Let's Encrypt is the de facto standard HTTPS certificate authority. However, a number of Dynamic DNS providers do not support the automated DNS updates that the Let's Encrypt wildcard renewal (DNS-01 challenge) requires. In that case the following procedure may help to renew the wildcard certificate manually and to distribute it to a number of production servers.
1. Go to "Kassel" on Aragon (via OpenVPN etc.).
/etc/letsencrypt contains the following files:
- certbot-renew.bash:
  Requests a certificate renewal and guides you through the process.
- certbot-deploy.bash:
  Creates a combined PEM file for Pound and copies the file to the connected computers.
certbot-renew.bash:
#!/usr/bin/bash
# -------------------------------------------
# /etc/letsencrypt/certbot-renew.bash
# -------------------------------------------
# Interactive wildcard renewal via the DNS-01 challenge: certbot prints the
# TXT record to create, waits for confirmation, then validates and issues.
/usr/bin/certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --email first.last@domain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    -d '*.domain.net'
certbot-deploy.bash:
#!/usr/bin/bash
# -------------------------------------------
# /etc/letsencrypt/certbot-deploy.bash
# -------------------------------------------
# Build a combined PEM (private key + full chain) for Pound, named with
# today's date so that earlier versions are never overwritten, and copy it
# to the Pound server.
set -e
umask 077   # the combined file contains the private key: owner-only access
PEM=/etc/letsencrypt/pound-combined.$(/bin/date +%Y-%m-%d).pem
cat /etc/letsencrypt/live/domain.net/privkey.pem \
    /etc/letsencrypt/live/domain.net/fullchain.pem > "$PEM"
echo ""
echo "PEM written to $PEM"
echo ""
echo "Copying PEM to root@server.domain.net:/usr/local/pound/conf/certificates/letsencrypt/"
echo ""
scp "$PEM" root@server.domain.net:/usr/local/pound/conf/certificates/letsencrypt/
echo ""
echo "Written"
echo ""
2. Run the renewal script:
cd /etc/letsencrypt
bash certbot-renew.bash
certbot will then ask you to create a DNS TXT record at your DNS provider:
Please deploy a DNS TXT record under the name
_acme-challenge.domain.net with the following value:
XXX-XXX-XXX-XXX
3. Then deploy the renewed certificate:
bash certbot-deploy.bash
The script announces that it builds the combined files from the folder /etc/letsencrypt/live/<domain> and copies
pound-combined.YYYY-MM-DD.pem and
nginx-combined.YYYY-MM-DD
to several production servers.
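The combined file that the deploy script writes carries the private key next to the certificate chain, so before it is copied to production it is worth checking that it holds exactly one key, that it is readable by its owner only, and how long the leaf certificate is still valid. The following is an added example, not part of the page's scripts, using only the Python standard library: cert_not_after() reads the validity field straight from the DER structure of a certificate (this walk works on real certificates), and build_sample() constructs an unsigned, structurally minimal stand-in certificate and a dummy key so the check can run offline. On a real server you would point check_combined_pem() at the pound-combined.YYYY-MM-DD.pem file instead.

```python
"""Pre-deployment check for a combined PEM (private key + certificate chain).
Added example, standard library only; not part of the page's scripts.  The
certificate from build_sample() is a constructed, unsigned stand-in."""
import base64, os, re, stat, tempfile
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                         # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def asn1_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> UTC datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                          # RFC 5280: UTCTime years 00-49 mean 20xx, 50-99 mean 19xx
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_not_after(der_bytes):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (works on real certs)."""
    _, cert, _ = der_tlv(der_bytes)          # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_tlv(tbs)               # optional [0] EXPLICIT version
    if tag != 0xA0:
        pos = 0                              # no version field: serialNumber comes first
    for _ in range(3):                       # skip serialNumber, signature, issuer
        _, _, pos = der_tlv(tbs, pos)
    _, validity, _ = der_tlv(tbs, pos)       # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = der_tlv(validity)            # skip notBefore
    tag, value, _ = der_tlv(validity, pos)
    return asn1_time(tag, value)

def check_combined_pem(path, now=None, min_days=14):
    """Findings for one combined PEM; 'ok' is False if deployment would fail or expose the key."""
    now = now or datetime.now(timezone.utc)
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} lets group/other read the private key")
    with open(path) as f:
        blocks = pem_blocks(f.read())
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    days_left = None
    if certs:                                # fullchain.pem lists the leaf certificate first
        days_left = (cert_not_after(certs[0][1]) - now).days
        if days_left < min_days:
            problems.append(f"leaf certificate expires in {days_left} days")
    else:
        problems.append("no certificate block found")
    return {"ok": not problems, "keys": len(keys), "certs": len(certs),
            "days_left": days_left, "problems": problems}

def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample(path, not_after="260401000000Z", mode=0o600):
    """Write a constructed combined PEM: dummy key bytes + an unsigned certificate shell."""
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA OID
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))   # issuer, subject, spki
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    with open(path, "w") as f:
        for label, body in (("PRIVATE KEY", b"constructed, not a real key"), ("CERTIFICATE", cert)):
            f.write(f"-----BEGIN {label}-----\n{base64.encodebytes(body).decode()}-----END {label}-----\n")
    os.chmod(path, mode)

def demo(not_after="260401000000Z", mode=0o600):
    """Build a sample in a temp dir and check it against a fixed reference date, 2026-01-01."""
    path = os.path.join(tempfile.mkdtemp(), "pound-combined.2026-01-01.pem")
    build_sample(path, not_after, mode)
    return check_combined_pem(path, now=datetime(2026, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(demo())                            # ok, 90 days left
    print(demo(mode=0o644))                  # not ok: key readable by group/other
```

The mode check is the one that matters most for the deploy script above: the combined file is written with the shell's default umask unless the script sets one, so a key that certbot kept at 0600 under live/ can end up group- or world-readable in the copy. The expiry threshold (min_days) is a reasonable place to hook a cron job that reminds you to run the manual renewal before Let's Encrypt's 90-day lifetime runs out.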
For security reasons, the new certificate files carry a YYYY-MM-DD timestamp in their names, so that earlier versions are not overwritten. Now you need to go to all production servers and in the respective path: