Renewing certbot certificates manually - ssl-certificate

Thanks in advance for your time and response.
I have generated a certificate using certbot.
certbot -d *.mycompany.com --manual --preferred-challenges dns certonly
I create the TXT record in my (Amazon Rt53) DNS and create the private and public keys.
I then convert it to .pfx
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out mycompany.pfx
I use the resulting mycompany.pfx in RD gateway and elsewhere in multiple servers (since I have a *.mycompany.com).
Obviously the Let's Encrypt certificate expires in 90 days. So I renew the certificate by issuing the same command
certbot -d *.mycompany.com --manual --preferred-challenges dns certonly
I get the new keys.
I now have to go to the RD gateway server and re-import the new .pfx certificate.
I have to do this for each server where I have used the certificate.
Is this the way this is supposed to work? Is there an automated step that I am missing whereby I renew and all the servers where I have used the certificate renew automatically?

Automatic renewal of letsencrypt certificates or certbot certificates.
Certbot can be configured to renew your certificates automatically before they expire.
You can set a cron job to renew certificates automatically.
Go to your server and run sudo crontab -e. It will open an editor window; add the following command.
0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/centos/certbot/certbot-auto renew >> /var/log/auto-renewal-cron 2>&1
You can get the cron command by selecting your system and software based on your OS, like the screenshot below: https://certbot.eff.org/lets-encrypt/osx-apache.html

Related

let's encrypt > certbot > openssl certificate (2048 bit key issue)

I'm trying to generate a wildcard PFX certificate for my domain example.com with Let's Encrypt, then using certbot and finally converting .pem to pfx using OpenSSL.
The problem is that it seems the final PFX file doesn't meet browser security requirements and the key doesn't have at least 2048 characters, but this is really strange as Certbot by default works at 2048 bits for RSA keys (already tried forcing to 4096 but I get the same result).
This is the procedure I followed:
from Certbot (installed via Anaconda Python) I ran
call C:\ProgramData\Anaconda3\Scripts\activate.bat
certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example#example.com
After, from OpenSSL I ran
openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!
From Sangfor VDI interface an alert appears when I try to import the certificate and if I test to access the FQDN from Chrome for example, the domain cannot be loaded due to SSL mismatch.
certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example#example.com
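Both threads above end at the same step, openssl pkcs12 -export, and both would be caught earlier by a few checks before that step. The script below is an added example (not code from either thread): a certbot --deploy-hook, in POSIX sh, that verifies the renewed key is RSA 2048 or larger and actually belongs to the certificate, then rebuilds the .pfx with a restrictive mode. Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mycompany.com) when it runs a deploy hook; the output path /srv/certs/mycompany.pfx, the password file /etc/pfx-password and the script name are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from either thread above): a certbot --deploy-hook that
# rebuilds the .pfx after a successful renewal. Certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mycompany.com) to deploy hooks;
# the output path and the password file below are assumptions.
set -eu

# Print the modulus size of an RSA private key, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -noout -text | grep -o '[0-9][0-9]* bit' | head -1 | cut -d' ' -f1
}

# A cert/key pair matches when both carry the same public key. A PFX built
# from mismatched files may import, but the TLS handshake then fails.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# build_pfx LINEAGE_DIR OUT_PFX PASSWORD_FILE
# Refuses keys shorter than 2048 bits and mismatched pairs; writes the
# PFX with mode 0600 so the exported private key is not world-readable.
build_pfx() {
    lineage=$1 out=$2 pass_file=$3
    cert="$lineage/fullchain.pem" key="$lineage/privkey.pem"
    bits=$(key_bits "$key")
    if [ "$bits" -lt 2048 ]; then
        echo "refusing $key: $bits-bit key" >&2; return 1
    fi
    keys_match "$cert" "$key" || { echo "key does not match $cert" >&2; return 1; }
    umask 077
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
        -passout "file:$pass_file"
}

# Entry point when certbot invokes this script as a deploy hook:
#   certbot renew --deploy-hook /usr/local/sbin/build-pfx.sh
# RENEWED_LINEAGE is unset when run by hand, so fall back to $1.
if [ -n "${RENEWED_LINEAGE:-}${1:-}" ]; then
    build_pfx "${RENEWED_LINEAGE:-$1}" /srv/certs/mycompany.pfx /etc/pfx-password
fi
```

Copying the resulting .pfx to the RD gateway and the other servers is still a separate step, which can be appended to the same hook.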

ISPConfig won't accept new certificate

I was using a certificate which expired. I requested a new one with a new private key and request file.
But when I add the new certificate to the ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate won't be accepted by ISPConfig and it is still using the old one which expired, so my site is not working with HTTPS. Is there a possibility that ISPConfig has this old certificate stored somewhere?
I also deleted the content of the SSL folder in my vhost but that did not work either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try either one to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!

ArangoDB working together with letsencrypt certificates

Is there anyone out there who got a running arangoDB database working with a letsencrypt certificate? I just can't find out how to get this running.
ArangoDB is running on a digitalOcean droplet and I could get it running together with a self-signed certificate following this tutorial. So arangoDB is successfully running on port: 8530
Now my approach was replacing the self-signed certificate with a letsencrypt cert.
So I added a subdomain in DigitalOcean to the droplet, e.g. db.example.com, and then generated the cert-files:
sudo -H ./letsencrypt-auto certonly --standalone -d db.example.com
You will end up with 4 files: cert.pem chain.pem fullchain.pem privkey.pem
As I understood, these files are:
Private Key --------> privkey.pem
Public Key ---------> cert.pem
Certificate Chain --> chain.pem
As described in the tutorial I mentioned, you need the certificate and the key in one file. So I did
cat chain.pem privkey.pem | sudo tee server.pem
to have a file containing the certificate and the private key.
Then I modified the file /etc/arangodb3/arangod.conf to let arango know where the keyfile is and modified the ssl section:
[ssl]
keyfile = /etc/letsencrypt/live/db.example.com/server.pem
But after restarting arango, the server is not available when trying to connect the browser to https://db.example.com:8530. Firewall settings for the droplet should all be ok, because I could access this address with the self-signed certificate before.
I then tried to modify the endpoint in /etc/arangodb3/arangod.conf from
endpoint = ssl://0.0.0.0:8530
to
endpoint = ssl://db.example.com:8530
and also
tcp://db.example.com:8530
None of it was working. Has somebody out there an idea what I am doing wrong?
Please use the ip of the interface you want to use when specifying the endpoint, e.g. endpoint = ssl://42.23.13.37:8530 (ip address should list your interfaces along with addresses in use). Then it could help to use the fullchain.pem to create the server.pem (cat fullchain.pem privkey.pem > server.pem). Make sure the resulting server.pem is accessible and readable by the arangodb user. If the server is still not starting correctly please provide logs of the server. To access the logs use systemctl -fu arangodb3.service or follow the logs with tail -f <logfile> if you use some custom location for logging.
I have just tested a setup with letsencrypt certificates and it was working after ensuring all above points.

Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

I'm trying to install ssl certificates created using the ZeroSSL.com page for Let's Encrypt, into the Google Cloud Platform.
I followed the FREE SSL Certificate Wizard to do so.
The ZeroSSL page generates four files in the process:
domain-crt.txt
domain-key.txt
account-key.txt
domain-csr.txt
The google Cloud Platform asks for two files:
PEM encoded X.509 public key certificate
Unencrypted PEM encoded RSA private key
I've made all the combinations, and followed all suggestion I could find in the web, but I had no success.
I asked this to the zeroSSL people, and Alexander answered me with the solution.
SSL Certificate Wizard generates a longer more secure 4096 bits key by default, but Google only accepts 2048 bits key. So you should generate the new CSR separately first by using CSR Generator at https://zerossl.com/free-ssl/#csr and making sure you select 2048 bits. Then download the produced key and CSR (please note that this is the domain key, not the LE key) and then use the same LE key as you used originally and this new CSR with the SSL Certificate Wizard.
At the last Wizard step, you might need to split the domain-crt.txt file in two. The first part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- will go into "Public key certificate" field.
Finally, the content of domain-key.txt should be pasted into "Private key" field.
You can do this from the command line for free:
Install Certbot client:
$ sudo brew install wget
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help
Then, to generate cert:
$ cd certbot (if not already there)
$ sudo ./certbot-auto certonly --debug -a manual -d www.yoursite.com -d yoursite.com (<--if you want naked too.)
You should get to a screen telling you the challenge url and response needed to verify domain. Add each & deploy. Leave each url working. (They will be needed for renewing.)
If you do both naked and www, you will need to do the challenge urls twice, once for each subdomain. Finally, you should get this message:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.yoursite.com/fullchain.pem. Your cert will
expire on 2016-xx-07. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
Go to: https://console.cloud.google.com/appengine/settings/certificates?project=yoursite. Click on Upload a new SSL certificate
Open these PEM files in a text editor, and copy/paste the contents in the fields. (fullchain.pem is the public key. unencrypted_key.pem is the unencrypted private key.)
NOTE: Make sure you delete any trailing spaces or line feeds!
That should do it.
Debugging:
If, when you paste the certs into the GAE Settings page, you get an invalid error:
Make sure you delete any trailing line feeds or spaces!
If it still won't accept your PEM files, replace the code from unencrypted_key.pem with the code from the original privkey.pem
If you get homebrew error:
$ cd /usr/local/Library
$ sudo git pull origin master
if you get an augeas error:
$ brew install augeas
if you get Warning: augeas-1.4.0 already installed, it's just not linked
$ sudo brew link augeas
if you get ExecutableNotFound:
$ brew install dialog
if you get Warning: dialog-1.2-20150920 already installed, it's just not linked
$ sudo brew link dialog
Renewing:
$ cd certbot
$ ./certbot-auto certonly --debug --force-renew -a manual -d www.yoursite.com -d yoursite.com
( You may get an "unable to reach..." error, but the certs still created.)
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
fullchain.pem is the public key.
unencrypted_key.pem is the unencrypted private key
Go to GAE Settings and install as outlined above.
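The two failure modes the answer above keeps returning to, trailing whitespace in the pasted PEM and a private key in the wrong format, can be checked before pasting. The helpers below are an added example (not part of the original answer), in POSIX sh with awk, working on the file names used in the thread: first_pem_cert prints only the leaf certificate of a bundle such as domain-crt.txt or fullchain.pem with trailing whitespace stripped, and pem_key_kind reports whether a key file is the unencrypted PKCS#1 RSA form the "Private key" field expects.

```sh
# Added example, not part of the original answer: helpers that prepare the two
# values the GAE certificate form takes from ZeroSSL or certbot output, in
# POSIX sh with awk. File names are the ones used in the thread above.

# Print only the first (leaf) certificate of a PEM bundle such as
# domain-crt.txt or fullchain.pem, with trailing whitespace on each line
# removed, since the form rejects trailing spaces and blank lines.
first_pem_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { sub(/[ \t\r]+$/, ""); print }
         /^-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Classify a PEM private key by its header. The form wants an unencrypted
# RSA key: "pkcs1" (BEGIN RSA PRIVATE KEY) is what "openssl rsa -in
# privkey.pem -out ..." writes; "pkcs8" (BEGIN PRIVATE KEY) is certbot's
# default privkey.pem; "encrypted" keys must be decrypted first.
pem_key_kind() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; else echo pkcs1; fi
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown; return 1
    fi
}
```

A pkcs8 result on the key you are about to paste means the "openssl rsa" conversion step above has not been run yet.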

How to setup Dart to use a CA SSL certificate?

I recently deployed a Dart server application that serves HTTP requests. I wanted to add support for HTTPS so I have been trying to add SSL to the Dart server application.
This answer gives a clear explanation of how to add a self-signing SSL certificate to Dart. However, I want to add an SSL certificate I bought from an SSL provider.
The SSL provider e-mailed me 4 files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - my_domain.crt
I have been trying to figure out how certutil works and how to add these certificates to the certificate database, but I just can't figure it all out.
Anyone with experience enabling a CA SSL certificate in Dart?
SOLVED: Thanks to suggestion in the comments, I solved the issue. This is the gist of my complete setup: https://gist.github.com/stevenroose/e6abde14258971eae982
First of all, you probably have three files generated with openssl for your private key, server certificate and CA certificate. To convert all those into a PKCS12 file, you can use openssl:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CAcert.crt
Then, you can adapt the certutil commands as shown to load your PKCS12 instead of generating new certificates:
certutil -N -d sql:certdb
certutil -A -n mycertnick -i server.crt -t "TCu,Cu,Tuw" -d sql:certdb
certutil -A -n myCA -i CAcert.crt -t "TCu,Cu,Tuw" -d sql:certdb
pk12util -i server.p12 -d sql:certdb
It seems to work with the sample code in the referenced question.
Unfortunately the SSL management in Dart is known to be very lacking.
I reported this many times, with no serious answer from the Dart team.
Star this issue if you want something done about it:
https://code.google.com/p/dart/issues/detail?id=20967