§2024-06-05
- using Certbot
- Install certbot
1.01. Install snapd
$ sudo apt update && sudo apt install snapd
1.02. Install certbot
$ sudo snap install --classic certbot
1.03. prepare certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ certbot --version
certbot 2.10.0
$ certbot --help
...
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-name or --cert-path)
delete Delete a certificate (supply --cert-name)
reconfigure Update a certificate's configuration (supply --cert-name)
1.04. certbot delete --cert-name munetaka.me
alexlai@pi3HAProxy:~$ certbot delete --cert-name munetaka.me
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-k5kek0lr/log or re-run Certbot with -v for more details.
alexlai@pi3HAProxy:~$ sudo certbot delete --cert-name munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:
* munetaka.me
WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.
Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
No certificate found with name munetaka.me (expected /etc/letsencrypt/renewal/munetaka.me.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
alexlai@pi3HAProxy:~$ sudo ls /var/log/letsencrypt/
letsencrypt.log letsencrypt.log.1
alexlai@pi3HAProxy:~$ sudo tail /var/log/letsencrypt/letsencrypt.log
File "/snap/certbot/3698/lib/python3.8/site-packages/certbot/_internal/main.py", line 1327, in delete
cert_manager.delete(config)
File "/snap/certbot/3698/lib/python3.8/site-packages/certbot/_internal/cert_manager.py", line 115, in delete
storage.delete_files(config, certname)
File "/snap/certbot/3698/lib/python3.8/site-packages/certbot/_internal/storage.py", line 361, in delete_files
renewal_filename = renewal_file_for_certname(config, certname)
File "/snap/certbot/3698/lib/python3.8/site-packages/certbot/_internal/storage.py", line 70, in renewal_file_for_certname
raise errors.CertStorageError(
certbot.errors.CertStorageError: No certificate found with name munetaka.me (expected /etc/letsencrypt/renewal/munetaka.me.conf).
2024-06-05 04:31:17,673:ERROR:certbot._internal.log:No certificate found with name munetaka.me (expected /etc/letsencrypt/renewal/munetaka.me.conf).
alexlai@pi3HAProxy:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): alexlai@munetaka.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): munetaka.me
Requesting a certificate for munetaka.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel: R
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/munetaka.me/fullchain.pem
Key is saved at: /etc/letsencrypt/live/munetaka.me/privkey.pem
This certificate expires on 2024-09-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On munetaka.me (the nginx host) the certificate is specifically for nginx: revoke and delete it there, reissue it, and restart.
[root@pi2NginxMuNeTaka letsencrypt]# sudo certbot revoke --cert-name munetaka.me --reason keycompromise <-- remove old munetaka.me
[root@pi2NginxMuNeTaka letsencrypt]# certbot delete --cert-name munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:
* munetaka.me
WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.
Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Deleted all files relating to certificate munetaka.me.
[root@pi2NginxMuNeTaka letsencrypt]# rm -rf /etc/letsencrypt/live/*
[root@pi2NginxMuNeTaka letsencrypt]# certbot certonly --standalone -d munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for munetaka.me
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/munetaka.me/fullchain.pem
Key is saved at: /etc/letsencrypt/live/munetaka.me/privkey.pem
This certificate expires on 2024-09-02.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lrwxrwxrwx 1 root root 35 Jun 4 13:39 cert.pem -> ../../archive/munetaka.me/cert1.pem
lrwxrwxrwx 1 root root 36 Jun 4 13:39 chain.pem -> ../../archive/munetaka.me/chain1.pem
lrwxrwxrwx 1 root root 40 Jun 4 13:39 fullchain.pem -> ../../archive/munetaka.me/fullchain1.pem
lrwxrwxrwx 1 root root 38 Jun 4 13:39 privkey.pem -> ../../archive/munetaka.me/privkey1.pem
-rw-r--r-- 1 root root 692 Jun 4 13:39 README
[root@pi2NginxMuNeTaka letsencrypt]# ls -l /etc/letsencrypt/archive/munetaka.me
total 16
-rw-r--r-- 1 root root 1480 Jun 4 13:39 cert1.pem
-rw-r--r-- 1 root root 1826 Jun 4 13:39 chain1.pem
-rw-r--r-- 1 root root 3306 Jun 4 13:39 fullchain1.pem
-rw------- 1 root root 241 Jun 4 13:39 privkey1.pem
2.0. enable https://munetaka.me:443 --> https://munetaka.me:8088 (HAProxy terminates TLS on 443 and forwards to nginx on 8088)
2.01. backup /etc/haproxy/haproxy.cfg
root@pi3HAProxy:/etc/nginx/sites-enabled# cp -v /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.http
'/etc/haproxy/haproxy.cfg' -> '/etc/haproxy/haproxy.cfg.http'
2.02. For HAProxy you have to combine the certificate chain and the private key into one PEM file (haproxy.pem); because it now contains the private key, restrict it to mode 600.
root@pi3HAProxy:/etc/nginx/sites-enabled# sudo cat /etc/letsencrypt/live/munetaka.me/fullchain.pem /etc/letsencrypt/live/munetaka.me/privkey.pem > /etc/letsencrypt/live/munetaka.me/haproxy.pem
root@pi3HAProxy:/etc/nginx/sites-enabled# sudo chmod 600 /etc/letsencrypt/live/munetaka.me/haproxy.pem
root@pi3HAProxy:/etc/nginx/sites-enabled# ls -l /etc/letsencrypt/live/munetaka.me/
total 8
-rw-r--r-- 1 root root 692 Jun 5 04:40 README
lrwxrwxrwx 1 root root 35 Jun 5 04:40 cert.pem -> ../../archive/munetaka.me/cert1.pem
lrwxrwxrwx 1 root root 36 Jun 5 04:40 chain.pem -> ../../archive/munetaka.me/chain1.pem
lrwxrwxrwx 1 root root 40 Jun 5 04:40 fullchain.pem -> ../../archive/munetaka.me/fullchain1.pem
-rw------- 1 root root 3547 Jun 5 04:55 haproxy.pem
lrwxrwxrwx 1 root root 38 Jun 5 04:40 privkey.pem -> ../../archive/munetaka.me/privkey1.pem
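An added example (my script, not from these notes): a small POSIX shell helper that builds haproxy.pem the way step 2.02 does, but creates the file with mode 0600 from the start instead of chmod'ing it afterwards, and reports when the copy has gone stale, since haproxy.pem is a plain file while fullchain.pem and privkey.pem are symlinks that certbot repoints on renewal. Function names and the constructed PEM-shaped inputs are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: build HAProxy's combined PEM safely
# and detect when it has gone stale. Function names and demo inputs are mine.

# 0 if haproxy.pem already equals fullchain.pem + privkey.pem, 1 otherwise.
# haproxy.pem is a plain file: certbot repoints the live/ symlinks on renewal
# but never touches it, so this is the check to run after each renewal.
haproxy_pem_current() {
    live="$1"; out="${2:-$live/haproxy.pem}"
    [ -r "$out" ] || return 1
    [ "$(cat "$live/fullchain.pem" "$live/privkey.pem")" = "$(cat "$out")" ]
}

# Write fullchain.pem + privkey.pem to haproxy.pem. The file is created under
# umask 077 and renamed into place, so the private key is never momentarily
# world-readable as it is with "cat > file; chmod 600 file" under umask 022.
combine_haproxy_pem() {
    live="$1"; out="${2:-$live/haproxy.pem}"
    chain="$live/fullchain.pem"; key="$live/privkey.pem"
    [ -r "$chain" ] || { echo "missing $chain" >&2; return 1; }
    [ -r "$key" ]   || { echo "missing $key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "$chain: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"         || { echo "$key: no private key" >&2; return 1; }
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$chain" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out" && chmod 600 "$out"
}

# Stand-alone demo on constructed PEM-shaped files (not real key material).
demo_combine() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nConstructedCert1\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nConstructedKey\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    combine_haproxy_pem "$d" && haproxy_pem_current "$d" && echo "haproxy.pem built, mode $(ls -l "$d/haproxy.pem" | cut -c1-10)"
    # simulate a renewal: fullchain.pem changes, haproxy.pem does not
    printf -- '-----BEGIN CERTIFICATE-----\nConstructedCert2\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    haproxy_pem_current "$d" || echo "haproxy.pem is stale; rerun combine_haproxy_pem and reload haproxy"
    rm -rf "$d"
}

demo_combine
```

Run it after every renewal (or from a certbot deploy hook) so HAProxy never keeps serving the old chain with a stale key file.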
2.03. edit /etc/haproxy/haproxy.cfg as:
global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_80_front
        # first attempt, left for reference: HAProxy wants chain and key in one file (see 2.02)
        # bind *:443 ssl crt /etc/letsencrypt/live/munetaka.me/fullchain.pem key /etc/letsencrypt/live/munetaka.me/privkey.pem
        # TLS is terminated here with the combined chain+key PEM built in 2.02
        bind *:443 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
        default_backend http_8088_back

backend http_8088_back
        # re-encrypt to nginx on loopback; "verify none" skips checking the backend
        # certificate, acceptable only because the backend is 127.0.0.1 on this host
        server nginx_server 127.0.0.1:8088 ssl verify none
2.04. check and restart haproxy
root@pi3HAProxy:/etc/nginx/sites-enabled# haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl restart haproxy
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl status haproxy
3.0. make http://munetaka.me:8088 run as https://munetaka.me:8088
3.01. backup /etc/nginx/sites-available/upstream-8088
# cp -v /etc/nginx/sites-available/upstream-8088 /etc/nginx/sites-available/upstream-8088.http
'/etc/nginx/sites-available/upstream-8088' -> '/etc/nginx/sites-available/upstream-8088.http'
3.02. edit /etc/nginx/sites-available/upstream-8088 as:
server {
    listen 8088 ssl;
    server_name localhost;

    # same Let's Encrypt certificate that HAProxy presents on :443
    ssl_certificate     /etc/letsencrypt/live/munetaka.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/munetaka.me/privkey.pem;

    location / {
        root  /usr/share/nginx/html/;
        index index.html;
    }
}
3.03. check
root@pi3HAProxy:/etc/nginx/sites-enabled# nano /etc/nginx/sites-available/upstream-8088
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl restart nginx
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl status nginx
3.04. check with https://munetaka.me and https://munetaka.me:8088
Done.