💾 Archived View for ibert.tech › articles › get-wildcard-certificates-on-a-server.gmi captured on 2023-06-14 at 13:43:13. Gemini links have been rewritten to link to archived content


Get wildcard certificates on a server

After automating your Let's Encrypt wildcard generation (as described in Automate the verification of Let's Encrypt wildcard certificates[1]), you are left with the problem of getting the certificates to the servers that are going to use them.

My set-up has a script running after the update that packs up the generated keys. In addition to copying some files, it also packs the certificates into bundles, using a GNU Make makefile that looks essentially like this:

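all: emeademo.eu.bundle.pfx

# Build <domain>.bundle.pfx from that domain's Let's Encrypt files.
# The recipe line must start with a tab character.
# pass:${password} puts the export password on the openssl command line,
# where it is visible in the process list while the command runs.
%.bundle.pfx: live/%/cert.pem live/%/fullchain.pem live/%/privkey.pem
	openssl pkcs12 -export -out $@ -inkey live/$*/privkey.pem -in live/$*/cert.pem -certfile live/$*/fullchain.pem -password pass:${password}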

The directory this runs in has a copy of the live section of /etc/letsencrypt in it. The list of bundles to generate is in reality longer than just one.

The content of the directory is then picked up by a periodic script (left as an exercise to the reader) that copies the *.pem and *.pfx files into some directories on a local server that is accessible to a technical user.

When I set up a new VM (such as described in Build a non-production Ubuntu server VM[2]) that needs wildcard certificates, the following steps are necessary.

On the new server, as the standard user, generate a new SSH key with no password:

$ ssh-keygen -t ed25519 -N ""

Then add the public key to the authorized_keys file for the technical user on the server where the certificates reside.

Create a script bin/update-certs.sh on the new server and make it executable. This is an example for NGINX; copy to other places and restart other services as necessary.

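#! /bin/sh
# Replace the ${...} placeholders with the technical user, the host that
# holds the certificates, and the folder on that host.

# Fetch the certificates, install them for NGINX, then restart it;
# each step runs only if the previous one succeeded.
mkdir -p ~/certs
scp ${technical_user}@${system_with_the_certs}:${folder_with_the_rights_certs}/* ~/certs/ && \
        sudo cp ~/certs/* /etc/nginx/certs/ && \
        sudo chown -R root:www-data /etc/nginx/certs/* && \
        sudo systemctl restart nginx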

So far I haven't found it necessary to automate this further. Maybe one day …
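
A variant of bin/update-certs.sh that checks the fetched files before installing them, as an added example that is not part of the original article. It assumes the fetched folder contains fullchain.pem and privkey.pem (the Let's Encrypt names from the makefile); SRC, STAGE, DEST, the 0640 mode and the function names are assumptions.

```sh
#!/bin/sh
# Added example: validate fetched certificate files before installing them.
# SRC, STAGE and DEST are assumed names; SRC has the form user@host:/path.

STAGE="${STAGE:-$HOME/certs.new}"
DEST="${DEST:-/etc/nginx/certs}"

# Succeeds only if the certificate's public key equals the private key's.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Check one fetched set: fullchain.pem and privkey.pem in directory $1.
# openssl x509 reads the first certificate in fullchain.pem, the leaf.
check_set() {
    cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "certificate and private key do not match" >&2; return 1; }
    cert_valid_for "$1/fullchain.pem" 86400 ||
        { echo "certificate expires within a day" >&2; return 1; }
}

update_certs() {
    umask 077                       # staged private key readable by owner only
    rm -rf "$STAGE"
    mkdir -p "$STAGE" || return 1
    scp -q "$SRC/*.pem" "$STAGE/" || return 1
    check_set "$STAGE" || return 1  # a bad fetch never reaches NGINX
    sudo install -o root -g www-data -m 0640 "$STAGE"/*.pem "$DEST/" || return 1
    sudo nginx -t && sudo systemctl restart nginx
}

# Only act when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    : "${SRC:?set SRC to technical_user@host:/path}"
    update_certs
fi
```

Run it as `SRC=user@host:/path bin/update-certs.sh --run`; a mismatched or nearly expired certificate stops the script before anything under /etc/nginx/certs is replaced.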

1: automate-the-verification-of-lets-encrypt-wildcard-certificates.gmi

2: build-a-non-production-ubuntu-server-vm.gmi
