Difference between revisions of "Generate Let's Encrypts certs for IPBrick"

From wiki.IPBRICK.COM
(Created page with "To generate a certificate you must do the following: 1 Install certbot-auto (eg. on /home1/_locals/operator) wget https://dl.eff.org/certbot-auto chmod a+x certbot-au...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
To generate a certificate you must do the following:
 
To generate a certificate you must do the following:
  
1 Install certbot-auto (eg. on /home1/_locals/operator)
+
1 Install certbot-auto v0.31.0 (ONLY THIS VERSION IS SUPPORTED IN IPBRICK OS)
    wget https://dl.eff.org/certbot-auto
+
  mkdir /home1/_letsencrypt
    chmod a+x certbot-auto
+
  cd /home1/_letsencrypt
 +
  wget https://ipbcloud.ipbrick.com/index.php/s/SxHtunjaWXEfOBf/download -O certbot-auto
 +
  chmod a+x certbot-auto
  
 
     More info on https://certbot.eff.org/#debianwheezy-other
 
     More info on https://certbot.eff.org/#debianwheezy-other
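Review bot: the pinned certbot-auto is now fetched from an ipbcloud.ipbrick.com share and made executable straight away with no integrity check; since the page insists on exactly v0.31.0, publish a sha256sum for that binary and add a verification step between the `wget ... -O certbot-auto` and the `chmod a+x certbot-auto`. It would also help to state why only v0.31.0 is supported, because a pinned certbot-auto will not pick up later fixes.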
Line 44: Line 46:
 
5 Generate the certs with the command:
 
5 Generate the certs with the command:
 
         /etc/init.d/apache2 stop
 
         /etc/init.d/apache2 stop
         /home1/_locals/operator/certbot-auto certonly --standalone -d ucoip.domain.com -d webrtcproxy.domain.com -d .....
+
         /home1/_locals/operator/certbot-auto certonly --standalone --no-self-upgrade -d ucoip.domain.com -d webrtcproxy.domain.com -d .....
 
         /etc/init.d/apache2 start
 
         /etc/init.d/apache2 start
 
         The cert will be created on folder: /etc/letsencrypt/live
 
         The cert will be created on folder: /etc/letsencrypt/live
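Review bot: the new certonly line still runs `/home1/_locals/operator/certbot-auto certonly --standalone --no-self-upgrade ...`, but the revised step 1 installs the binary under /home1/_letsencrypt, so one of the two paths needs to change for the command to match the install location. Since `--standalone` requires apache2 to be stopped for the whole run, the text should also mention that the site is unavailable during issuance.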
Line 53: Line 55:
 
     echo "***********" $(date +"%m-%d-%Y - %H:%M") >> /var/log/le-renew.log
 
     echo "***********" $(date +"%m-%d-%Y - %H:%M") >> /var/log/le-renew.log
 
     /etc/init.d/apache2 stop >> /var/log/le-renew.log
 
     /etc/init.d/apache2 stop >> /var/log/le-renew.log
     /home1/_locals/operator/certbot-auto renew >> /var/log/le-renew.log
+
     /home1/_locals/operator/certbot-auto --no-self-upgrade renew >> /var/log/le-renew.log
 
     cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key >> /var/log/le-renew.log
 
     cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key >> /var/log/le-renew.log
 
     cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt >> /var/log/le-renew.log
 
     cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt >> /var/log/le-renew.log
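Review bot: `/home1/_locals/operator/certbot-auto --no-self-upgrade renew >> /var/log/le-renew.log` only redirects stdout, so certbot's error output lands in cron mail instead of the log; use `>> /var/log/le-renew.log 2>&1` on the renew and cp lines. The same install-path mismatch with step 1 applies here, and the two cp lines run regardless of whether renew succeeded, so the script never notices a failed renewal; checking the renew exit status before copying would make the log useful for that.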

Latest revision as of 17:40, 24 April 2019

To generate a certificate you must do the following:

1 Install certbot-auto v0.31.0 (ONLY THIS VERSION IS SUPPORTED IN IPBRICK OS)

  mkdir /home1/_letsencrypt
  cd /home1/_letsencrypt
  wget https://ipbcloud.ipbrick.com/index.php/s/SxHtunjaWXEfOBf/download -O certbot-auto
  chmod a+x certbot-auto
   More info on https://certbot.eff.org/#debianwheezy-other

2 Edit the Apache virtualhost files that will use the certificates and write-protect them:

       eg. 200-200-light.domain.com
       Insert lines:
         SSLCertificateFile /etc/letsencrypt/live/ucoip.domain.com/cert.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/ucoip.domain.com/privkey.pem
         SSLCertificateChainFile /etc/letsencrypt/live/ucoip.domain.com/chain.pem
       Write protect the files: eg. chattr +i 200-200-light.domain.com

3 If you want to use CAFE Phone or UCoIP Page WebPhone you need to:

       Edit the file /etc/webrtc2sip/config.xml
       Modify the ssl-certificates section:
         <ssl-certificates>
             /etc/letsencrypt/live/ucoip.domain.com/privkey.pem;
             /etc/letsencrypt/live/ucoip.domain.com/cert.pem;
             *;
         </ssl-certificates>
       Restart service webrtc2sip:
         /etc/init.d/webrtc2sip stop
         /etc/init.d/webrtc2sip start
       Write protect the file: eg. chattr +i /etc/webrtc2sip/config.xml

4 If you want to use UCoIP/CAFE Video Conference (WebRTC) you need to:

       Copy the certs into the folder /opt/ucoip/site/rtc/signalmaster/ssl and create an empty ca.crt:
           cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key
           cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt
           touch /opt/ucoip/site/rtc/signalmaster/ssl/ca.crt

       Change the file ownership and restart the service:
           chown webrtc.webrtc /opt/ucoip/site/rtc/signalmaster/ssl/*
           /etc/init.d/webrtc_signal stop
           /etc/init.d/webrtc_signal start

5 Generate the certs with the command:

       /etc/init.d/apache2 stop
       /home1/_locals/operator/certbot-auto certonly --standalone --no-self-upgrade -d ucoip.domain.com -d webrtcproxy.domain.com -d .....
       /etc/init.d/apache2 start
       The certificate files are created in the folder /etc/letsencrypt/live

6 Create a script to renew the cert and call it from cron.d (certificates are valid for 90 days)

   Script (eg. /home1/_locals/operator/renewcerts.sh)
   #!/bin/sh
   echo "***********" $(date +"%m-%d-%Y - %H:%M") >> /var/log/le-renew.log
   /etc/init.d/apache2 stop >> /var/log/le-renew.log
   /home1/_locals/operator/certbot-auto --no-self-upgrade renew >> /var/log/le-renew.log
   cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key >> /var/log/le-renew.log
   cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt >> /var/log/le-renew.log
   /etc/init.d/apache2 start >> /var/log/le-renew.log
   /etc/init.d/webrtc_signal stop >> /var/log/le-renew.log
   /etc/init.d/webrtc_signal start >> /var/log/le-renew.log

7 Place the script in cron.d and add execution permissions to it:

   vi /etc/cron.d/letsencrypt
   01 04 */15 * * root /home1/_locals/operator/renewcerts.sh
   ipbrick:~# ls -la /etc/cron.d/letsencrypt
   -rw-r--r-- 1 root root 58 Feb 23 16:15 /etc/cron.d/letsencrypt
   chmod 755 /home1/_locals/operator/renewcerts.sh
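A hardened form of the step 6 renewal script, added here as an example and not IPBrick's own script: it keeps the page's paths and the --no-self-upgrade flag, but always restarts apache2 even if certbot fails, records stderr in le-renew.log, and only copies the key and cert into the signalmaster folder (and restarts webrtc_signal) when renewal succeeded and the files actually changed. The webrtc:webrtc owner, the 600 mode on the copied key, the `run` argument and the environment overrides are my additions.

```shell
#!/bin/sh
# Added example, not IPBrick's own script: a step 6 renewal wrapper that
# restarts apache2 even when certbot fails, logs stderr too, and only copies
# key/cert to signalmaster (and restarts webrtc_signal) when they changed.
# Paths match the page; each can be overridden via the environment (tests).
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/ucoip.domain.com}"
SIGNAL_SSL="${SIGNAL_SSL:-/opt/ucoip/site/rtc/signalmaster/ssl}"
CERTBOT="${CERTBOT:-/home1/_locals/operator/certbot-auto}"
INITD="${INITD:-/etc/init.d}"
LOG="${LOG:-/var/log/le-renew.log}"
log() { printf '%s %s\n' "$(date +'%m-%d-%Y - %H:%M')" "$*" >> "$LOG"; }
# Copy $1 to $2 only if the content differs. Returns 0 when a copy happened,
# 1 when the destination was already up to date, 2 when the copy failed.
deploy_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp "$1" "$2" || return 2
    chmod 600 "$2"   # key material: owner-only, never world-readable
    return 0
}
# One renewal cycle. Returns certbot's exit status; apache2 is restarted
# regardless, and signalmaster is only touched when certbot succeeded.
renew_certs() {
    log "*********** renewal start"
    "$INITD/apache2" stop >> "$LOG" 2>&1
    "$CERTBOT" --no-self-upgrade renew >> "$LOG" 2>&1
    rc=$?
    "$INITD/apache2" start >> "$LOG" 2>&1   # always bring the site back
    if [ "$rc" -ne 0 ]; then
        log "certbot renew failed (rc=$rc); deployed certs left untouched"
        return "$rc"
    fi
    changed=0
    deploy_if_changed "$LE_LIVE/privkey.pem" "$SIGNAL_SSL/private.key" && changed=1
    deploy_if_changed "$LE_LIVE/cert.pem" "$SIGNAL_SSL/certificate.crt" && changed=1
    if [ "$changed" -eq 1 ]; then
        chown webrtc:webrtc "$SIGNAL_SSL"/* >> "$LOG" 2>&1   # assumed owner
        "$INITD/webrtc_signal" stop >> "$LOG" 2>&1
        "$INITD/webrtc_signal" start >> "$LOG" 2>&1
        log "new certificate deployed to signalmaster, webrtc_signal restarted"
    else
        log "certificate unchanged, nothing to deploy"
    fi
    return 0
}
# Only act when called as "renewcerts.sh run" (e.g. from /etc/cron.d).
case "${1:-}" in run) renew_certs ;; esac
```

With this script the step 7 cron line ends in `renewcerts.sh run`; invoked without the argument it only defines the functions.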