💾 Archived View for ibert.tech › articles › get-wildcard-certificates-on-a-server.gmi captured on 2024-06-16 at 12:01:42. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
After automating your Let's Encrypt wildcard generation (as described in Automate the verification of Let's Encrypt wildcard certificates[1]), you are left with the problem of getting the certificates to the servers that are going to use them.
My set-up has a script running after the update that packs up the generated keys. In addition to some copying of files, it also packs the certificates to bundles, using a GNU Make makefile that looks essentially like this:
all: emeademo.eu.bundle.pfx
%.bundle.pfx: live/%/cert.pem live/%/fullchain.pem live/%/privkey.pem
openssl pkcs12 -export -out $@ -inkey live/$*/privkey.pem -in live/$*/cert.pem -certfile live/$*/fullchain.pem -password pass:${password}
The directory this runs in has a copy of the live section of /etc/letsencrypt in it. The list of bundles to generate is in reality longer than just one.
The content of the directory is then picked up by a periodic script (left as an exercise to the reader) that copies the *.pem and *.pfx files into some directories on a local server that is accessible to a technical user.
When I set up a new VM (such as described in Build a non-production Ubuntu server VM[2]) that needs wildcard certificates, the following steps are necessary.
On the new server, as the standard user, generate a new SSH key with no password:
$ ssh-keygen -t ed25519 -N ""
Then add the public key to the authorized_keys file for the technical user on the server where the certificates reside.
Create a script bin/update-certs.sh on the new server and make it executable. This is an example for NGINX; copy to other places and restart other services as necessary.
#! /bin/sh
mkdir -p ~/certs
scp ${technical_user}@${system_with_the_certs}:${folder_with_the_rights_certs}/* ~/certs/ && \
sudo cp ~/certs/* /etc/nginx/certs/ && \
sudo chown -R root:www-data /etc/nginx/certs/* && \
sudo systemctl restart nginx
So far I haven't found it necessary to automate this further. Maybe one day …
1: automate-the-verification-of-lets-encrypt-wildcard-certificates.gmi
2: build-a-non-production-ubuntu-server-vm.gmi