onDevio / docker-drcon

Service discovery using Docker, Registrator, Consul and Nginx
MIT License

Let's Encrypt certificate for *.ondevio.com #3

Open mefernandez opened 6 years ago

mefernandez commented 6 years ago

Obtain the *.ondevio.com certificate via DNS challenge

Install Certbot

sudo yum install epel-release
sudo yum install certbot-nginx

Use Certbot

NOTE: Halfway through this command you have to insert a DNS TXT record in GoDaddy, as shown in the image that follows this console block.

[centos@ip-172-31-40-162 docker-drcon]$ sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --authenticator manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): *.ondevio.com
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ondevio.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ondevio.com with the following value:

3NDYG_yfa9BcRsfjjdLjYQS6nQom9oT4pUBeq3tLIvI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ondevio.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ondevio.com/privkey.pem
   Your cert will expire on 2018-10-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


mefernandez commented 6 years ago

Old GoDaddy certificate

mefernandez commented 6 years ago

New Let's Encrypt certificate

mefernandez commented 5 years ago

Pending: automatic renewal

To obtain a *.ondevio.com certificate you have to put a TXT record in the DNS. That step is considered "manual", which is why automatic renewal does not work.

But it can be done with a script that performs that manual step, passed to certbot with the --manual-auth-hook argument.

https://certbot.eff.org/docs/using.html#hooks

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --authenticator manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): *.ondevio.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for ondevio.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ondevio.com with the following value:

RKzsCe_T-WAXn9diHLl151kPb0Ih_Yrve5kBc7Mab7g

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ondevio.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ondevio.com/privkey.pem
   Your cert will expire on 2019-01-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The script should call the GoDaddy API to insert that TXT record. https://developer.godaddy.com/doc/endpoint/domains

Manually: [image]

mefernandez commented 5 years ago

Manual renewal, valid until 16 January 2019

After running certbot manually, it was necessary to restart nginx.

docker restart dockerdrcon_nginx_1

There was no problem with the nginx restart.

mefernandez commented 5 years ago

Manual renewal of the *.ondevio.com certificate, valid until Tuesday, 16 April 2019, 8:05:26

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --authenticator manual

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): *.ondevio.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for ondevio.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ondevio.com with the following value:

mXS1cF3pTwmg0mqxvBcyr2tqljjlUbqoZLmuY79ntDY

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ondevio.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ondevio.com/privkey.pem
   Your cert will expire on 2019-04-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
docker restart dockerdrcon_nginx_1

GoDaddy

NOTE: Set a TTL of 600 seconds so that the TXT record value takes effect quickly.

How to check whether the TXT record will be found by Let's Encrypt.

dig -t txt _acme-challenge.ondevio.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t txt _acme-challenge.ondevio.com @ns06.domaincontrol.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22005
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.ondevio.com.   IN  TXT

;; ANSWER SECTION:
_acme-challenge.ondevio.com. 600 IN TXT "mXS1cF3pTwmg0mqxvBcyr2tqljjlUbqoZLmuY79ntDY"

;; Query time: 19 msec
;; SERVER: 173.201.70.3#53(173.201.70.3)
;; WHEN: mié ene 16 08:05:18 CET 2019
;; MSG SIZE  rcvd: 164
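
An added example, not code from docker-drcon, of the --manual-auth-hook script suggested above: it creates the TXT record through the GoDaddy API (the PUT records endpoint from the linked documentation) and then polls GoDaddy's nameserver with dig, as in the check just shown, before returning control to certbot. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot exports to the hook; GODADDY_KEY, GODADDY_SECRET and ZONE are assumed environment variables.

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for GoDaddy DNS (added example, not part
# of docker-drcon). certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the
# hook; GODADDY_KEY, GODADDY_SECRET and ZONE are assumed environment variables.
set -eu

GODADDY_API="${GODADDY_API:-https://api.godaddy.com}"
TTL=600   # short TTL, as the thread recommends, so the new value is served quickly

# Record name relative to the zone. For "*.ondevio.com" certbot passes
# CERTBOT_DOMAIN=ondevio.com, so the record is plain _acme-challenge;
# app.ondevio.com would give _acme-challenge.app.
acme_record_name() {
    zone="$1"; domain="$2"
    sub="${domain%"$zone"}"   # strip the zone suffix ...
    sub="${sub%.}"            # ... and the dot that precedes it
    if [ -z "$sub" ]; then echo "_acme-challenge"; else echo "_acme-challenge.$sub"; fi
}

# Body for PUT /v1/domains/{zone}/records/TXT/{name}. PUT replaces the whole
# TXT record set for that name, which is fine here: the certificate has one
# name, so only one validation value is ever in flight.
record_body() {
    printf '[{"data":"%s","ttl":%d}]' "$1" "$TTL"
}

# Ask GoDaddy's authoritative server directly (as the dig check above does)
# until the value is visible, so certbot does not trigger validation before
# the record exists. Returns 1 after "tries" attempts.
wait_for_txt() {
    fqdn="$1"; value="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short -t txt "$fqdn" @ns06.domaincontrol.com | grep -qF "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

main() {
    name=$(acme_record_name "$ZONE" "$CERTBOT_DOMAIN")
    curl -fsS -X PUT "$GODADDY_API/v1/domains/$ZONE/records/TXT/$name" \
        -H "Authorization: sso-key $GODADDY_KEY:$GODADDY_SECRET" \
        -H "Content-Type: application/json" \
        --data "$(record_body "$CERTBOT_VALIDATION")"
    wait_for_txt "$name.$ZONE" "$CERTBOT_VALIDATION"
}
# Only act when certbot invokes the script as a hook.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then main; fi
```

Invoke it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/godaddy-auth.sh -d '*.ondevio.com'`; a matching --manual-cleanup-hook that deletes the record afterwards is left out here.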

mefernandez commented 5 years ago

Automatic renewal test

The last certificate installed expires on Tuesday 16 April. When the renewal notice arrives (20 days before), we need to test whether the new certs renewal service I put in docker-compose.yml works.

It will be enough to run docker-compose run certs. Everything is already configured. If anything happens to the certificates, there is a copy in ~./ondevio.com.

If it works, then set up a crontab to run it automatically every 3 months.

mefernandez commented 5 years ago

Renewed by running docker-compose run --rm certs: [image]

mefernandez commented 5 years ago

Crontab and Slack

I set up a crontab with an error notification to Slack if the renewal fails. crontab -e

# Automatic certificate renewal with a notification on failure
0 20 10 * * cd /home/centos/git/docker-drcon && /usr/local/bin/docker-compose run --rm certs || /usr/bin/curl -X POST --data-urlencode "payload={\"channel\": \"#errores-pro\", \"username\": \"webhookbot\", \"text\": \"Ha fallado la renovación del certificado para \*.ondevio.com\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/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