dehydrated is the best solution for paranoid admins and for those who do not want stupid tool chains on their servers: it is thin, light and simple to use!
dehydrated is a client program to obtain valid certificates from a certificate authority on the internet, for your web server and also for other services; it is the supposed "lock on the address bar", as the ignorant call it, as shown in the following screen:
The certificate will also be used by other services, such as XMPP, IMAP, HTTPS, etc., since one certificate can cover several domains (multidomain). The catch with "dehydrated" is that each machine that runs a service must run its own instance of "dehydrated", unless you use complicated "hooks".
http-01 vs dns-01: with `http-01`, each machine running a service with a certificate file must execute its own instance of dehydrated, unless you use `dns-01` together with complicated `hooks`. `dns-01` validates by checking special records in your own DNS; `http-01` is the simpler and fastest to implement. Both require having control either of the web service or of the DNS service on the machine where the program is executed.
Requirements:
- one dehydrated instance per machine that will handle a certificate file for its respective service
- a valid domain; in this guide we will use: venenuxdom.com
- valid subdomains, if applicable: www.venenuxdom.com, imap.venenuxdom.com, smtp.venenuxdom.com
- a valid DNS zone, live for at least 12 hours, with records for venenuxdom.com
These requirements mean that the machine where venenuxdom.com is hosted is the same one that hosts the other subdomains; if a subdomain is not hosted or owned by that machine, it must not be included. For example, with these addresses:
otro.venenuxdom.com   on machine ip 192.1.1.40 -> does not apply
www.venenuxdom.com    on machine ip 192.1.1.50 -> applies and valid
venenuxdom.com        on machine ip 192.1.1.50 -> where dehydrated will run!
imap.venenuxdom.com   on machine ip 192.1.1.50 -> applies and valid
Installation of programs
We will install a package which, because it has fixed and clean dependencies, works on all Debian releases to date; it is a real program in the sense that it has no exotic or version-specific dependencies:
apt-get install openssl curl wget bash
wget http://http.us.debian.org/debian/pool/main/d/dehydrated/dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb
dpkg -i dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb
This package is from the buster release, but don't worry: it only depends on bash, openssl and curl, so it will run on any older or newer Debian release, and on Devuan too.
Configuration of main files
The configuration needs parameters for the account identification and the domains for which the certificate is created on this machine (since the machine where dehydrated runs is the one that needs the certificate).
cat > /etc/dehydrated/domains.txt << EOF
venenuxdom.com mail.venenuxdom.com smtp.venenuxdom.com imap.venenuxdom.com www.venenuxdom.com mx.venenuxdom.com
EOF
cat > /etc/dehydrated/conf.d/00_defaultaccount.sh << EOF
WELLKNOWN="/var/lib/dehydrated/acme-challenges/"
CONTACT_EMAIL="root@venenuxdom.com"
EOF
mkdir /var/lib/dehydrated/certs
dehydrated --register --accept-terms --challenge http-01
Configuration by http-01 verification
The configuration will use the http-01 method, which validates over HTTP with the DNS already active and valid, so you simply need the web server for the certificate's domain to be running and dehydrated to be on the same machine as the web server.
IMPORTANT NOTE: the following commands can be executed whether apache or lighttpd is installed or not, but at least one of them must be installed. Take into consideration that for apache 2.2 the directory is "conf.d" while for 2.4 it is "conf-available":
cat > /etc/lighttpd/conf-available/15-dehydrated.conf << EOF
alias.url += (
"/.well-known/acme-challenge/" => "/var/lib/dehydrated/acme-challenges/",
)
EOF
lighty-enable-mod dehydrated
/usr/sbin/service lighttpd restart
cat > /etc/apache2/conf-available/dehydrated.conf << EOF
Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges/
<Directory /var/lib/dehydrated/acme-challenges/>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
EOF
a2enconf dehydrated
/usr/sbin/service apache2 restart
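Before running dehydrated it is worth confirming that every name in domains.txt really is served from this machine, as the requirements table above demands; a name that points elsewhere (otro.venenuxdom.com in the example) makes the whole multi-name order fail. The following preflight script is an added example, not part of the original guide or of the dehydrated project; it assumes the WELLKNOWN path and domains.txt location configured above and that curl is installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: preflight check for the http-01
# setup above. It drops a random token into WELLKNOWN and fetches it over plain
# HTTP through every name in domains.txt, so a name that resolves to another
# machine is caught before Let's Encrypt is asked to validate it.
WELLKNOWN="${WELLKNOWN:-/var/lib/dehydrated/acme-challenges}"
DOMAINS_TXT="${DOMAINS_TXT:-/etc/dehydrated/domains.txt}"

# list_domains FILE: print every hostname, one per line. Names on one line share
# a certificate; "# comments", blank lines and "> alias" suffixes are dropped.
list_domains() {
  sed -e 's/#.*//' -e 's/>.*//' "$1" | tr -s ' \t' '\n\n' | sed -e '/^$/d'
}

# check_domain NAME: write a token, fetch it via http://NAME/.well-known/..., compare.
# Returns 0 when this machine answered for NAME, 1 otherwise.
check_domain() {
  token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s\n' "$token" > "${WELLKNOWN}/${token}" || return 1
  got=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/${token}" 2>/dev/null)
  rm -f "${WELLKNOWN}/${token}"
  [ "$got" = "$token" ]
}

# check_all: one verdict per name; non-zero exit if any name is not served from here.
check_all() {
  rc=0
  for name in $(list_domains "$DOMAINS_TXT"); do
    if check_domain "$name"; then
      echo "OK      $name"
    else
      echo "FAILED  $name: not served by this machine, fix DNS or remove it from domains.txt"
      rc=1
    fi
  done
  return $rc
}

# Only act when invoked as "preflight.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then check_all; fi
```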
Exec: Obtaining the cert files
Once everything is configured we need to execute dehydrated, and the cert files will be at /var/lib/dehydrated/certs/ with one directory per certificate, as listed in the domains.txt file.
IMPORTANT NOTE: here we need an additional step, a "combined" extra cert file, which services like courier or lighttpd will need.
dehydrated --cron --challenge http-01
cat /var/lib/dehydrated/certs/venenuxdom.com/cert.pem /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem > /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem
ln -sf privcert-lasted.pem /var/lib/dehydrated/certs/venenuxdom.com/privcert.pem
chown daemon:www-data /var/lib/dehydrated/certs/venenuxdom.com/*.pem
chmod 640 /var/lib/dehydrated/certs/venenuxdom.com/*.pem
cp /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem /etc/courier/privcert.pem
chown daemon:root /etc/courier/*.pem
chmod 640 /etc/courier/*.pem
At this point we have all the "pem" files we need.
How to use the cert files:
All the involved services must be updated and restarted; of course that can be automated, for that see the section "Automation with cron and hooks" below.
lighttpd
sed -i -r 's#.*ssl.pemfile =.*#ssl.pemfile = "/var/lib/dehydrated/certs/venenuxdom.com/privcert.pem"#g' /etc/lighttpd/conf-available/10-ssl.conf
/usr/sbin/lighty-enable-mod ssl
/usr/sbin/service lighttpd restart
apache
sed -s -i -r 's|\tSSLCertificateFile.*|\tSSLCertificateFile /var/lib/dehydrated/certs/venenuxdom.com/cert.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCertificateKeyFile.*|\tSSLCertificateKeyFile /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCertificateChainFile.*|\tSSLCertificateChainFile /var/lib/dehydrated/certs/venenuxdom.com/chain.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCACertificateFile.*|\tSSLCACertificateFile /var/lib/dehydrated/certs/venenuxdom.com/fullchain.pem|g' /etc/apache2/sites-available/default-ssl
/usr/sbin/a2enmod ssl
/usr/sbin/service apache2 restart
courier
cp /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem /etc/courier/privcert.pem
chown daemon:root /etc/courier/*.pem
chmod 640 /etc/courier/*.pem
sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/esmtpd
sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/esmtpd-ssl
sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/imapd-ssl
for i in /etc/init.d/courier*; do $i restart; done
prosody
sed -i -r 's#key =.*#key = "/var/lib/dehydrated/certs/venenuxdom.com/privkey.pem";#g' /etc/prosody/conf.avail/venenuxdom.com.cfg.lua
sed -i -r 's#certificate =.*#certificate = "/var/lib/dehydrated/certs/venenuxdom.com/cert.pem";#g' /etc/prosody/conf.avail/venenuxdom.com.cfg.lua
/usr/sbin/service prosody restart
postfix
Set the following in /etc/postfix/main.cf (paths follow the certificate directory used in this guide):
smtpd_tls_cert_file = /var/lib/dehydrated/certs/venenuxdom.com/fullchain.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
systemctl restart postfix
Automation with cron and hooks
You must use cron to automate the renewal; use the monthly directory to run a check each month:
cat > /etc/cron.monthly/dehydrated << EOF
#!/bin/sh
test -x /usr/bin/dehydrated || exit 0
/usr/bin/dehydrated --cron --cleanup --challenge http-01 --accept-terms
# restart only the web servers that are actually installed on this machine
test -x /etc/init.d/lighttpd && /usr/sbin/service lighttpd restart
test -x /etc/init.d/nginx && /usr/sbin/service nginx restart
exit 0
EOF
chmod 755 /etc/cron.monthly/dehydrated
With this, each month the cert files will be checked for renewal.
The cert file renewal of all the services can be automated: dehydrated supports a hook on each step of the process, and with a trick there can be multiple hooks, using a dispatcher script and a directory of hooks:
mkdir /var/lib/dehydrated/hooks.d
cat > /var/lib/dehydrated/hooks.sh << EOF
#!/usr/bin/env bash
# Simple script which allows the use of multiple hooks
for file in /var/lib/dehydrated/hooks.d/*
do
\${file} "\$@"
done
EOF
chmod +x /var/lib/dehydrated/hooks.sh
So then all the hooks must be put into the /var/lib/dehydrated/hooks.d directory, all must have the .sh extension and all must have the exec bit set. Here is the lighttpd hook to regenerate the combined cert file (which neither Let's Encrypt nor dehydrated generate); put it into the hooks directory as /var/lib/dehydrated/hooks.d/generatecombined.sh and after writing it make it executable with chmod and 755 permission:
#!/usr/bin/env bash
deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
echo "Executing deploy_cert hook $0"
echo " + Creating privcert.pem (a combined privkey.pem + cert.pem)"
cd "$(dirname "${CERTFILE}")" && {
cat "${KEYFILE}" "${CERTFILE}" > "privcert-${TIMESTAMP}.pem" && \
ln -sf "privcert-${TIMESTAMP}.pem" "privcert.pem" && {
# Loop over all files of this type
for filename in "privcert-"*".pem"; do
# Check if current file is in use, remove if unused
if [[ ! "${filename}" = "privcert-${TIMESTAMP}.pem" ]]; then
echo " + Removing unused combined certificate file: ${filename}"
rm "${filename}"
fi
done
}
}
}
HANDLER="$1"; shift
if [[ "${HANDLER}" = "deploy_cert" ]]; then
"$HANDLER" "$@"
fi
This will create a combined pem file with both the private key and the public cert on each renewal. Remember to store it in the hooks.d directory (e.g. as lighttpd.sh) and it will be processed.
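The "how to use the cert files" and "automation" sections above say the service restarts can be automated with hooks; as an added example (not from the original guide or the dehydrated project), here is a second hooks.d script that deploys the renewed combined cert to courier and restarts only the services actually installed. It assumes HOOK=/var/lib/dehydrated/hooks.sh is set in a file under /etc/dehydrated/conf.d/ so dehydrated calls the dispatcher, that it is named to sort after generatecombined.sh (hooks.d is iterated in glob order) so privcert.pem already exists, and that the optional destination argument of install_courier_cert is a hypothetical knob added for testing.

```shell
#!/bin/sh
# Added example, not part of the original guide: /var/lib/dehydrated/hooks.d/zz-deploy.sh
# Deploys the renewed combined cert to courier and restarts the services set up
# in this guide, skipping any service that is not installed on this machine.
COURIER_DIR="/etc/courier"

# install_courier_cert CERTDIR [DESTDIR]
# Copies CERTDIR/privcert.pem (made by generatecombined.sh) to DESTDIR with the
# 0640 mode the guide uses; DESTDIR is a hypothetical override for testing.
# Ownership daemon:root is applied only when running as root.
install_courier_cert() {
  src="$1/privcert.pem"
  dest="${2:-$COURIER_DIR}/privcert.pem"
  if [ ! -r "$src" ]; then
    echo " ! missing combined cert ${src}, nothing deployed" >&2
    return 1
  fi
  install -m 0640 "$src" "$dest" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown daemon:root "$dest" || echo " ! could not chown ${dest}" >&2
  fi
  echo " + deployed ${src} to ${dest}"
}

# restart_if_present SERVICE: restart only if its init script exists; never
# abort the whole hook run because one service is absent.
restart_if_present() {
  if [ -x "/etc/init.d/$1" ]; then
    echo " + restarting $1"
    /usr/sbin/service "$1" restart
  fi
  return 0
}

# deploy_cert receives the same arguments dehydrated passes to the hook.
deploy_cert() {
  DOMAIN="$1" KEYFILE="$2" CERTFILE="$3" FULLCHAINFILE="$4" CHAINFILE="$5" TIMESTAMP="$6"
  echo "Executing deploy_cert hook $0 for ${DOMAIN} (issued ${TIMESTAMP})"
  install_courier_cert "$(dirname "${CERTFILE}")"
  for svc in lighttpd apache2 prosody postfix; do restart_if_present "$svc"; done
  for i in /etc/init.d/courier*; do [ -x "$i" ] && "$i" restart; done
  return 0
}

# dehydrated calls the hook as: hook.sh <handler> <args...>; act only on deploy_cert.
case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
esac
```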