Difference between revisions of "CertGetter"
Jump to navigation
Jump to search
(Created page with "Proper SSL certificates can only be assigned to machines with Internet accessible FQDNs (Fully Qualified Domain Names). On an internal network, this causes all sorts of annoy...") |
(→Usage) |
||
Line 7: | Line 7: | ||
[https://certbot.eff.org/docs/ Certbot Documentation] | [https://certbot.eff.org/docs/ Certbot Documentation] | ||
− | = Setting Up = | + | =Setting Up= |
− | |||
− | |||
− | |||
− | = Usage = | + | *Create a [[SBN - Baseline Server Notes|Baseline Server]] |
− | * [[CertGetter - Assign port 80|Assign port 80]] to this machine on your firewall | + | *Install certbot |
− | * [[CertGetter - Assign DNS|Assign DNS]] for the name of the machine you're obtaining certs for | + | **<code>sudo apt-get install certbot</code> |
− | * Wait for the DNS entry to propagate | + | |
− | * Run certbot | + | =Usage= |
− | ** <code>sudo certbot certonly --standalone --dry-run</code> | + | |
− | *** (Always test first with <code>--dry-run</code>) | + | *[[CertGetter - Assign port 80|Assign port 80]] to this machine on your firewall |
− | *** Then run it again if all is ok but without <code>--dry-run</code> | + | *[[CertGetter - Assign DNS|Assign DNS]] for the name of the machine you're obtaining certs for |
− | * You will find the resulting certs in <code>/etc/letsencrypt/live/</code> in a subfolder matching the machine name you gave certbot. | + | *Wait for the DNS entry to propagate |
− | * '''fullchain.pem''' is the certificate | + | **You can repeatedly try <code>systemd-resolve ''machinename.yourdomain.net''</code> until it shows your outside address... |
− | * '''privkey.pem''' is the key | + | **(Tho, you ''might'' need to do this from outside your local network.) |
− | * Then simply copy '''fullchain.pem''' & '''privkey.pem''' (following the [[CertGetter - procedures for the OS involved|procedures for the OS involved]]) the cert to the machine in need. | + | *Run certbot |
− | * It is a good idea to [[CertGetter - Assign port 80|disconnect port 80]] from this machine when not in use. (especially if you have an actual webserver... | + | **<code>sudo certbot certonly --standalone --dry-run</code> |
+ | ***(Always test first with <code>--dry-run</code>) | ||
+ | ***Then run it again if all is ok but without <code>--dry-run</code> | ||
+ | *You will find the resulting certs in <code>/etc/letsencrypt/live/</code> in a subfolder matching the machine name you gave certbot. | ||
+ | *'''fullchain.pem''' is the certificate | ||
+ | *'''privkey.pem''' is the key | ||
+ | *Then simply copy '''fullchain.pem''' & '''privkey.pem''' (following the [[CertGetter - procedures for the OS involved|procedures for the OS involved]]) the cert to the machine in need. | ||
+ | *It is a good idea to [[CertGetter - Assign port 80|disconnect port 80]] from this machine when not in use. (especially if you have an actual webserver... |
Revision as of 15:53, 20 June 2020
Proper SSL certificates can only be assigned to machines with Internet accessible FQDNs (Fully Qualified Domain Names). On an internal network, this causes all sorts of annoying problems since modern browsers actively oppose insecure connections (& even a self-signed certificate is considered insecure.)
If your internal network is set up to use your actual domain, This is a way to get certs for machines that are not accessible from the outside world.
These certs will expire & cannot be renewed automatically, but can be renewed using this same basic procedure. (simply running it again) You can also renew all of the certs this machine has obtained with sudo certbot renew
Setting Up
- Create a Baseline Server
- Install certbot
sudo apt-get install certbot
Usage
- Assign port 80 to this machine on your firewall
- Assign DNS for the name of the machine you're obtaining certs for
- Wait for the DNS entry to propagate
- You can repeatedly try
systemd-resolve machinename.yourdomain.net
until it shows your outside address... - (Tho, you might need to do this from outside your local network.)
- You can repeatedly try
- Run certbot
sudo certbot certonly --standalone --dry-run
- (Always test first with
--dry-run
) - Then run it again if all is ok but without
--dry-run
- (Always test first with
- You will find the resulting certs in
/etc/letsencrypt/live/
in a subfolder matching the machine name you gave certbot. - fullchain.pem is the certificate
- privkey.pem is the key
- Then simply copy fullchain.pem & privkey.pem (following the procedures for the OS involved) the cert to the machine in need.
- It is a good idea to disconnect port 80 from this machine when not in use. (especially if you have an actual webserver...