
certbot

Robert Quitt edited this page Jan 4, 2022 · 1 revision

Certbot is running on both soda and tap, to provide HTTPS certificates for our website.

HOWTORENEWTLSCERTS

A text document written by mark64 himself, scribed via neovim, describing how to renew the certificates with acme.sh. It was later superseded by robertq, who switched to certbot to simplify renewal.

tap:~$ cat /root/HOWTORENEWTLSCERTS
= Mar 16 2019 =

We use wildcard certs (*.csua.berkeley.edu), so all our services running on tap
use the same cert and private key.

Certs and all the renewal scripts live in /root/CERTS. We use acme.sh to automate
LetsEncrypt cert renewals with DNS verification mode.

Note that soda.csua.berkeley.edu and soda.berkeley.edu actually point to soda, not tap, so
we have a web server there that forwards HTTP requests here. Because of the way it's
set up, you'll have to copy the certificates to soda as well.

# HOW TO RENEW

Run:
> acme.sh --issue --dns -d csua.berkeley.edu -d '*.csua.berkeley.edu' --yes-I-know-dns-manual-mode-enough-go-ahead-please --force --renew

You'll see it print out two challenge tokens as "TXT values". We host our own DNS zone,
so you need to add those to /etc/bind/db.csua. You'll see spots for them at the bottom.
The values there can be replaced; it won't break anything. The order of the TXT values doesn't
matter, just that they're both there.

Once you've done that, go to the top of the db.csua file and edit the number that looks
vaguely like the current date in YYYYMMDDHH format with the comment "Serial" next to it.
This part is important, because otherwise BIND won't know the DNS records were updated
(remember, this is ancient technology).

Now, run:
> sudo systemctl restart bind9

Once that finishes successfully (you can check with sudo systemctl status bind9, it should
have status "active(running)"), run the acme.sh command again. Here it is again:
> acme.sh --issue --dns -d csua.berkeley.edu -d '*.csua.berkeley.edu' --yes-I-know-dns-manual-mode-enough-go-ahead-please --force --renew

Now, sudo systemctl reload all the services that use the certificates (postfix, nginx, and anything else you add in the future)

= Oct 8 2019 =
:author robertq

Fug dis :DDDDDDDDDDDD

Use certbot

sudo certbot --nginx

/etc/letsencrypt/renewal/...

systemctl status certbot

ezpz :)

Later on, circa Jan 2021, UserAns22 moved the mail server over to certbot as well, thus fully deprecating our usage of acme.sh in favor of certbot.
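As an added example (not part of the wiki, acme.sh, or certbot), here is a small Python check for the manual db.csua edit the HOWTO describes: it confirms that the SOA serial was actually bumped and that both challenge TXT values acme.sh printed are present under `_acme-challenge` before you restart bind9. The zone text, the `2019031601` serial and the token strings are constructed placeholders; the check assumes the serial line carries the `; Serial` comment the HOWTO mentions.

```python
"""Check an edited BIND zone before restarting bind9 for a DNS-01 renewal.

Added example, not the CSUA wiki's own tooling. Catches the two mistakes the
HOWTO warns about: forgetting to bump the serial (BIND then serves the old
zone) and leaving out one of the two TXT values acme.sh printed.
"""
import re

# Constructed sample standing in for /etc/bind/db.csua after editing.
SAMPLE_ZONE = """\
$TTL 300
@   IN  SOA ns1.csua.berkeley.edu. hostmaster.csua.berkeley.edu. (
        2019031601 ; Serial
        3600   ; Refresh
        900    ; Retry
        604800 ; Expire
        300 )  ; Minimum
@   IN  NS  ns1.csua.berkeley.edu.
_acme-challenge IN TXT "token-one-PLACEHOLDER"
_acme-challenge 300 IN TXT "token-two-PLACEHOLDER"
"""

# The serial is the number on the line that carries the "; Serial" comment.
SERIAL_RE = re.compile(r"^\s*(\d+)\s*;\s*Serial", re.M | re.I)
# TXT records under _acme-challenge, with optional TTL and class fields.
TXT_RE = re.compile(
    r'^_acme-challenge\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]*)"', re.M | re.I)


def zone_serial(zone_text):
    """Return the SOA serial found next to the 'Serial' comment, as an int."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no serial line with a 'Serial' comment found")
    return int(m.group(1))


def challenge_txt_values(zone_text):
    """Return the set of TXT values published under _acme-challenge."""
    return set(TXT_RE.findall(zone_text))


def check_zone(zone_text, old_serial, expected_tokens):
    """Return a list of problems; an empty list means safe to restart bind9."""
    problems = []
    serial = zone_serial(zone_text)
    if serial <= old_serial:
        problems.append(f"serial {serial} not bumped past {old_serial}")
    missing = set(expected_tokens) - challenge_txt_values(zone_text)
    if missing:
        problems.append(f"missing TXT values: {sorted(missing)}")
    return problems
```

In practice you would read the zone text from the file on disk and pass the serial it had before your edit; a non-empty result means fix db.csua before running `systemctl restart bind9`.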
