From fd33a1492faa02fbef343033024be007116142c8 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Mon, 22 Aug 2016 17:41:12 +0200 Subject: [PATCH 1/4] fix cerbot spelling mistakes, prevent boulder-integration test from making 0000_chain.pem --- certbot_haproxy/authenticator.py | 4 ++-- provisioning_client.sh | 6 +++--- tests/boulder-integration.sh | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/certbot_haproxy/authenticator.py b/certbot_haproxy/authenticator.py index 8fa5e68..68e2288 100644 --- a/certbot_haproxy/authenticator.py +++ b/certbot_haproxy/authenticator.py @@ -16,8 +16,8 @@ file:: default_backend nodes - acl is_cerbot path_beg -i /.well-known/acme-challenge - use_backend certbot if is_cerbot + acl is_certbot path_beg -i /.well-known/acme-challenge + use_backend certbot if is_certbot backend certbot log global diff --git a/provisioning_client.sh b/provisioning_client.sh index 82e7beb..67a84f9 100644 --- a/provisioning_client.sh +++ b/provisioning_client.sh @@ -56,7 +56,6 @@ agree-tos = True no-self-upgrade = True register-unsafely-without-email = True text = True -domains testsite.nl debug = True verbose = True authenticator certbot-haproxy:haproxy-authenticator @@ -82,7 +81,8 @@ EOF # TODO: Does this even work with the `chroot` directive? usermod -a -G vagrant haproxy -mkdir -p /opt/cerbot/haproxy_fullchains +mkdir -p /opt/certbot/haproxy_fullchains +chown -R vagrant: /opt/certbot/ cat < /etc/haproxy/haproxy.cfg global @@ -130,7 +130,7 @@ frontend http-in # needs to be installed *before* HAProxy will be able to start when this # directive is not commented. # - ## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains + ## bind *:443 ssl crt /opt/certbot/haproxy_fullchains # Forward Cerbot verification requests to the certbot-haproxy plugin acl is_certbot path_beg -i /.well-known/acme-challenge diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index 758a7d3..7c00c4e 100755 --- a/tests/boulder-integration.sh 
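Review bot: The new `chown -R vagrant: /opt/certbot/` that follows `mkdir -p /opt/certbot/haproxy_fullchains` sets ownership but never restricts the directory mode, so with a typical umask the fullchain directory stays world-readable; HAProxy's `crt` expects each PEM in that directory to carry its private key, so the directory should be limited to the owner plus the haproxy group that the `usermod -a -G vagrant haproxy` context line already arranges, e.g. `chmod 750 /opt/certbot/haproxy_fullchains`. Whether the PEM files themselves get restrictive modes depends on whatever writes them later, which is outside this hunk. The `-R` also hands the whole `/opt/certbot/` tree to vagrant rather than only the fullchain directory; if nothing else is meant to live there that is fine, otherwise narrow it to the one directory.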
+++ b/tests/boulder-integration.sh @@ -46,7 +46,8 @@ export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \ ./examples/generate-csr.sh le3.wtf common auth --csr "$CSR_PATH" \ --cert-path "${root}/csr/cert.pem" \ - --chain-path "${root}/csr/chain.pem" + --chain-path "${root}/csr/chain.pem" \ + --fullchain-path "${root}/csr/fullchain.pem" openssl x509 -in "${root}/csr/cert.pem" -text openssl x509 -in "${root}/csr/chain.pem" -text @@ -100,7 +101,8 @@ SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \ -out "${root}/csr-p384.der" common auth --csr "${root}/csr-p384.der" \ --cert-path "${root}/csr/cert-p384.pem" \ - --chain-path "${root}/csr/chain-p384.pem" + --chain-path "${root}/csr/chain-p384.pem" \ + --fullchain-path "${root}/csr/fullchain-p384.pem" openssl x509 -in "${root}/csr/cert-p384.pem" -text | grep 'ASN1 OID: secp384r1' # OCSP Must Staple @@ -109,8 +111,6 @@ openssl x509 -in "${root}/conf/live/must-staple.le.wtf/cert.pem" -text | grep '1 # revoke by account key common revoke --cert-path "$root/conf/live/le.wtf/cert.pem" -# revoke renewed -# common revoke --cert-path "$root/conf/live/le1.wtf/cert.pem" # revoke by cert key common revoke --cert-path "$root/conf/live/le2.wtf/cert.pem" \ --key-path "$root/conf/live/le2.wtf/privkey.pem" From e9d655a92baa8e23c2d56994c15e3249b792cee8 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Tue, 23 Aug 2016 10:21:16 +0200 Subject: [PATCH 2/4] finish renewal script --- provisioning_client.sh | 58 +++++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 26 deletions(-) diff --git a/provisioning_client.sh b/provisioning_client.sh index 67a84f9..844170a 100644 --- a/provisioning_client.sh +++ b/provisioning_client.sh 
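Review bot: Both `common auth --csr` invocations now pass `--fullchain-path`, but the checks that follow still inspect only cert.pem and chain.pem (and cert-p384.pem in the second hunk at `@@ -100,7 +101,8 @@`), so the file the new option controls is never verified and a regression back to the default output location would go unnoticed. Add `test -s "${root}/csr/fullchain.pem"` after the first `openssl x509` checks and `test -s "${root}/csr/fullchain-p384.pem"` after the second. The deletion of the commented-out `revoke renewed` lines needs nothing further.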
@@ -198,31 +198,37 @@ bash -c 'echo "vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy" systemctl restart apache2 systemctl restart haproxy -#cat < /etc/systemd/system/letsencrypt.timer -#[Unit] -#Description=Run Let's Encrypt every 12 hours -# -#[Timer] -## Time to wait after booting before we run first time -#OnBootSec=2min -## Time between running each consecutive time -#OnUnitActiveSec=12h -#Unit=letsencrypt.service -# -#[Install] -#WantedBy=timers.target -#EOF -# -#cat < /etc/systemd/system/letsencrypt.service -#[Unit] -#Description=Renew Let's Encrypt Certificates -# -#[Service] -#Type=simple -#ExecStart=/usr/bin/certbot renew -q -#EOF -# -#systemctl enable letsencrypt.timer -#systemctl start letsencrypt.timer +# Scripts that run certificate renewal for all certificates every 12 hours. Only +# certificates that are due are renewed. +cat < /etc/systemd/system/letsencrypt.service +[Unit] +Description=Renew Let's Encrypt Certificates + +[Service] +Type=simple +User=vagrant +ExecStart=/usr/bin/certbot renew -q +EOF + +cat < /etc/systemd/system/letsencrypt.timer +[Unit] +Description=Run Let's Encrypt every 12 hours + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=2min +# Time between running each consecutive time +OnUnitActiveSec=12h +Unit=letsencrypt.service + +[Install] +WantedBy=timers.target +EOF + +# Reload for when there were already other scripts in place. +systemctl daemon-reload +# Enable and start the timer, which runs the service. +systemctl enable letsencrypt.timer +systemctl start letsencrypt.timer echo "Provisioning completed." From 4bd44ba15edbbae7497b42ddd6118c33766cd1d4 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Tue, 23 Aug 2016 10:21:16 +0200 Subject: [PATCH 3/4] finish renewal script --- README.rst | 8 +++--- provisioning_client.sh | 58 +++++++++++++++++++++++------------------- 2 files changed, 37 insertions(+), 29 deletions(-) diff --git a/README.rst b/README.rst index 35004ea..962587d 100644 
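Review bot: The new `letsencrypt.service` declares `Type=simple` for a run-to-completion job (`ExecStart=/usr/bin/certbot renew -q`); with `Type=simple` systemd treats the unit as started as soon as the process is forked, so a failing renewal is not reported as a failed unit and the timer's `OnUnitActiveSec=12h` is measured from the start of the run rather than its end. Change it to `Type=oneshot`. The service also runs as `User=vagrant`; certbot's default config, work and log directories under /etc and /var are root-owned, so unless the cli.ini written earlier in this script points them at vagrant-writable paths (not visible in this hunk) the renew will fail, and with `-q` it will do so without output, which is one more reason the failure should surface through the unit state. The restart of HAProxy presumably relies on the `vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy` sudoers rule in the hunk context; that rule is scoped to a single command, which is the right shape for it.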
--- a/README.rst +++ b/README.rst @@ -223,13 +223,13 @@ together a configuration that works for you. frontend http-in # Listen on port 80 - bind *:80 + bind \*:80 # Listen on port 443 # Uncomment after running certbot for the first time, a certificate # needs to be installed *before* HAProxy will be able to start when this # directive is not commented. # - bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains + bind \*:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains # Forward Certbot verification requests to the certbot-haproxy plugin acl is_certbot path_beg -i /.well-known/acme-challenge @@ -263,7 +263,7 @@ together a configuration that works for you. server node3 127.0.0.1:8080 check server node4 127.0.0.1:8080 check # If redirection from port 80 to 443 is to be forced, uncomment the next - # line. Keep in mind that the bind *:443 line should be uncommented and a + # line. Keep in mind that the bind \*:443 line should be uncommented and a # certificate should be present for all domains redirect scheme https if !{ ssl_fc } @@ -313,6 +313,7 @@ minutes after the server boots, this is done so renewal starts immediately after the server has been offline for a long time. .. code:: bash + cat < /etc/systemd/system/letsencrypt.timer [Unit] Description=Run Let's Encrypt every 12 hours @@ -334,6 +335,7 @@ after the server has been offline for a long time. [Service] Type=simple + User=certbot ExecStart=/usr/bin/certbot renew -q EOF diff --git a/provisioning_client.sh b/provisioning_client.sh index 67a84f9..844170a 100644 --- a/provisioning_client.sh +++ b/provisioning_client.sh 
@@ -198,31 +198,37 @@ bash -c 'echo "vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy" systemctl restart apache2 systemctl restart haproxy -#cat < /etc/systemd/system/letsencrypt.timer -#[Unit] -#Description=Run Let's Encrypt every 12 hours -# -#[Timer] -## Time to wait after booting before we run first time -#OnBootSec=2min -## Time between running each consecutive time -#OnUnitActiveSec=12h -#Unit=letsencrypt.service -# -#[Install] -#WantedBy=timers.target -#EOF -# -#cat < /etc/systemd/system/letsencrypt.service -#[Unit] -#Description=Renew Let's Encrypt Certificates -# -#[Service] -#Type=simple -#ExecStart=/usr/bin/certbot renew -q -#EOF -# -#systemctl enable letsencrypt.timer -#systemctl start letsencrypt.timer +# Scripts that run certificate renewal for all certificates every 12 hours. Only +# certificates that are due are renewed. +cat < /etc/systemd/system/letsencrypt.service +[Unit] +Description=Renew Let's Encrypt Certificates + +[Service] +Type=simple +User=vagrant +ExecStart=/usr/bin/certbot renew -q +EOF + +cat < /etc/systemd/system/letsencrypt.timer +[Unit] +Description=Run Let's Encrypt every 12 hours + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=2min +# Time between running each consecutive time +OnUnitActiveSec=12h +Unit=letsencrypt.service + +[Install] +WantedBy=timers.target +EOF + +# Reload for when there were already other scripts in place. +systemctl daemon-reload +# Enable and start the timer, which runs the service. +systemctl enable letsencrypt.timer +systemctl start letsencrypt.timer echo "Provisioning completed." From d4c79cd88f839ed448be1f9cc2dc6137f6625d02 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Tue, 23 Aug 2016 10:33:05 +0200 Subject: [PATCH 4/4] fix bug in README that ignored part of the code --- README.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.rst b/README.rst index 962587d..2c90079 100644 --- a/README.rst +++ b/README.rst 
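Review bot: The provisioning_client.sh change in PATCH 3/4 duplicates the one PATCH 2/4 already carries: the same `@@ -198,31 +198,37 @@` hunk and the same `index 67a84f9..844170a` pre-image, so applied in series after patch 2 it will not apply because the `#cat <` block it removes is already gone. This looks like a rebase or amend artifact; drop the provisioning_client.sh part from PATCH 3/4 and keep only its README.rst changes. Separately, the README side of this patch documents the service with `User=certbot` while the script installs `User=vagrant`; if the script is meant to mirror the documented setup, align the two or state in a comment why the vagrant box differs.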
@@ -155,6 +155,7 @@ Now to allow the certbot user to restart HAProxy, put the following in the sudoers file: .. code:: bash + cat <> /etc/sudoers %certbot ALL=NOPASSWD: /bin/systemctl restart haproxy EOF @@ -182,6 +183,7 @@ probably not "copy-paste compatible" with your setup. So you need to piece together a configuration that works for you. .. code:: + cat < /etc/haproxy/haproxy.cfg global log /dev/log local0