From c4af45298e66324798345bcaa427d4cbba17a49c Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Aug 22 2023 14:13:18 +0000 Subject: Reflected change for letsencrypt (no certbot anymore) Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 390e947..59d06ff 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -144,7 +144,7 @@ You can now push both .key/.crt files into `pkistore` git-crypted repository *an We use one dedicated node to obtain/renew certs for the acme http challenges, and also the same for dns challenges (for internal openshift setup). -Actually that node is `certbot.rdu2.centos.org`. +Actually that node is `acme01.rdu2.centos.org`. #### How to obtain new cert (DNS challenge is the preferred way) @@ -208,13 +208,13 @@ All certs/keys obtained through acme are under /root/.acme.sh/{hostname}/ so you ##### For http challenge Normally we prefer DNS challenge, but there are corner cases like delegated records for which that would be problematic. That's the case for {buildlogs,cloud,vault}.centos.org nodes (delegated records to pdns/geoip) -You can add multiple SANs in the same certs. Here is one example with mon.centos.org and SAN mon.j7.centos.org, status.centos.org : +You can add multiple SANs in the same certs. Here is one example with buildlogs.centos.org and SAN cloud.centos.org : ``` -certbot certonly --webroot --webroot-path /var/www/html --manual-public-ip-logging-ok --agree-tos --email sysadmin@centos.org -d mon.centos.org -d mon.j7.centos.org -d status.centos.org +acme.sh --issue -d buildlogs.centos.org -d cloud.centos.org -w /var/www/html/ ``` -All files (certs/keys) are then available under /etc/letsencrypt/live/ (you'll have to import those into this pkistore dir) +All files (certs/keys) are then available under /root/.acme.sh/{hostname} (you'll have to import those into this pkistore dir) 
@@ -225,14 +225,9 @@ For each cert/dns record, we have to ask for a renewal acme.sh --renew-all ``` -##### For HTTP challange -For http challenge it's better to run first with --dry-run, then fix eventual issue and then launch it again for real operations -``` -time certbot renew --webroot --webroot-path /var/www/html --manual-public-ip-logging-ok --agree-tos --email sysadmin@centos.org --dry-run ; echo return code $? - -certbot renew --force-renew --webroot --webroot-path /var/www/html --manual-public-ip-logging-ok --agree-tos --email sysadmin@centos.org +##### For HTTP challenges -``` +Same as for dns challenges as we consolidated all under `acme.sh` (and no certbot anymore) ### Deploying through ansible Don't forget to have pushed the new/renewed certs/keys into this pkistore directory first.
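Review bot: In the first hunk (`docs/security/tls.md` @@ -144), the hostname swap to `acme01.rdu2.centos.org` is fine, but the sentence still opens with "Actually that node is", which reads as "as a matter of fact" rather than "at present"; since the whole point of the line is that the node can change, suggest "Currently that node is `acme01.rdu2.centos.org`." so the next person who moves the service knows this is the line to update.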
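Review bot: In the second hunk (@@ -208, the http challenge example), the new sentence "All files (certs/keys) are then available under /root/.acme.sh/{hostname}" leaves `{hostname}` ambiguous now that the example issues one cert for two names (`-d buildlogs.centos.org -d cloud.centos.org`); acme.sh names the directory after the first `-d`, so state that explicitly, e.g. "under /root/.acme.sh/{first -d hostname}/ (here /root/.acme.sh/buildlogs.centos.org/)". It would also help to say that the webroot passed with `-w /var/www/html/` must be the one actually serving `/.well-known/acme-challenge/` for every name in the cert, since each SAN is validated separately; the old certbot line carried `--webroot-path` for the same reason and the text never spelled it out.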
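Review bot: In the third hunk (@@ -225, the renewal section), the replacement "Same as for dns challenges as we consolidated all under `acme.sh`" drops the only operational guidance the old section had (run a dry-run first, check the return code, then renew for real) without saying whether an equivalent exists in the acme.sh flow; suggest stating plainly that the `acme.sh --renew-all` shown just above covers the http-challenge certs too, and whether the webroot given at `--issue` time still has to be reachable on this node at renewal time. Minor: the heading was changed from "challange" to "challenges" (good), but it now reads "For HTTP challenges" while the issuing section above it is titled "For http challenge"; pick one spelling and number for both.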