Difference between revisions of "NetMan - SSL Certs"
Line 60: | Line 60: | ||
*<code>sudo certbot certonly --standalone --dry-run</code> | *<code>sudo certbot certonly --standalone --dry-run</code> | ||
− | I've built a VM named [[ | + | I've built a VM named [[CertGetter]] |
*Basic, minimal Linux machine with certbot installed. | *Basic, minimal Linux machine with certbot installed. |
Revision as of 14:08, 20 June 2020
On an Apache based server
From /usr/share/doc/apache2/README.Debian.gz
Enabling SSL
To enable SSL, type (as user root):
sudo a2ensite default-ssl
sudo a2enmod ssl
If you want to use self-signed certificates, you should install the ssl-cert package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
sudo systemctl restart apache2
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
Creating self-signed certificates
If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. after you have changed '/etc/hosts' or DNS to give the correct hostname) as user root with:
make-ssl-cert generate-default-snakeoil --force-overwrite
To create more certificates with different host names, you can use
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt
This will ask you for the hostname and place both SSL key and certificate in the file '/path/to/cert-file.crt'. Use this file with the SSLCertificateFile directive in the Apache config (you don't need the SSLCertificateKeyFile in this case as it also contains the key). The file '/path/to/cert-file.crt' should only be readable by root. A good directory to use for the additional certificates/keys is '/etc/ssl/private'.
Getting proper certificates onto the machine
This requires that the server have a legit FQDN that works.
But, it's pretty straightforward.
(if ya wanna get fancier... There's a Documentation Page.)
A trick or two...
- Add certification for the root of the domain (i.e.: no "www.")
  sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
- Create certificates for other machines on the network
  - Still working on this one...scroll a little bit further...
SSL for the rest of the network
Getting the certs for a manual install
Don't forget to do all your testing with --dry-run on the command line... :)
To use these instructions, you'll need to temporarily make a machine appear as your webserver to the outside world.
sudo apt-get install certbot
- Configure the name you want to give the machine in your outside DNS
  - Confirm DNS is updated (might take a little while...)
    systemd-resolve foo.bar.net
  - Might have to do this from outside the local network...
- Temporarily reconfigure your router to make the machine look, to the outside world, like it's your webserver on port 80.
  - Turn off any port forward currently set for port 80
  - Create a port forward for port 80 that points to the IP of the machine you're working on
sudo certbot certonly --standalone --dry-run
I've built a VM named CertGetter
- Basic, minimal Linux machine with certbot installed.
- It can easily be assigned port 80 on the firewall
- Used to download certs for any particular machine on the network
- Then simply copy (following the procedures for the OS involved) the cert to the machine in need.
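A check to run on the downloaded pair before copying it, as an added example that is not part of the original page: it confirms that the private key belongs to the certificate, that the certificate is not about to expire, and that the key file has no group or world permission bits. The function name check_pair and the 7-day default are assumptions; it needs the openssl CLI and a stat that accepts -L -c (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check a certbot
# cert/key pair before copying it to another machine.
# Usage: sh check_pair.sh fullchain.pem privkey.pem [min_days]
# check_pair and the 7-day default are hypothetical names/values.

check_pair() {
    cert=$1; key=$2; min_days=${3:-7}; rc=0

    # 1. The certificate's public key must equal the one derived from the key.
    #    With fullchain.pem, openssl reads the first (leaf) certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: could not parse $cert or $key"; return 1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # 2. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    # 3. No group/other permission bits on the key. -L follows a symlink
    #    (certbot's live/ entries point at numbered files in archive/).
    mode=$(stat -L -c %a "$key")
    case $mode in
        *00|0) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or stricter"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: pair matches, valid > $min_days days, key mode $mode"
    return "$rc"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    check_pair "$@"
    exit $?
fi
```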
Installing manual certs on an ESXi server
PIKEDOM.COM has some very good instructions.
Something to know if you got your certs from certbot:
- The file you're replacing rui.crt with is either cert.pem or fullchain.pem (depending on whether you've set up with one or more than one domain in your certs).
- The file you're replacing rui.key with is privkey.pem.
- Both of the files from certbot may have a number attached to the end of the filename itself.
So...
SSH into the server...
cd /etc/vmware/ssl
mv rui.crt orig.rui.crt
mv rui.key orig.rui.key
vi rui.crt
- Paste in the content of fullchain.pem
vi rui.key
- Paste in the content of privkey.pem
reboot