Generate Let's Encrypt certs for IPBrick
From wiki.IPBRICK.COM
To generate a certificate you must do the following:
1 Install certbot-auto (eg. on /home1/_locals/operator)
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
More info on https://certbot.eff.org/#debianwheezy-other
2 Change the virtualhosts that will require certificates and write protect them:
eg. 200-200-light.domain.com
Insert lines:
SSLCertificateFile /etc/letsencrypt/live/ucoip.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ucoip.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ucoip.domain.com/chain.pem
Write protect the files so they are not overwritten: eg. chattr +i 200-200-light.domain.com (run chattr -i on the file before editing it again)
3 If you want to use CAFE Phone or UCoIP Page WebPhone you need:
Change file /etc/webrtc2sip/config.xml
Modify ssl-certificates section:
<ssl-certificates>
/etc/letsencrypt/live/ucoip.domain.com/privkey.pem;
/etc/letsencrypt/live/ucoip.domain.com/cert.pem;
*;
</ssl-certificates>
Restart the webrtc2sip service (once the certificates from step 5 exist, otherwise it cannot load them):
/etc/init.d/webrtc2sip stop
/etc/init.d/webrtc2sip start
Write protect the file: eg. chattr +i /etc/webrtc2sip/config.xml
4 If you want to use UCoIP/CAFE Video Conference (WebRTC) you need:
Copy the certs into the folder /opt/ucoip/site/rtc/signalmaster/ssl and create an empty ca.crt. The source files only exist after step 5 has been run, so generate the certificates first if /etc/letsencrypt/live is not there yet:
cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key
cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt
touch /opt/ucoip/site/rtc/signalmaster/ssl/ca.crt
Change permissions and restart the service:
chown webrtc.webrtc /opt/ucoip/site/rtc/signalmaster/ssl/*
/etc/init.d/webrtc_signal stop
/etc/init.d/webrtc_signal start
5 Generate the certs with the command:
/etc/init.d/apache2 stop
/home1/_locals/operator/certbot-auto certonly --standalone -d ucoip.domain.com -d webrtcproxy.domain.com -d .....
/etc/init.d/apache2 start
The certs are created in the folder /etc/letsencrypt/live/ucoip.domain.com (certbot names the directory after the first -d domain), which is the path used in steps 2 to 4.
6 Create a script to renew the cert and call the command on cron.d (Certificates valid for 90 days)
Script (eg. /home1/_locals/operator/renewcerts.sh):
#!/bin/sh
echo "***********" $(date +"%m-%d-%Y - %H:%M") >> /var/log/le-renew.log
# the standalone plugin needs ports 80/443, so Apache is stopped while certbot runs
/etc/init.d/apache2 stop >> /var/log/le-renew.log
/home1/_locals/operator/certbot-auto renew >> /var/log/le-renew.log
# refresh the copies used by the WebRTC signalmaster (step 4)
cp /etc/letsencrypt/live/ucoip.domain.com/privkey.pem /opt/ucoip/site/rtc/signalmaster/ssl/private.key >> /var/log/le-renew.log
cp /etc/letsencrypt/live/ucoip.domain.com/cert.pem /opt/ucoip/site/rtc/signalmaster/ssl/certificate.crt >> /var/log/le-renew.log
/etc/init.d/apache2 start >> /var/log/le-renew.log
/etc/init.d/webrtc_signal stop >> /var/log/le-renew.log
/etc/init.d/webrtc_signal start >> /var/log/le-renew.log
7 Place the script in cron.d and add execution permissions to this script
vi /etc/cron.d/letsencrypt
01 04 */15 * * root /home1/_locals/operator/renewcerts.sh
ipbrick:~# ls -la /etc/cron.d/letsencrypt
-rw-r--r-- 1 root root 58 Feb 23 16:15 /etc/cron.d/letsencrypt
chmod 755 /home1/_locals/operator/renewcerts.sh
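The renewal script above stops Apache on every cron run, even when certbot decides nothing is due yet, and it does not restart webrtc2sip although that daemon also reads the certificate files when it starts. The following is an added example, not code from the IPBrick wiki, of the same procedure written around certbot's own renewal hooks: --pre-hook and --post-hook run only when a renewal is actually attempted (within 30 days of expiry), and --deploy-hook runs only when a certificate was really issued. It assumes a certbot-auto new enough to support --deploy-hook, the wiki's example paths (overridable through environment variables), a single certificate lineage as in step 5, and that cron invokes the script by its absolute path.

```shell
#!/bin/sh
# Added example, not taken from the IPBrick wiki: renewal driven by certbot hooks.
# Assumptions (not in the original page): certbot-auto supports --deploy-hook,
# the paths below are the wiki's examples and may be overridden via environment
# variables, and cron calls this script by its absolute path.
set -eu

CERTBOT="${CERTBOT:-/home1/_locals/operator/certbot-auto}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/ucoip.domain.com}"
SIGNAL_SSL="${SIGNAL_SSL:-/opt/ucoip/site/rtc/signalmaster/ssl}"
SIGNAL_OWNER="${SIGNAL_OWNER:-webrtc}"
LOG="${LOG:-/var/log/le-renew.log}"

log() { printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M')" "$*" >> "$LOG"; }

# deploy_certs LIVE_DIR DEST_DIR
# Copies privkey.pem/cert.pem into the signalmaster layout (private.key,
# certificate.crt, empty ca.crt), keeps the key 0600 and hands the files to the
# webrtc account when it exists and we run as root. Returns 1 without touching
# DEST_DIR if either source file is missing, so a broken lineage never leaves
# the service with a half-updated key/certificate pair.
deploy_certs() {
    [ -f "$1/privkey.pem" ] && [ -f "$1/cert.pem" ] || return 1
    mkdir -p "$2"
    cp "$1/privkey.pem" "$2/private.key"
    cp "$1/cert.pem" "$2/certificate.crt"
    [ -f "$2/ca.crt" ] || : > "$2/ca.crt"
    chmod 600 "$2/private.key"
    chmod 644 "$2/certificate.crt" "$2/ca.crt"
    if [ "$(id -u)" -eq 0 ] && id -u "$SIGNAL_OWNER" >/dev/null 2>&1; then
        chown "$SIGNAL_OWNER:$SIGNAL_OWNER" "$2/private.key" "$2/certificate.crt" "$2/ca.crt"
    fi
}

# certs_in_sync LIVE_DIR DEST_DIR
# True when the deployed copy matches what certbot currently holds; a quick
# check to run by hand after a renewal.
certs_in_sync() {
    cmp -s "$1/privkey.pem" "$2/private.key" && cmp -s "$1/cert.pem" "$2/certificate.crt"
}

# Both daemons read the certificate files at start, so both are restarted
# after a new pair is in place.
restart_webrtc() {
    /etc/init.d/webrtc_signal stop >> "$LOG" 2>&1 || true
    /etc/init.d/webrtc_signal start >> "$LOG" 2>&1
    /etc/init.d/webrtc2sip stop >> "$LOG" 2>&1 || true
    /etc/init.d/webrtc2sip start >> "$LOG" 2>&1
}

case "${1:-}" in
renew)
    # pre/post hooks run only when certbot attempts a renewal, so Apache is no
    # longer stopped on every cron run; the deploy hook runs only on success.
    log "renewal run started"
    "$CERTBOT" renew --quiet \
        --pre-hook "/etc/init.d/apache2 stop" \
        --post-hook "/etc/init.d/apache2 start" \
        --deploy-hook "$0 deploy" >> "$LOG" 2>&1
    log "renewal run finished"
    ;;
deploy)
    # certbot exports RENEWED_LINEAGE (the live/<name> directory) to the deploy hook.
    live="${RENEWED_LINEAGE:-$LE_LIVE}"
    if deploy_certs "$live" "$SIGNAL_SSL"; then
        log "deployed certificates from $live to $SIGNAL_SSL"
        restart_webrtc
    else
        log "ERROR: $live lacks privkey.pem or cert.pem, nothing deployed"
        exit 1
    fi
    ;;
esac
```

Run it from cron as renewcerts.sh renew; certbot then calls it back as renewcerts.sh deploy with RENEWED_LINEAGE set, which copies the new pair and restarts webrtc_signal and webrtc2sip. certs_in_sync /etc/letsencrypt/live/ucoip.domain.com /opt/ucoip/site/rtc/signalmaster/ssl can be run by hand afterwards to confirm the signalmaster copy is current.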