FreeBSD and SSL

I have used certbot for many years and have never found a good configuration that I like that does auto updates. I am using wildcard domains with the command certbot certonly --manual -d domain.com -d '*.domain.com', so the normal automatic update cannot be used unless you use an additional script for doing the security checks on the command line. What is your preferred method for auto update? Or do you use something other than certbot? I would like to hear all comments please.

Adding this question. Does anyone have a sh script that checks SSL dates for expiring soon and then emails me?
 
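An added example for the second question (not a script from this thread): a POSIX sh check that walks a directory of PEM files, reports every certificate that expires within a configurable number of days, and mails the list. It relies on openssl(1) and mail(1) only; the directory, threshold and recipient are placeholders passed in from the command line or environment.

```shell
#!/bin/sh
# Added example (not from this thread): warn by e-mail about PEM
# certificates that expire soon. Assumes openssl(1) and mail(1) are
# installed; directory, threshold and recipient are placeholders.

WARN_DAYS="${WARN_DAYS:-30}"   # warn when fewer than this many days remain
MAILTO="${MAILTO:-root}"       # where the warning goes

# cert_expires_within FILE DAYS: succeed (exit 0) if the first certificate
# in FILE expires within DAYS days. "openssl x509 -checkend N" exits 0 only
# when the certificate is still valid N seconds from now, so the result is
# inverted here. An unreadable or malformed file also counts as "expiring",
# which is the safe failure mode for a monitoring check.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_enddate FILE: print the notAfter date of the first certificate in FILE.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# list_expiring DIR DAYS: one "path<TAB>notAfter" line per expiring *.pem in DIR.
# Works on HAProxy-style files too, since the certificate precedes the key.
list_expiring() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$2"; then
            printf '%s\t%s\n' "$f" "$(cert_enddate "$f")"
        fi
    done
}

# mail_report DIR DAYS: send the list to $MAILTO, but only if it is not empty.
mail_report() {
    report=$(list_expiring "$1" "$2")
    [ -n "$report" ] || return 0
    printf 'Certificates in %s expiring within %s days:\n\n%s\n' "$1" "$2" "$report" \
        | mail -s "TLS certificate expiry warning on $(hostname)" "$MAILTO"
}

# Usage (from cron or periodic):  sh check-certs.sh /usr/local/etc/haproxy/ssl
if [ $# -gt 0 ]; then
    mail_report "$1" "$WARN_DAYS"
fi
```

Because the check uses -checkend rather than parsing the notAfter date, it behaves the same under BSD and GNU date(1), and a file openssl cannot read is reported rather than silently skipped.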
This would a) better fit in "web/network services" and b) isn't actually about SSL (TLS) but about ACME (possibly letsencrypt).

Unfortunately, I can't help with certbot, never used it. I use the pretty minimal security/uacme for that purpose and added a lot of custom shell script to fully automate my certificate renewal and deployment needs ....
 
Yes, I agree this belongs in web/network services.

The problem here is that for wildcard domains one has to use a DNS challenge. And that in turn means that one has to control the DNS server for the domain, which is harder than controlling a web server. How to control the DNS server depends on who is providing the DNS for your domain. If you look at "man certbot", it has plugins for a wide variety of DNS servers that can be used for automation.

So I see two alternatives for you: (a) Find a certbot configuration that can handle your DNS server; look at man certbot, then at all the --dns-... switches. (b) Give up on using a wildcard domain certificate. Instead enumerate all the servers that are going to use that wildcard manually, and make sure their web servers are all accessible to certbot (meaning on the public internet), and use the more common web server challenge method.

Unfortunately, the DNS for my domain comes from my ISP, which is a small company (Sonic.net). And while they allow me to control the DNS for my domain, both via web site and via an API, there is no pre-built certbot plugin for that API, so I have to do the renewal manually, every 3 months.
 
What is your preferred method for auto update?
I have a HAProxy as frontend. It terminates the SSL/TLS connections to my websites. Certbot is configured to auto-update using a directory (--webroot) set to /usr/local/www/acme. There's a local www/nginx running:
Code:
    server {
        listen       [::1]:80 default_server;
        listen       127.0.0.1:80 default_server;

        server_name  localhost *.example.com "";

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        location /.well-known/acme-challenge {
                alias /usr/local/www/acme/.well-known/acme-challenge;
                autoindex off;
        }

        location /up.txt {
                return 200 "UP!";
                access_log off;
        }

        location /basic_status {
          stub_status;
          allow 127.0.0.1;
          allow ::1;
          deny all;
          access_log off;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }
    }
This local nginx is meant to capture everything that's NOT specifically proxied to other hosts/websites. HAProxy also sends any request containing the .well-known/acme-challenge path to the local nginx (where certbot writes the challenge).

Relevant haproxy.conf bits:
Code:
frontend http-in
  bind x.x.x.x:80
  
  default_backend local

  # Letsencrypt
  acl is_letsencrypt path_beg /.well-known/acme-challenge/

{...}
  use_backend local if is_letsencrypt


frontend https-in
  bind x.x.x.x:443 ssl crt /usr/local/etc/haproxy/ssl/

  { bunch of other SSL/TLS specific settings }
  { same acl is_letsencrypt and backend as for http }

backend local
  option httpchk GET /up.txt
  server localhost 127.0.0.1:80 check


A /usr/local/etc/letsencrypt/renewal-hooks/deploy/haproxy.sh script takes care of copying the right things for HAProxy.

Code:
#!/bin/sh -e

# $RENEWED_LINEAGE will point to the config live subdirectory
# $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains

# The combined PEM contains the private key, so create it mode 0600 and
# replace the old file atomically instead of truncating it in place.
umask 077

TARGETDIR="/usr/local/etc/haproxy/ssl"
TARGET="${TARGETDIR}/${RENEWED_DOMAINS%% *}.pem"
TMP="${TARGET}.tmp.$$"

cat "${RENEWED_LINEAGE}/fullchain.pem" > "${TMP}"
cat "${RENEWED_LINEAGE}/privkey.pem" >> "${TMP}"
mv "${TMP}" "${TARGET}"

And a /usr/local/etc/letsencrypt/renewal-hooks/post/haproxy.sh will kick HAProxy if needed.

Code:
#!/bin/sh

# Lets check the validity of the config first
echo -n "Checking haproxy config: "
/usr/sbin/service haproxy configtest > /dev/null 2>&1
if [ $? != 0 ]; then
  echo "There is an error in haproxy.conf. Not reloading!"
  exit 1
else
  echo "All good. Reloading."
  /usr/sbin/service haproxy reload
fi
 
I am using certbot with auto-update for a wildcard domain. I am running DNS myself.
I have a vault that does DNSSEC signing (continuous rollover mode), then the signed zonefile is sent by e-mail to the hidden primary, and from there onwards by XFR.

Certbot needs a manual-auth-hook (and manual-cleanup-hook) to create a snippet as @include to the zonefile. That snippet goes into the vault (depending on how much security we like to entertain), then the DNSSEC signer detects the change and pushes the freshly signed zonefile out with a new serial.
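An added example of the hook pair described here (not the poster's scripts, and also the shape of hook that covers the "no certbot plugin for my DNS provider" case earlier in the thread): one sh script that certbot calls as manual-auth-hook and manual-cleanup-hook, maintaining a zone-file snippet of _acme-challenge TXT records. It assumes certbot exports CERTBOT_DOMAIN (with the "*." prefix already stripped for wildcard names) and CERTBOT_VALIDATION to the hook, that the snippet path is a placeholder for wherever your zone @includes it, and that something else, as in this poster's setup the signer, bumps the serial and publishes the zone after the snippet changes.

```shell
#!/bin/sh
# Added example (not the poster's scripts): certbot manual auth/cleanup hook
# that maintains a zone-file snippet of _acme-challenge TXT records.
# Assumptions: SNIPPET is a placeholder path; certbot exports CERTBOT_DOMAIN
# ("*." already stripped) and CERTBOT_VALIDATION; serial bump and zone
# publication are handled elsewhere (here, by the DNSSEC signer).

SNIPPET="${ACME_SNIPPET:-/var/named/etc/namedb/primary/acme-challenge.inc}"
TTL=60

# Accept only the character sets these values can legitimately contain, so a
# bad value can never break the zone file or smuggle in extra records.
is_valid_domain() {
    case "$1" in ""|*[!A-Za-z0-9.-]*) return 1 ;; *) return 0 ;; esac
}
is_valid_token() {   # base64url, as ACME key authorisations are
    case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# acme_record DOMAIN TOKEN: the one zone-file line for this challenge.
acme_record() {
    printf '_acme-challenge.%s. %s IN TXT "%s"' "$1" "$TTL" "$2"
}

# acme_snippet_add SNIPPET DOMAIN TOKEN: append one record. Appending, not
# overwriting, matters for wildcards: domain.com and *.domain.com are
# validated with two different tokens at the SAME name, and both records
# must be present at once.
acme_snippet_add() {
    is_valid_domain "$2" && is_valid_token "$3" || return 1
    printf '%s\n' "$(acme_record "$2" "$3")" >> "$1"
}

# acme_snippet_remove SNIPPET DOMAIN TOKEN: drop exactly that record,
# leaving any other still-pending challenge for the same name in place.
acme_snippet_remove() {
    is_valid_domain "$2" && is_valid_token "$3" || return 1
    [ -f "$1" ] || return 0
    _new="$1.tmp.$$"
    grep -v -F -x -- "$(acme_record "$2" "$3")" "$1" > "$_new" || :
    mv "$_new" "$1"
}

# acme_snippet_count SNIPPET DOMAIN: number of challenge records for a name.
acme_snippet_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F -- "_acme-challenge.$2. " "$1" || :
}

# certbot invokes this script as:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/etc/acme-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/etc/acme-hook.sh cleanup" \
#     -d domain.com -d '*.domain.com'
case "${1:-}" in
    auth)    acme_snippet_add    "$SNIPPET" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    cleanup) acme_snippet_remove "$SNIPPET" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
esac
```

Certbot does not wait for propagation after a manual auth hook returns, so in a real deployment the auth branch should also poll the public authoritative servers (drill(1) or host(1) querying TXT _acme-challenge.DOMAIN) until the new record is visible before exiting; that wait is left out here because it cannot run offline.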
 
This would a) better fit in "web/network services" and b) isn't actually about SSL (TLS) but about ACME (possibly letsencrypt).

Unfortunately, I can't help with certbot, never used it. I use the pretty minimal security/uacme for that purpose and added a lot of custom shell script to fully automate my certificate renewal and deployment needs ....
Hi, your reply is very vague. Is the work you do visible to the public? Because it sounds like it's probably not, and that is why you use uacme. There is not much info about uacme on the internet. Do you have a link with more info?
 
Hi, your reply is very vague. Is the work you do visible to the public? Because it sounds like it's probably not, and that is why you use uacme.
I use it because it is simple and minimal. I don't think my custom scripts would ever help anyone, one is the "cron script" calling uacme to renew certificates and deploying the resulting files to where they're needed (completely custom), the other one is the callback script for the challenge, for which I used one of the example scripts from upstream's github (answering DNS challenges) and modified it to my needs.
 
I just use certbot and the certbot apache plugin, both installed from packages. No need for dns checks, certbot can use your web server (apache) instead. Of course, that requires you to run a web server on the host.
The configuration in /etc/periodic.conf isn't complicated.
Code:
weekly_certbot_enable="YES"
weekly_certbot_post_hook="service apache24 onereload"
 