Merge branch 'develop' of code.greenhost.net:open/certbot-haproxy into develop
This commit is contained in:
commit
e04644e756
10
README.rst
10
README.rst
|
@ -155,6 +155,7 @@ Now to allow the certbot user to restart HAProxy, put the following in the
|
|||
sudoers file:
|
||||
|
||||
.. code:: bash
|
||||
|
||||
cat <<EOF >> /etc/sudoers
|
||||
%certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
|
||||
EOF
|
||||
|
@ -182,6 +183,7 @@ probably not "copy-paste compatible" with your setup. So you need to piece
|
|||
together a configuration that works for you.
|
||||
|
||||
.. code::
|
||||
|
||||
cat <<EOF > /etc/haproxy/haproxy.cfg
|
||||
global
|
||||
log /dev/log local0
|
||||
|
@ -223,13 +225,13 @@ together a configuration that works for you.
|
|||
|
||||
frontend http-in
|
||||
# Listen on port 80
|
||||
bind *:80
|
||||
bind \*:80
|
||||
# Listen on port 443
|
||||
# Uncomment after running certbot for the first time, a certificate
|
||||
# needs to be installed *before* HAProxy will be able to start when this
|
||||
# directive is not commented.
|
||||
#
|
||||
bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
|
||||
bind \*:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
|
||||
|
||||
# Forward Certbot verification requests to the certbot-haproxy plugin
|
||||
acl is_certbot path_beg -i /.well-known/acme-challenge
|
||||
|
@ -263,7 +265,7 @@ together a configuration that works for you.
|
|||
server node3 127.0.0.1:8080 check
|
||||
server node4 127.0.0.1:8080 check
|
||||
# If redirection from port 80 to 443 is to be forced, uncomment the next
|
||||
# line. Keep in mind that the bind *:443 line should be uncommented and a
|
||||
# line. Keep in mind that the bind \*:443 line should be uncommented and a
|
||||
# certificate should be present for all domains
|
||||
redirect scheme https if !{ ssl_fc }
|
||||
|
||||
|
@ -313,6 +315,7 @@ minutes after the server boots, this is done so renewal starts immediately
|
|||
after the server has been offline for a long time.
|
||||
|
||||
.. code:: bash
|
||||
|
||||
cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
||||
[Unit]
|
||||
Description=Run Let's Encrypt every 12 hours
|
||||
|
@ -334,6 +337,7 @@ after the server has been offline for a long time.
|
|||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=certbot
|
||||
ExecStart=/usr/bin/certbot renew -q
|
||||
EOF
|
||||
|
||||
|
|
|
@ -16,8 +16,8 @@ file::
|
|||
|
||||
default_backend nodes
|
||||
|
||||
acl is_cerbot path_beg -i /.well-known/acme-challenge
|
||||
use_backend certbot if is_cerbot
|
||||
acl is_certbot path_beg -i /.well-known/acme-challenge
|
||||
use_backend certbot if is_certbot
|
||||
|
||||
backend certbot
|
||||
log global
|
||||
|
|
|
@ -56,7 +56,6 @@ agree-tos = True
|
|||
no-self-upgrade = True
|
||||
register-unsafely-without-email = True
|
||||
text = True
|
||||
domains testsite.nl
|
||||
debug = True
|
||||
verbose = True
|
||||
authenticator certbot-haproxy:haproxy-authenticator
|
||||
|
@ -82,7 +81,8 @@ EOF
|
|||
# TODO: Does this even work with the `chroot` directive?
|
||||
usermod -a -G vagrant haproxy
|
||||
|
||||
mkdir -p /opt/cerbot/haproxy_fullchains
|
||||
mkdir -p /opt/certbot/haproxy_fullchains
|
||||
chown -R vagrant: /opt/certbot/
|
||||
|
||||
cat <<EOF > /etc/haproxy/haproxy.cfg
|
||||
global
|
||||
|
@ -130,7 +130,7 @@ frontend http-in
|
|||
# needs to be installed *before* HAProxy will be able to start when this
|
||||
# directive is not commented.
|
||||
#
|
||||
## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains
|
||||
## bind *:443 ssl crt /opt/certbot/haproxy_fullchains
|
||||
|
||||
# Forward Cerbot verification requests to the certbot-haproxy plugin
|
||||
acl is_certbot path_beg -i /.well-known/acme-challenge
|
||||
|
@ -198,31 +198,37 @@ bash -c 'echo "vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy"
|
|||
systemctl restart apache2
|
||||
systemctl restart haproxy
|
||||
|
||||
#cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
||||
#[Unit]
|
||||
#Description=Run Let's Encrypt every 12 hours
|
||||
#
|
||||
#[Timer]
|
||||
## Time to wait after booting before we run first time
|
||||
#OnBootSec=2min
|
||||
## Time between running each consecutive time
|
||||
#OnUnitActiveSec=12h
|
||||
#Unit=letsencrypt.service
|
||||
#
|
||||
#[Install]
|
||||
#WantedBy=timers.target
|
||||
#EOF
|
||||
#
|
||||
#cat <<EOF > /etc/systemd/system/letsencrypt.service
|
||||
#[Unit]
|
||||
#Description=Renew Let's Encrypt Certificates
|
||||
#
|
||||
#[Service]
|
||||
#Type=simple
|
||||
#ExecStart=/usr/bin/certbot renew -q
|
||||
#EOF
|
||||
#
|
||||
#systemctl enable letsencrypt.timer
|
||||
#systemctl start letsencrypt.timer
|
||||
# Scripts that run certificate renewal for all certificates every 12 hours. Only
|
||||
# certificates that are due are renewed.
|
||||
cat <<EOF > /etc/systemd/system/letsencrypt.service
|
||||
[Unit]
|
||||
Description=Renew Let's Encrypt Certificates
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=vagrant
|
||||
ExecStart=/usr/bin/certbot renew -q
|
||||
EOF
|
||||
|
||||
cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
||||
[Unit]
|
||||
Description=Run Let's Encrypt every 12 hours
|
||||
|
||||
[Timer]
|
||||
# Time to wait after booting before we run first time
|
||||
OnBootSec=2min
|
||||
# Time between running each consecutive time
|
||||
OnUnitActiveSec=12h
|
||||
Unit=letsencrypt.service
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
EOF
|
||||
|
||||
# Reload for when there were already other scripts in place.
|
||||
systemctl daemon-reload
|
||||
# Enable and start the timer, which runs the service.
|
||||
systemctl enable letsencrypt.timer
|
||||
systemctl start letsencrypt.timer
|
||||
|
||||
echo "Provisioning completed."
|
||||
|
|
|
@ -46,7 +46,8 @@ export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
|
|||
./examples/generate-csr.sh le3.wtf
|
||||
common auth --csr "$CSR_PATH" \
|
||||
--cert-path "${root}/csr/cert.pem" \
|
||||
--chain-path "${root}/csr/chain.pem"
|
||||
--chain-path "${root}/csr/chain.pem" \
|
||||
--fullchain-path "${root}/csr/fullchain.pem"
|
||||
openssl x509 -in "${root}/csr/cert.pem" -text
|
||||
openssl x509 -in "${root}/csr/chain.pem" -text
|
||||
|
||||
|
@ -100,7 +101,8 @@ SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \
|
|||
-out "${root}/csr-p384.der"
|
||||
common auth --csr "${root}/csr-p384.der" \
|
||||
--cert-path "${root}/csr/cert-p384.pem" \
|
||||
--chain-path "${root}/csr/chain-p384.pem"
|
||||
--chain-path "${root}/csr/chain-p384.pem" \
|
||||
--fullchain-path "${root}/csr/fullchain-p384.pem"
|
||||
openssl x509 -in "${root}/csr/cert-p384.pem" -text | grep 'ASN1 OID: secp384r1'
|
||||
|
||||
# OCSP Must Staple
|
||||
|
@ -109,8 +111,6 @@ openssl x509 -in "${root}/conf/live/must-staple.le.wtf/cert.pem" -text | grep '1
|
|||
|
||||
# revoke by account key
|
||||
common revoke --cert-path "$root/conf/live/le.wtf/cert.pem"
|
||||
# revoke renewed
|
||||
# common revoke --cert-path "$root/conf/live/le1.wtf/cert.pem"
|
||||
# revoke by cert key
|
||||
common revoke --cert-path "$root/conf/live/le2.wtf/cert.pem" \
|
||||
--key-path "$root/conf/live/le2.wtf/privkey.pem"
|
||||
|
|
Reference in New Issue