Automating LetsEncrypt Certificate Installation on shared server - ssl-certificate

Is it possible to programmatically installing LetsEncrypt Certificate on shared server, by using some opensource tool or PHP. Currently I'm generating Certificate on windows machine with "letsencrypt-win-simple" tool with W option which uses webdav to authenticate server. Certificate are generated locally in my windows machine and I've to configure it manually through cpanel every month.
Is it any possible automation for this process on certificate installation?

You can use Cpanel's API to install the new certificate. Here is a Linux example, but curl exists for Windows as well. You would need to change the paths in this script though:
domain='example.org'
ledir="/etc/letsencrypt/live/$domain"
cabundle="$ledir/chain.pem"
crt="$ledir/cert.pem"
key="$ledir/privkey.pem"
cpanel_host='cpanel.example.com:2083'
cpanel_user=''
curl -u "$cpanel_user"\
"$cpanel_host/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=SSL&cpanel_jsonapi_func=installssl&cpanel_jsonapi_user=$cpanel_user"\
-d "domain=$domain" --data-urlencode "cabundle#$cabundle" --data-urlencode "crt#$crt" --data-urlencode "key#$key"
This will still ask for your password. But it is possible to provide Curl with the password as well: curl -u "user:password" ...

you should look windows "sheduled tasks"
https://sites.google.com/site/ballif1073/windows/taches-planifiees
command line Example, not sure its working as i wrote it from the doc on my linux systeme :) (run task every month):
C:\>SCHTASKS /Create /SC MONTHLY /TR C:\path\to\letsencrypt-win-simple.exe

Related

Add certificate to trusted does not work via macos "security add-trusted-cert"

I have a safari web-page connecting to secured web socket server (written with C# netcore 3.0).
I add server sertificate to trusted running this command (the same certificate I put on my websocket end point).
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certificate.crt
Everything seems valid (I have a blue cross near my certificate in Keys application)
but when I connect from safari (catalina os, mojave os) I get an error
OSStatus Error -9807. Invalid certificate chain
Also when I import certificate manually via Keys Application GUI there is no error. Everything works.
Can anyone explain is there any difference between "security add-trusted-cert" import and GUI manual import?
Maybe my add-trusted-cert command is wrong and I need some additional params?
This syntax works perfectly for me on MacOS Catalina, however, it must be run with elevated privileges (sudo or whatever).
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <MY_CERTIFICATE_FILE.pem>

How to find .crt file installed by default of FreeIPA?

Use this guide installed FreeIPA with SSL: https://www.howtoforge.com/how-to-install-freeipa-server-on-centos-7/
yum install ipa-server bind-dyndb-ldap ipa-server-dns -y
ipa-server-install --setup-dns
After finish it, it can be accessed by https://ipa.hakase-labs.io/.
There are two files generated on the /root/ path:
ca-agent.p12
cacert.p12
If use a self-prepared CA file, we can know where the .crt file is. And set it to a client server in order to connect to the LDAP(FreeIPA) server.
But where is it by the default way?
I don't see how this question is related to programming, maybe move it to ServerFault.
And it's not clear what you want to do exactly. You don't want to install an embedded CA within the IPA Server, but it's unclear if you're going to use an external CA or no CA at all. In the first case this means the IPA Server would still automatically update the certificates, while the second case means you would update yourself when it is necessary.
The best entry point is the Linux Domain Identity, Authentication, and Policy Guide
If you're not going to use any CA at all, see section 2.3.6 :
# ipa-server-install \
--http-cert-file /tmp/server.crt \
--http-cert-file /tmp/server.key \
--http-pin secret \
--dirsrv-cert-file /tmp/server.crt \
--dirsrv-cert-file /tmp/server.key \
--dirsrv-pin secret \
--ca-cert-file ca.crt

Curl and dialog popups

Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]

How can I deploy a secure (HTTPS) Meteor app on Heroku?

I would like to deploy my Meteor app to Heroku and make it only accessible through HTTPS. Ideally, I want to do this as cheaply as possible.
Create the Certificate
Run these commands to get certbot-auto. certbot-auto should work on most systems
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
This command starts the process of getting your certificate. The -d flag allows you to pass in the domain you would like to secure. Alternatively, without the -d flag, it will pop up a prompt where you can enter the domain.
./certbot-auto certonly --manual -d app.yoursite.com
Then it will ask you the following. Do not hit enter.
Make sure your web server displays the following content at
http://app.yoursite.com/.well-known/acme-challenge/SOME-LENGTHY-KEY before continuing:
SOME-LONGER-KEY
Use Picker
I suggest using this method because on renewal, you will only need to update an environment variable. You can use public/ as below, but it will require a rebuild of your entire app every time
Run meteor add meteorhacks:picker
In a server side file, add the following
import { Picker } from 'meteor/meteorhacks:picker';
Picker.route('/.well-known/acme-challenge/:routeKey', (params, request, response) => {
response.writeHead('200', {'Content-Type': 'text/plain'});
response.write(process.env.SSL_PAGE_KEY)
response.end();
});
Then set an environment variable SSL_PAGE_KEY to SOME-LONGER-KEY with
heroku config:set SSL_PAGE_KEY=SOME-LONGER-KEY
Use public/
Create the directory path in your public folder. If you don't have one, create one.
mkdir -p public/.well-known/acme-challenge/
Then create the file SOME-LENGTHY-KEY and place SOME-LONGER-KEY inside it
echo SOME-LONGER-KEY > public/.well-known/acme-challenge/SOME-LENGTHY-KEY
Commit and push that change to your Heroku app.
git push heroku master
Now hit enter to continue the verification process. You should receive a message like this
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/app.yoursite.com/fullchain.pem. Your cert will
expire on 2016-04-11. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Upload the Certificate
To upload your certificates to Heroku, first enable the SSL Beta
heroku labs:enable http-sni -a your-app
heroku plugins:install heroku-certs
Then add your fullchain.pem and privkey.pem to Heroku.
sudo heroku _certs:add /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem
You can verify that the certificate was uploaded with
heroku _certs:info
Change your DNS Settings
Update your DNS to point to app.yoursite.com.herokudns.com
Verify SSL is working
To check that SSL is set up, run the following. -v gives you verbose output. -I shows the document info only. -H passes a header to the URL. The header we're passing ensures that a cache is not being used and will ensure you get your new certificate and not an old one.
curl -vI https://app.yoursite.com -H "Cache-Control: no-cache"
Check that the output contains the following
* Server certificate:
* subject: C=US; ST=CA; L=SF; O=SFDC; OU=Heroku; CN=app.yoursite.com
If the subject line does not contain CN=app.yoursite.com, wait 5 to 10 minutes and try again. If it does, you're almost good to go.
Make Meteor Specific Changes
To finish up the process, you'll want to change your ROOT_URL environment variable to the new https version.
heroku config:set ROOT_URL=https://app.yoursite.com
Then you'll want to ensure that your users are always using SSL with the force-ssl package
meteor add force-ssl
Lastly, if you have any OAuth logins set up in your app (Facebook, Google, etc), you'll want to provide them with the new https version of your URL.
Renewal
Run certbot-auto again
./certbot-auto certonly --manual -d app.yoursite.com
It may prompt you for the same endpoint with the same content. If it does, just hit enter. If it does not, you will need to repeat the above steps.
It will then create new certificate files, which you will upload to Heroku with
heroku certs:update /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem
Then to confirm, run the Verify SSL is working commands above
Sources
https://certbot.eff.org/#ubuntutrusty-other
https://devcenter.heroku.com/articles/ssl-beta
https://themeteorchef.com/blog/securing-meteor-applications/

Docker: What is the simplest way to secure a private registry?

Our Docker images ship closed sources, we need to store them somewhere safe, using own private docker registry.
We search the simplest way to deploy a private docker registry with a simple authentication layer.
I found :
this manual way http://www.activestate.com/blog/2014/01/deploying-your-own-private-docker-registry
and the shipyard/docker-private-registry docker image based on stackbrew/registry and adding basic auth via Nginx - https://github.com/shipyard/docker-private-registry
I think use shipyard/docker-private-registry, but is there one another best way?
I'm still learning how to run and use Docker, consider this an idea:
# Run the registry on the server, allow only localhost connection
docker run -p 127.0.0.1:5000:5000 registry
# On the client, setup ssh tunneling
ssh -N -L 5000:localhost:5000 user#server
The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.
Sources:
https://blog.codecentric.de/en/2014/02/docker-registry-run-private-docker-image-repository/
https://docs.docker.com/userguide/dockerlinks/
You can also use an Nginx front-end with a Basic Auth and an SSL certificate.
Regarding the SSL certificate I have tried couple of hours to have a working self-signed certificate but Docker wasn't able to work with the registry. To solve this I have a free signed certificate which work perfectly. (I have used StartSSL but there are others).
Also be careful when generating the certificate. If you want to have the registry running at the URL registry.damienroch.com, you must give this URL with the sub-domain otherwise it's not going to work.
You can perform all this setup using Docker and my nginx-proxy image (See the README on Github: https://github.com/zedtux/nginx-proxy).
This means that in the case you have installed nginx using the distribution package manager, you will replace it by a containerised nginx.
Place your certificate (.crt and .key files) on your server in a folder (I'm using /etc/docker/nginx/ssl/ and the certificate names are private-registry.crt and private-registry.key)
Generate a .htpasswd file and upload it on your server (I'm using /etc/docker/nginx/htpasswd/ and the filename is accounts.htpasswd)
Create a folder where the images will be stored (I'm using /etc/docker/registry/)
Using docker run my nginx-proxy image
Run the docker registry with some environment variable that nginx-proxy will use to configure itself.
Here is an example of the commands to run for the previous steps:
sudo docker run -d --name nginx -p 80:80 -p 443:443 -v /etc/docker/nginx/ssl/:/etc/nginx/ssl/ -v /var/run/docker.sock:/tmp/docker.sock -v /etc/docker/nginx/htpasswd/:/etc/nginx/htpasswd/ zedtux/nginx-proxy:latest
sudo docker run -d --name registry -e VIRTUAL_HOST=registry.damienroch.com -e MAX_UPLOAD_SIZE=0 -e SSL_FILENAME=private-registry -e HTPASSWD_FILENAME=accounts -e DOCKER_REGISTRY=true -v /etc/docker/registry/data/:/tmp/registry registry
The first line starts nginx and the second one the registry. It's important to do it in this order.
When both are up and running you should be able to login with:
docker login https://registry.damienroch.com
I have create an almost ready to use but certainly ready to function setup for running a docker-registry: https://github.com/kwk/docker-registry-setup .
Maybe it helps.
Everything (Registry, Auth server, and LDAP server) is running in containers which makes parts replacable as soon as you're ready to. The setup is fully configured to make it easy to get started. There're even demo certificates for HTTPs but they should be replaced at some point.
If you don't want LDAP authentication but simple static authentication you can disable it in auth/config/config.yml and put in your own combination of usernames and hashed passwords.