I've several $DOMAIN in different plesk servers (all above v.11).
I've a script that renew the certificates for some of them.
I need to know how can I set, via CLI, the updated certificate to be the default one for $DOMAIN.
There is a -default flag for /usr/local/psa/bin/certificate utility, but is not valid for domain, rather for admin pool (so the plesk server itself).
So far, I go ahead and from the web interface I set the newly created certificate for each domain.
This is the script I use (after having updated the SSL certificates via certbot script):
/usr/local/psa/bin/certificate \
-c "${DOMAIN}-$(date +%Y-%m-%d)" \
-domain ${DOMAIN} \
-csr-file /etc/ssl/certbot/${DOMAIN}/${DOMAIN}.csr \
-cacert-file /etc/ssl/certbot/${DOMAIN}.ca \
-cert-file /etc/ssl/certbot/${DOMAIN}.crt \
-key-file /etc/ssl/certbot/${DOMAIN}.key
I would expect that the certificate named "${DOMAIN}-$(date +%Y-%m-%d)" is the default one for $DOMAIN.
How can I accomplish that via script, and not via web interface?
I answer to my own question.
The problem is that I was creating a new certificate, while there's no need to create one, rather update the existing certificate.
So, the script should be updated as follow:
/usr/local/psa/bin/certificate \
-u "$CERTIFICATE_NAME_IN_USE" \
-domain ${DOMAIN} \
-csr-file /etc/ssl/certbot/${DOMAIN}/${DOMAIN}.csr \
-cacert-file /etc/ssl/certbot/${DOMAIN}.ca \
-cert-file /etc/ssl/certbot/${DOMAIN}.crt \
-key-file /etc/ssl/certbot/${DOMAIN}.key
The variable of $CERTIFICATE_NAME_IN_USE can be easily get with the following command:
/usr/local/psa/bin/certificate -l -domain ${DOMAIN} | grep ${DOMAIN} | awk '$6 != "0" {print $5}'
Hope this helps to someone else.
Related
I have a private bucket that has a single zip file, a need to download it but i can't use aws cli or aws cmd. Can i do it using wget ou curl?
Yes, in theory you can make a HTTP request using the Amazon S3 REST API but for that to work you need to authenticate correctly which you can do for example with a Authentication Header which you must then pass to curl or wget.
The problem is though that you need to write code to create those valid signatures you need to provide in the Authentication Header so it might be a bit of a hassle.
I managed to do this with this script. If you call it download.sh assuming you have a bucket called my-bucket and a file in it called file.zip, and your aws key environment variables set, you should be able to download the file by calling.
./download.sh file.zip my-bucket
I adapted this from a similar script to upload a file I found here
#!/usr/bin/env bash
# Download a file from s3 without any 3rd party tools
# thanks https://www.gyanblog.com/aws/how-upload-aws-s3-curl/
file_path=$1
bucket=$2
set -eu pipefail
# about the file
filepath="/${bucket}/${file_path}"
# metadata
contentType="application/octet-stream"
dateValue=`date -R`
signature_string="GET\n\n${contentType}\n${dateValue}\n${filepath}"
#s3 keys
s3_access_key=$AWS_ACCESS_KEY_ID
s3_secret_key=$AWS_SECRET_ACCESS_KEY
#prepare signature hash to be sent in Authorization header
signature_hash=`echo -en ${signature_string} | openssl sha1 -hmac ${s3_secret_key} -binary | base64`
# actual curl command to do PUT operation on s3
curl -sSo ${file_path} \
-H "Host: ${bucket}.s3.amazonaws.com" \
-H "Date: ${dateValue}" \
-H "Content-Type: ${contentType}" \
-H "Authorization: AWS ${s3_access_key}:${signature_hash}" \
https://${bucket}.s3.amazonaws.com/${file_path}
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I am just simply trying to add the domain test.example.com to the certificate that already exists for example.com. How do I add a domain to my existing certificate and replace the old certificate?
I have tried these few commands
./letsencrypt-auto certonly --cert-path /etc/letsencrypt/archive/example.com --expand -d test.example.com
./letsencrypt-auto certonly -d example.com --expand -d test.example.com
Result: both created a brand new cert in a new folder test.example.com-0001
./letsencrypt-auto certonly --renew-by-default --expand -d test.example.com
Result: error folder test.example.com already exists.
./letsencrypt-auto renew --expand -d orange.fidka.com
Result: error, I can only renew if my certificate is expired.
You need to specify all of the names, including those already registered.
I used the following command originally to register some certificates:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--email me#example.com \
--expand -d example.com,www.example.com
... and just now I successfully used the following command to expand my registration to include a new subdomain as a SAN:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--expand -d example.com,www.example.com,click.example.com
From the documentation:
--expand "If an existing cert covers some subset of the requested names, always expand and replace it with the additional names."
Don't forget to restart the server to load the new certificates if you are running nginx.
Apache on Ubuntu, using the Apache plugin:
sudo certbot certonly --cert-name example.com -d m.example.com,www.m.example.com
The above command is vividly explained in the Certbot user guide on changing a certificate's domain names. Note that the command for changing a certificate's domain names applies to adding new domain names as well.
Edit
If running the above command gives you the error message
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
follow these instructions from the Let's Encrypt Community
This is how i registered my domain:
sudo letsencrypt --apache -d mydomain.com
Then it was possible to use the same command with additional domains and follow the instructions:
sudo letsencrypt --apache -d mydomain.com,x.mydomain.com,y.mydomain.com
You can replace the certificate by just running the certbot again with ./certbot-auto certonly
You will be prompted with this message if you try to generate a certificate for a domain that you have already covered by an existing certificate:
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>.conf)
It contains these names: <domain>
You requested these names for the new certificate: <domain>,
<the domain you want to add to the cert>.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
Just chose Expand and replace it.
I was able to setup a SSL certificated for a domain AND multiple subdomains by using using --cert-name combined with --expand options.
See official certbot-auto documentation at https://certbot.eff.org/docs/using.html
Example:
certbot-auto certonly --cert-name mydomain.com.br \
--renew-by-default -a webroot -n --expand \
--webroot-path=/usr/share/nginx/html \
-d mydomain.com.br \
-d www.mydomain.com.br \
-d aaa1.com.br \
-d aaa2.com.br \
-d aaa3.com.br
this worked for me
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d
domain.com -d www.domain.com
I am on artifactory version 4.6 and have the following requirement on the docker registry.
Allow anonymous pulls on docker repository
Force authentication on the SAME docker repository
I know this is avaliable out of the box on the later versions of artifactory. However upgrading isnt an option for us for a while.
Does the following work around work?
Create a virtual docker repository on port 8443 and don't force authentication , call it docker-virtual
Create a local docker repository and force authentication, call it docker-local on port 8444
Configure 'docker-virtual' with the default deployment directory as 'docker-local'
docker pull docker-virtual should work
docker push docker-virtual should ask for credentials
Upon failure , I should be able to docker login docker-virtual
and docker push docker-virtual/myImage
Not sure about the artifactory side, but perhaps the following Docker advice helps.
You can start run two registries, one RW with authentication, and a second RO without any authentication, in Docker:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
docker run -d -p 5001:5000 --restart=always --name registry-ro \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry:ro \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
Note the volume settings for /var/lib/registry in each container. Then to pull from the anonymous registry, you'd just need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.
The closest thing you can achieve is failing on docker push without credentials (while succeeding with pull).
No idea if this works with artifactory sorry.... you could try this handy project for docker registry auth.
Configure the registry to use this https://hub.docker.com/r/cesanta/docker_auth/
# registry config.yml
...
auth:
token:
# can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
# https://docs.docker.com/registry/recipes/nginx/
realm: "example.com:5001/auth"
service: "Docker registry"
issuer: "Docker Registry auth server"
rootcertbundle: /certs/domain.crt
And allow anonymous with the corresponding ACL
# cesanta/docker_auth auth_config.yml
...
users:
# Password is specified as a BCrypt hash. Use htpasswd -B to generate.
"admin":
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
"": {} # Allow anonymous (no "docker login") access.
ldap_auth:
# See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml
acl:
# See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
- match: {account: "/.+/"}
actions: ["*"]
comment: "Logged in users do anything."
- match: {account: ""}
actions: ["pull"]
comment: "Anonymous users can pull anything."
# Access is denied by default.
The following command leads to a series of reasonable prompts for information such as company information, contact info, etc... I'd like to be able to run it but pass that information as either parameters or a config file but I can't find out how from the docs (https://certbot.eff.org/docs/using.html#command-line-options). Any ideas?
letsencrypt certonly \
--webroot -w /letsencrypt/challenges/ \
--text --renew-by-default --agree-tos \
$domain_args \
--email=$EMAIL
Note that I am not trying to renew but to generate fresh new certificates.
Thank you
You should pass the --noninteractive flag to letsencrypt. According to the document that you linked to, that will produce an error telling you which other flags are necessary.
When using ployst/letsencrypt the initial certificate creation can be done using their internal scripts. Those scripts already pass all the right arguments to make this an automated process and not an interactive one. The documentation has the following two steps that both create the certificate and apply it as a secret.
If your environment variables are already set properly, you don't even have to pass -c 'EMAIL=.... etc.
Generate a new set of certs
Once this container is running you can generate new certificates
using:
kubectl exec -it <pod> -- bash -c 'EMAIL=fred#fred.com DOMAINS=example.com foo.example.com ./fetch_certs.sh'
Save the set of certificates as a secret
kubectl exec -it <pod> -- bash -c 'DOMAINS=example.com foo.example.com ./save_certs.sh'
I've problems adding an SSH key to my gitlab server trough the API (It works well trough the webpage).
Gitlab information:
I came across this issue (which was fixed here) which was related to an "wrong" openssh implementation. They've fixed this in milestone 7.10. Only thing... My server has openssh 6.6 installed:
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3, OpenSSL 1.0.1f 6 Jan 2014
Now, I don't know if that fix is backwards compatible or not, but maybe good to mention.
Also, the logs show no warning or errors or whatsoever. The /tmp/gitlab_key* files are generated on the server:
The problem I'm facing is that gitlab can't create the fingerprint trough the API. This is the responce I get from the API:
{
"message": {
"fingerprint": ["cannot be generated"]
}
}
So right now I have no idea what the problem could be. I've been struggling with this for almost a week now, so I really hope that his problem could be fixed.
-just for the record, here's the script I'm using to add the ssh-key trough the API
#!/bin/bash
jsonFile="jsonResponce"
echo `curl http://gitserver/api/v3/session --data 'login=****&password=****'` > $jsonFile
userToken=$(jq '.private_token' $jsonFile)
finalUserToken=$(echo "$userToken" | tr -d '"')
echo "user token: $finalUserToken"
# Below key is for testing, will use output of cat ~/.ssh/id_rsa.pub later on
# sshKey="ssh-rsa AAAAB3N***** ****#***.com
# curl --data "private_token=$userToken&title=keyName&key=$sshKey" "http://gitserver/api/v3/user/keys"
rm $jsonFile
id_rsa.pub is base64 encoded file, it contains + character
http post with application/x-www-form-urlencoded, need encode it's content preventing + being convert to (space)
try
curl --data-urlencode "key=$key_pub" --data-urlencode "title=$hostname" \
http://gitlabserver/api/v3/user/keys?private_token=$Token
see: this
Improving on #Mathlight's answer the following snippet uploads public ssh key to gitlab.com
curl -X POST -F "private_token=${GITLAB_TOKEN}" -F "title=$(hostname)" -F "key=$(cat ~/.ssh/id_rsa.pub)" "https://gitlab.com/api/v3/user/keys"
OP here
In the mean time I've updated the server to version 8.8 and changed the curl code a bit and now it's working like a charm:
curl -X POST -F "private_token=${userToken}" -F "title=${sshName}" -F "key=${sshKey}" "${gitServer}/user/keys"
Just in case anybody needs this in the future...