Closed: ivomarino closed this issue 7 years ago
Another interesting option could be https://github.com/srvrco/getssl/blob/master/README.md.

It starts working in combination with HAProxy:

```
certbot-auto certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for appflow-1.home-unix.com
http-01 challenge for appflow-2.home-unix.com
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/appflow-1.home-unix.com/fullchain.pem. Your
   cert will expire on 2017-05-21. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

This should run in cron on the master node, concatenate the certs and store them on GlusterFS; from there they can be sourced via HAProxy. That's the idea.
When we specify multiple domains, like in this case:

```yaml
conf_letsencrypt_rsa_key_size: 4096
conf_letsencrypt_email: root@home-unix.com
conf_letsencrypt_authenticator: standalone
conf_letsencrypt_preferred_challenge: http
conf_letsencrypt_http_01_port: 63443
conf_letsencrypt_domains: appflow-1.home-unix.com,appflow-2.home-unix.com
conf_letsencrypt_agree_tos: True
conf_letsencrypt_noninteractive: True
```

Let’s Encrypt will create a single cert which contains several different names using the Subject Alternative Name (SAN) mechanism, in this case `appflow-1.home-unix.com` and `appflow-2.home-unix.com`:

```
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Subject Key Identifier:
    2F:A7:13:74:83:08:A0:C0:DE:78:EC:F0:1B:1F:E0:16:05:14:63:9A
X509v3 Authority Key Identifier:
    keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
    OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
    DNS:appflow-1.home-unix.com, DNS:appflow-2.home-unix.com
X509v3 Certificate Policies:
    Policy: 2.23.140.1.2.1
    Policy: 1.3.6.1.4.1.44947.1.1.1
      CPS: http://cps.letsencrypt.org
      User Notice:
        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
```
Usage examples:

```sh
# create new cert
ssh node "sudo cert-create.sh appflow-1.home-unix.com"

# verify expiration
ssh node "sudo cert-verify.sh"

# renew all certs which need it
ssh node "sudo cert-renew.sh"

# revoke
certbot-auto revoke --cert-path /etc/letsencrypt/live/appflow-1.home-unix.com-0001/cert.pem
```
For auto-renewal we can schedule a cron job which runs `cert-renew.sh` (locally or remotely via `ssh`). `cert-renew.sh` returns `0` if there aren't updates, `1` if there are. On `1`, then restart HAProxy on all involved webservers.

Works fine, can be closed.
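The two steps the comments above describe, "concatenate certs and store them where HAProxy can source them" and "run `cert-renew.sh` from cron and restart HAProxy only when it returns 1", as an added POSIX shell example. This is not AppFlow's own code: the paths under `LIVE_DIR`/`BUNDLE_DIR`, the `cert-renew.sh` location and the reload command are assumptions you override per node; only the exit-code convention (0 = nothing changed, 1 = renewed) and the `/etc/certs` directory come from the thread.

```shell
#!/bin/sh
# Added example (not from the AppFlow project). Glue between cert-renew.sh and
# HAProxy, following the exit-code convention from the thread: cert-renew.sh
# returns 0 when nothing changed and 1 when at least one cert was renewed.
# Every path and command below is an assumption, overridable via environment.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"               # certbot's live directory
BUNDLE_DIR="${BUNDLE_DIR:-/etc/certs}"                      # directory HAProxy reads crt files from
RENEW_CMD="${RENEW_CMD:-/usr/local/sbin/cert-renew.sh}"     # hypothetical renew script
RELOAD_CMD="${RELOAD_CMD:-systemctl reload haproxy}"        # how HAProxy is reloaded on this node

# bundle_for_haproxy DOMAIN
# HAProxy wants one PEM file: the full chain followed by the private key.
# Build it under umask 077 and move it into place atomically, so HAProxy never
# reads a half-written bundle and the key is never world-readable, not even briefly.
bundle_for_haproxy() {
    domain="$1"
    chain="$LIVE_DIR/$domain/fullchain.pem"
    key="$LIVE_DIR/$domain/privkey.pem"
    out="$BUNDLE_DIR/$domain.pem"

    [ -s "$chain" ] && [ -s "$key" ] || {
        echo "bundle_for_haproxy: missing chain or key for $domain" >&2
        return 2
    }
    # Refuse to publish something that is not a PEM private key (wrong file, truncated copy).
    grep -q 'BEGIN .*PRIVATE KEY' "$key" || {
        echo "bundle_for_haproxy: $key does not look like a private key" >&2
        return 2
    }

    tmp="$out.tmp.$$"
    ( umask 077 && cat "$chain" "$key" > "$tmp" ) || return 3
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# renew_and_reload
# Runs the renew script once. Only when it signals "renewed" (exit 1) are the
# bundles rebuilt and HAProxy reloaded; on exit 0 HAProxy is left untouched.
# Returns 0 for "no change", 1 for "renewed and reloaded", 2 or more on error.
renew_and_reload() {
    if $RENEW_CMD; then rc=0; else rc=$?; fi
    case "$rc" in
        0) return 0 ;;                                     # nothing renewed
        1) ;;                                              # renewed: rebundle + reload
        *) echo "renew failed with exit code $rc" >&2; return 2 ;;
    esac

    for dir in "$LIVE_DIR"/*/; do
        [ -d "$dir" ] || continue                          # no live certs at all
        bundle_for_haproxy "$(basename "$dir")" || return 3
    done
    $RELOAD_CMD || return 4
    return 1
}
```

In the multinode layout from the thread, `BUNDLE_DIR` would point at the GlusterFS path and the reload would be fanned out to every HAProxy node; a reload, rather than a restart, keeps existing connections alive. Before trusting a bundle in production it is also worth checking that `privkey.pem` actually matches `fullchain.pem` (for example by comparing the public keys `openssl x509 -pubkey -noout` and `openssl pkey -pubout` print), which this example deliberately leaves out so it runs without OpenSSL.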
We want to integrate Let’s Encrypt into AppFlow. Facts:

- `/etc/certs` (probably we can specify multiple locations: `crt /foo/ crt /bar/`).

Idea: intercept `/.well-known/acme-challenge` via an HAProxy ACL (`acl letsencrypt_check path_beg /.well-known/acme-challenge`) and always redirect it to `compute-01` on a specific port where `certbot-auto` is running; share certs and requests via GlusterFS in a multinode environment.
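The routing idea above, as an added HAProxy configuration fragment (not AppFlow's own config). The ACL name and path, the `compute-01` host, the `63443` port (`conf_letsencrypt_http_01_port` from the comment) and the `/etc/certs` directory are taken from the thread; the frontend and backend names, the web servers' port 8080 and the HTTPS redirect are assumptions.

```haproxy
# Added example (not from the AppFlow project). Only the ACME challenge path on
# port 80 is handed to the node running certbot-auto; everything else is pushed
# to HTTPS, so the certbot listener is never reachable for arbitrary requests.

frontend http-in
    bind *:80
    # Prefix match on the path, exactly as in the issue description.
    acl letsencrypt_check path_beg /.well-known/acme-challenge
    # http-request rules run before backend selection: non-challenge traffic
    # is redirected and never reaches the letsencrypt backend.
    http-request redirect scheme https code 301 unless letsencrypt_check
    use_backend letsencrypt if letsencrypt_check

frontend https-in
    # HAProxy loads every PEM file in the directory; each file must hold the
    # full chain followed by the private key (fullchain.pem + privkey.pem
    # concatenated), which is what the cron job on the master node produces.
    bind *:443 ssl crt /etc/certs/
    default_backend web

backend letsencrypt
    # certbot-auto in standalone mode listens on this port only while a
    # challenge is in flight (conf_letsencrypt_http_01_port: 63443), so no
    # health check: the server would be marked down between renewals.
    server certbot compute-01:63443

backend web
    # Assumed application port; the hostnames are the SANs from the thread.
    server appflow-1 appflow-1.home-unix.com:8080 check
    server appflow-2 appflow-2.home-unix.com:8080 check
```

Because every HAProxy node forwards the challenge to the single `compute-01` listener, Let's Encrypt's validation request succeeds whichever node the DNS name resolves to, and the resulting certificate only has to be written once to the shared GlusterFS path before the nodes reload.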