You can ALSO make that directory writeable by a normal user, which allows for using scp to insert the certs directly.)
    • ssh Machine
    • sudo mkdir /etc/letsencrypt
    • sudo mkdir /etc/letsencrypt/live
    • sudo chmod ugo+wX /etc/letsencrypt/live
  2. Sign into your proxy server & make sure you can SSH into the target machine from there.
    • ssh webserver
      • ssh Machine
      • then exit when you've succeeded (this tells webserver how to get there...)
  3. Then you can use scp to copy the certs. Either copy them into the user's home directory on the target (and move them into place in step 4), or, if you made the live directory writeable in step 1, copy them straight into place and skip the move:
    • sudo scp -r /etc/letsencrypt/live/Machine.Domain.TLD user@Machine:~
    • sudo scp -r /etc/letsencrypt/live/Machine.Domain.TLD user@Machine:/etc/letsencrypt/live
  4. Then ssh back into the target machine & move the certs into their proper location (only needed if you copied them to the home directory):
    • sudo mv Machine.Domain.TLD /etc/letsencrypt/live/
  5. And tell Apache about the certs:
    • sudo vi /etc/apache2/sites-available/default-ssl.conf

SSLCertificateFile /etc/letsencrypt/live/Machine.Domain.TLD/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/Machine.Domain.TLD/privkey.pem

replaces:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Restart Apache:

  • sudo systemctl restart apache2
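Steps 3 to 5 as one script, an added example that is not from this wiki or its author: it pushes the cert directory from the proxy server to the target, tightens the key's permissions, confirms that privkey.pem and fullchain.pem belong together and are not expired, and only then restarts Apache. It assumes the target's live directory already exists (step 1) and that ssh from the proxy works (step 2); Machine.Domain.TLD, Machine and user are placeholders.

```shell
#!/bin/sh
# Added example, not from the TinkerNet wiki or its author. Run on the proxy
# server ("WebServer") to push one cert directory to a backend machine as in
# steps 3-5 above, plus the checks the page leaves implicit. Hostnames and
# the user are placeholders; the target's live dir must exist (step 1).
set -eu

LIVE_DIR=/etc/letsencrypt/live

# Accept only a plain hostname so "$LIVE_DIR/$name" cannot escape the live dir.
valid_cert_name() {
    case "$1" in
        ''|*/*|*..*|-*) return 1 ;;
    esac
}

# The two directives that replace the snakeoil pair in default-ssl.conf.
apache_ssl_directives() {
    printf 'SSLCertificateFile %s/%s/fullchain.pem\n' "$LIVE_DIR" "$1"
    printf 'SSLCertificateKeyFile %s/%s/privkey.pem\n' "$LIVE_DIR" "$1"
}

# Copy, then on the target fix ownership, lock down the key, verify that the
# key matches the chain and is not expired, and only then restart Apache.
# scp -r follows the symlinks in live/, so real files land on the target.
copy_certs() {
    name=$1; target=$2; user=${3:-$(id -un)}
    valid_cert_name "$name" || { echo "bad cert name: $name" >&2; return 1; }
    sudo scp -r "$LIVE_DIR/$name" "$user@$target:$LIVE_DIR/"
    ssh "$user@$target" sh -s "$name" "$LIVE_DIR" <<'EOF'
dir=$2/$1
sudo chown -R root:root "$dir"
sudo chmod 755 "$dir" && sudo chmod 644 "$dir"/*.pem
sudo chmod 600 "$dir/privkey.pem"   # Apache reads the key as root at startup
k=$(sudo openssl pkey -in "$dir/privkey.pem" -pubout -outform DER | sha256sum)
c=$(openssl x509 -in "$dir/fullchain.pem" -pubkey -noout \
    | openssl pkey -pubin -outform DER | sha256sum)
[ "$k" = "$c" ] || { echo "privkey.pem does not match fullchain.pem" >&2; exit 1; }
openssl x509 -in "$dir/fullchain.pem" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; exit 1; }
sudo apache2ctl configtest && sudo systemctl restart apache2
EOF
}

# Usage: sh copy_certs.sh copy Machine.Domain.TLD Machine user
if [ "${1:-}" = "copy" ]; then
    copy_certs "$2" "$3" "${4:-}"
fi
```

The remote part runs as the ssh user and uses sudo, exactly like the page's own commands; apache2ctl configtest catches a typo in default-ssl.conf before the restart takes the site down.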