Difference between revisions of "SBN - Copying Certs"
Jump to navigation
Jump to search
Line 10: | Line 10: | ||
#<s>Install certbot on the machine you're putting the certs onto & create the <code>live</code> directory where the certs will live. (Unverified Note: You might not actually need to install certbot on the proxied machine.</s> You '''CAN''' just create the /etc/letsencrypt directory, then the live directory... (You can ALSO make that directory writeable by a normal user which allows for using SCP to insert the certs directly.) | #<s>Install certbot on the machine you're putting the certs onto & create the <code>live</code> directory where the certs will live. (Unverified Note: You might not actually need to install certbot on the proxied machine.</s> You '''CAN''' just create the /etc/letsencrypt directory, then the live directory... (You can ALSO make that directory writeable by a normal user which allows for using SCP to insert the certs directly.) | ||
#*<code>ssh Machine</code> | #*<code>ssh Machine</code> | ||
− | #*<code>sudo | + | #*<code>sudo mkdir /etc/letsencrypt</code> |
#*<code>sudo mkdir /etc/letsencrypt/live</code> | #*<code>sudo mkdir /etc/letsencrypt/live</code> | ||
+ | #*<code>sudo chmod ugo+wX /etc/letsencrypt/live</code> | ||
#Sign into your proxy server & make sure you can SSH into the target machine from there. | #Sign into your proxy server & make sure you can SSH into the target machine from there. | ||
#*<code>ssh webserver</code> | #*<code>ssh webserver</code> |
Latest revision as of 11:38, 16 August 2021
To copy certs for a machine from your proxy server (Replace Machine.Domain.TLD with the proper name for your machine...) (&, of course, user & WebServer may need adjusting...)
In this example,
- Machine.Domain.TLD is the full name of the machine you're copying the certs to.
- WebServer is the name of your web/proxy server
Install certbot on the machine you're putting the certs onto & create theYou CAN just create the /etc/letsencrypt directory, then the live directory... (You can ALSO make that directory writeable by a normal user which allows for using SCP to insert the certs directly.)live
directory where the certs will live. (Unverified Note: You might not actually need to install certbot on the proxied machine.ssh Machine
sudo mkdir /etc/letsencrypt
sudo mkdir /etc/letsencrypt/live
sudo chmod ugo+wX /etc/letsencrypt/live
- Sign into your proxy server & make sure you can SSH into the target machine from there.
ssh webserver
ssh Machine
- then exit when you've succeeded (this tells webserver how to get there...)
- Then you can use scp to copy the certs.
sudo scp -r /etc/letsencrypt/live/Machine.Domain.TLD user@Machine:~sudo scp -r /etc/letsencrypt/live/Machine.Domain.TLD user@Machine:/etc/letsencrypt/live
- Then ssh back into the target machine
& move the certs into their proper locationsudo mv Machine.Domain.TLD /etc/letsencrypt/live/
- And tell Apache about the certs
sudo vi /etc/apache2/sites-available/default-ssl.conf
SSLCertificateFile /etc/letsencrypt/live/Machine.Domain.TLD
/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/Machine.Domain.TLD
/privkey.pem
replaces:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Restart Apache:
sudo systemctl restart apache2