I have some private services behind VPN(wireguard).
I generate certificate for them with certbot and dns chalange.but I have to renew them every three month.
how can I automate this?
Check if there is a DNS plugin for your DNS server. If one is not available, then you must replace the certificates manually.
If there is a plugin available, you will need to reissue your certificate to use automatic renewals.
DNS Plugins
Related
I'm using SSL configured as in https://ktor.io/docs/ssl.html but can't seem to find a way to handle when certbot renews the cert.
Is there a known/preferred way to automatically renew the cert without restarting the server?
I want to generate SSL certificate automatically on Kubernetes. My site is already up and running but it is on HTTP:// not on HTTPS:// so which is the best way to provide them and generate the SSL certificate automatically.
I am new to k8s and learning. If the first time I manually install it then also the next time if the pod gets recreated the certificate will be deleted.
So suggest me easy way to manage certificate manager on K8s
A few of options I can think of:
You can try the certificate manager with Letsencrypt certificates.
You can try an a Kubernetes Ingress with an ingress controller like nginx also with Letsencrypt and this described here.
You can try a Traefik ingress controller also with Letsencrypt.
Can I use a certificate from letsencrypt to sign local certificates?
I'm annoyed when accessing routers and APs at 192.168.x.x to get security warnings.
I could create my own root cert, and import it into all my browsers etc, and create certs for all the local servers.
But I'd rather have the chain device -> www.example.com -> letsencrypt -> root
Then also guests could use my local servers/services without this security error.
No, you can not because the certificate issued to you by letsencrypt will not have the keyusage certificate signing enabled. Without this attribute in the issuer, any browser or SSL client musth reject the certificate.
If this were possible, anyone could issue valid certificates for any server simply by having a valid certificate from a trusted CA
If you want to issue certificates for your local servers you will need to create your own CA and include the root certificate in the truststore of each client
Yes, you can... but not like that
Yes, you can get certificates for servers on a private network. The domain must be a real domain with public txt records, but the A, AAAA, and CNAME records can be private/non-routable (or in a private zone).
No, the way to do that isn't by using Let's Encrypt certificates to sign local certificates.
You can accomplish exactly what you want to accomplish using the DNS-01 challenge (setting txt records for your domain).
Who is your domain / dns provider?
Immediate, but Temporary Solution
If you want to test it out real quick, try https://greenlock.domains and choose DNS instead of HTTP for the "how do you want to do this" step.
Automatable Integration
If you want a configurable, automatable, deployable solution try greenlock.js (there are node plugins for Cloudflare, Route 53, Digital Ocean, and a few other DNS providers).
Both use Let's Encrypt under the hood. Certbot can also be used for either case and can use python plugins.
Possibly related...
P.S. You might also be interested in a service like Telebit, localtunnel, or ngrok.
I want to generate and install SSL certificate for a sub-domain.
The sub-domain is used with a different server (A record points to the IP) and it's where I want to add the certificate.
It's a shared hosting, with CPANEL, so it's easy to generate and install certificates, but I'm not sure how I should generate and install SSL with this setup, without going into the domain settings... if it's possible, any suggestions?
If not, please explain what should be done in such case..
This is Class 2 certificate as provided by letsencrypt? Only 2 requirements need be met:
DNS entry for specific address: sub.domain.xxx
... which points to a web server where you have access to the index directory.
tools like getssl https://github.com/srvrco/getssl then can obtain the certificate by putting down a key in s sub directory for validation.
If your cPanel installation is up to date you could request that cPanels AutoSSL be enabled. This would then automatically get a signed certificate approved by comodo and install it on any domains or sub domains that have it enabled on the server via the interface.
I'm trying to have https for a website which is hosted in AWS EC2. I have followed the steps mention in the following link.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But still its showing the privacy thing to all user who are visiting the website. How can make the certificate as trusted or how long it will take Amazon to make it a trusted one.
Please help me to solve this. I'm stuck with this for last 2 days. Answers will be appreciated and Thank you.
You can use AWS Certificate Manager to issue free SSL certificate signed by AWS Certificate Authority. However for this to work, you need to use a Load Balancer and attach the certificate to the Load Balancer which will forward the traffic to the EC2 instance.
Depending on your requirements you may wish to use SSL termination on an Elastic Load Balancer (ELB) instead.
This involves creating a free AWS certificate and an ELB. Attach both your instance the certificate to the ELB with HTTPS forwarded to port 80 on your instance.
Then just point your DNS name to the ELB. If you're using Route53 then you can just use an A-record alias.
Edit: If you want to automatically direct HTTP to HTTPS you'll need to check the X-Forwarded-Proto header in Apache's .htaccess file. More information here.
The certificate which you are using is a "Self Signed Certificate (https://en.wikipedia.org/wiki/Self-signed_certificate)".
In order to get rid of insecure certificate or privacy issues on HTTPS, you need to get your CSR signed from a trusted CA like Comodo, Godaddy etc.
Ref -
https://in.godaddy.com/help/apache-generate-csr-certificate-signing-request-5269
https://help.comodo.com/topic-437-1-843-10843-.html
OR
In case you want free verified SSL certificates, "letsencrypt" is the way to go.
https://letsencrypt.org/
You don't need to pay anyone for a certificate. Just use LetsEncrypt and their CertBot ACME client. The CertBot automates the task of issuing and renewing certificates.
LetsEncrypt is the leading free SSL certificate authority (CA) and their certs are as good as any paid cert.