Line 296: |
Line 296: |
| | | |
| https://letsencrypt.org/docs/rate-limits/ | | https://letsencrypt.org/docs/rate-limits/ |
| + | |
| + | ==Advanced Topics== |
| + | ===Obtaining certificates for other servers=== |
| + | The dehydrated client can be used to obtain certificates for other servers on your network, if the hostnames resolve (from outside your network) to your SME Server. Here's how to do this using John Crisp's contrib. |
| + | |
| + | You'll need to create two template fragments: one to add your hostname to /etc/dehydrated/domains.txt, and the second to handle the certificate once it's generated. To create the first, do |
| + | |
| + | mkdir -p /etc/e-smith/templates-custom/etc/dehydrated/domains.txt |
| + | nano -w /etc/e-smith/templates-custom/etc/dehydrated/domains.txt/15Hostname |
| + | |
| + | You can replace "Hostname" in "15Hostname" with something that's descriptive of the host you're obtaining a certificate for. If you want more than one additional certificate, create separate fragments for each one. In the file, just enter the fully-qualified domain name of the system: |
| + | |
| + | hostname.domain.tld |
| + | |
| + | Then Ctrl-X to exit, Y to save. |
| + | |
| + | The second template fragment will be a portion of the hook script, so the dehydrated client knows what to do with this certificate. This must be present, otherwise dehydrated will configure your SME server to use this certificate rather than the certificate for the SME Server. |
| + | |
| + | mkdir -p /etc/e-smith/templates-custom/usr/local/bin/hook-script.sh/ |
| + | nano -w 05deploy_cert_hostname |
| + | |
| + | As above, replace "hostname" with something that describes the host that this script will apply to. The numeric portion can be changed, but MUST be less than 10. |
| + | |
| + | At a minimum, this fragment will need to recognize that it's being called for a certificate other than the main server certificate, and exit in order to prevent later portions of the script from installing that certificate as the main server certificate. The minimal form of this fragment would be: |
| + | |
| + | { |
| + | use strict; |
| + | use warnings; |
| + | use esmith::ConfigDB; |
| + | |
| + | my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); |
| + | |
| + | my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled'; |
| + | |
| + | if ( $letsencryptStatus ne 'disabled' ) { |
| + | |
| + | $OUT .=<<'_EOF'; |
| + | if [ $1 = "deploy_cert" ] && [ $2 = "hostname.domain.tld" ]; then |
| + | echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@yourdomain.com |
| + | exit 0 |
| + | fi |
| + | _EOF |
| + | |
| + | } |
| + | } |
| + | |
| + | Depending on the characteristics of the other system, though, this script may be able to install the certificate on that system. The following fragment would copy the certificate files to a remote Linux system running Apache for the web server, and reload Apache to get it to begin using the new certificate: |
| + | |
| + | { |
| + | use strict; |
| + | use warnings; |
| + | use esmith::ConfigDB; |
| + | |
| + | my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); |
| + | |
| + | my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled'; |
| + | |
| + | if ( $letsencryptStatus ne 'disabled' ) { |
| + | |
| + | $OUT .=<<'_EOF'; |
| + | if [ $1 = "deploy_cert" ] && [ $2 = "hostname.domain.tld" ]; then |
| + | KEY=$3 |
| + | CERT=$4 |
| + | CHAIN=$6 |
| + | scp $CERT root@hostname:/etc/pki/tls/certs/pbx.familybrown.org.crt |
| + | scp $KEY root@hostname:/etc/pki/tls/private/pbx.familybrown.org.key |
| + | scp $CHAIN root@hostname:/etc/pki/tls/certs/server-chain.crt |
| + | ssh root@pbx "/sbin/service httpd reload" |
| + | echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.tld |
| + | exit 0 |
| + | fi |
| + | _EOF |
| + | |
| + | } |
| + | } |
| + | |
| + | The following fragment would install the new certificate on a Proxmox VE host: |
| + | |
| + | { |
| + | use strict; |
| + | use warnings; |
| + | use esmith::ConfigDB; |
| + | |
| + | my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); |
| + | |
| + | my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled'; |
| + | |
| + | if ( $letsencryptStatus ne 'disabled' ) { |
| + | |
| + | $OUT .=<<'_EOF'; |
| + | if [ $1 = "deploy_cert" ] && [ $2 = "pve.domain.tld" ]; then |
| + | KEY=$3 |
| + | CHAIN=$5 |
| + | scp $KEY root@pve:/etc/pve/nodes/pve/pveproxy-ssl.key |
| + | scp $CHAIN root@pve:/etc/pve/nodes/pve/pveproxy-ssl.pem |
| + | ssh root@pve "systemctl restart pveproxy" |
| + | echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.tld |
| + | exit 0 |
| + | fi |
| + | _EOF |
| + | |
| + | } |
| + | } |
| + | |
| + | |
| | | |
| [[Category:Howto]] [[Category:Security]] [[Category:Howto]] | | [[Category:Howto]] [[Category:Security]] [[Category:Howto]] |
| [[Category: Administration:Certificates]] | | [[Category: Administration:Certificates]] |