| View previous topic :: View next topic |
| Author |
Message |
NathanZachary
Moderator
Joined: 30 Jan 2007
Posts: 2605
|
 Posted: Tue Oct 16, 2018 3:16 am Post subject: LetsEncrypt and multiple vhosts |
 |
|
Hello,
Is anyone currently using LetsEncrypt (the official certbot client or otherwise) to automatically obtain certificates for Apache with multiple vhosts? I don't particularly like the idea of certbot being able to modify vhost configurations, but would imagine that it's possible to use it just to grab the new certificates every X days and overwrite them. Does anyone have experience with this process?
Cheers,
Nathan Zachary
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio--- |
|
| Back to top |
|
 |
geki
Advocate
Joined: 13 May 2004
Posts: 2387
Location: Germania
|
| Posted: Tue Oct 16, 2018 5:48 am Post subject: |
|
|
There is good documentation out there. See webroot variant to fetch only certs. On that site you find infos how to use cron to update every ~90 days.
https://certbot.eff.org/docs/using.html#webroot
Since I have dyndns and letsencrypt has rate-limits I added this script to cron to get the certificates somewhen in the future:
| Code: | # crontab -l | grep cert
23 1 */3 * * /root/certonly.sh
# cat /root/certonly.sh
#!/bin/sh
if [ ! -d /etc/letsencrypt/live ]
then
rm -vrf /etc/letsencrypt/*
rm -v /var/log/letsencrypt/letsencrypt.log*
/usr/bin/yes N | /usr/bin/certbot certonly --webroot -w /var/www/<host1>/htdocs/ -d <domain1> -w /var/www/<host2>/htdocs/ -d <domain2> -m <mail address> --agree-tos --force-interactive
fi
exit 0 |
The 'yes N' command tells certbot(or companies behind it) not to reuse (anonymously?) information about my data. See by executing on cli without 'yes N'.
_________________
hear hear |
|
| Back to top |
|
|
Fitzcarraldo
Advocate
Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom
|
| Posted: Tue Oct 16, 2018 11:30 am Post subject: |
|
|
On one of my servers I have more than one vhost running Apache, and use the same Let's Encrypt certificate for them. One vhost is responsible for updating the certificate, and it copies the certificate to the other vhost. I don't use the Let's Encrypt vhost configuration; I just configure the certificate locations in each vhost's config file.
I use a cron job to check for certificate renewal. It does not matter if you check more frequently than every ~90 days; The cron job checks twice-daily, as you can see below in the crontab entry.
| Code: | vhost1user@vhost1:~$ sudo crontab -l | grep -v ^# | grep cert
23 2,14 * * * /usr/local/sbin/certbot-auto renew --renew-hook /home/vhost1user/renew-hook-script.sh --no-self-upgrade >> /var/log/le-renew.log
27 2,14 * * * /home/vhost1user/copy_SSLcerts_to_vhost2.sh 2>> /var/log/le-cp-errors.log |
The renewal hook shell script makes a time-date stamp record on the vhosts of when the renewal occurred (which also acts as a flag to the other vhost that the renewed certificate files have been copied over) and gracefully restarts Apache on the vhost that renewed the certificate:
| Code: | vhost1user@vhost1:~$ cat renew-hook-script.sh
#!/bin/bash
# This script will be run by a root crontab job (sudo crontab -e) only once when the SSL certificate is actually renewed.
date > /home/vhost1user/SSLcert_renewed
sshpass -p '<vhost2user's password>' scp /home/vhost1user/SSLcert_renewed vhost2user@vhost2:/home/vhost2user/SSLcert_renewed
/usr/sbin/apachectl graceful |
The second cron job shown above runs a shell script that copies the renewed certificates to the other vhost:
| Code: | vhost1user@vhost1:~$ cat copy_SSLcerts_to_vhost2.sh
#! /bin/bash
# This script will be run by a root crontab job (sudo crontab -e) to copy the SSL certificates to vhost2.
sshpass -p '<vhost2's password>' scp /etc/letsencrypt/live/<my ddns domain name>/cert.pem vhost2user@vhost2:/home/vhost2user/letsencrypt/cert.pem 2>> /var/log/le-cp-errors.log
sshpass -p '<vhost2's password>' scp /etc/letsencrypt/live/<my ddns domain name>/chain.pem vhost2user@vhost2:/home/vhost2user/letsencrypt/chain.pem 2>> /var/log/le-cp-errors.log
sshpass -p '<vhost2's password>' scp /etc/letsencrypt/live/<my ddns domain name>/privkey.pem vhost2user@vhost2:/home/vhost2user/letsencrypt/privkey.pem 2>> /var/log/le-cp-errors.log |
On the other vhost I have another cron job to restart Apache on the other host when the certificate files have been copied:
| Code: | vhost2user@vhost2:~$ sudo crontab -l | grep -v ^# | grep cert
28 2,14 * * * /home/vhost2user/restart_apache.sh 2>> /var/log/le-cert-update.log |
... which runs a shell script to restart gracefully Apache on the other vhost:
| Code: | vhost2user@vhost2:~$ cat restart_apache.sh
#!/bin/bash
# This script will be run by a root crontab job (sudo crontab -e) and will only restart Apache if the SSL certificate has just been renewed.
if [ -f /home/vhost2user/SSLcert_renewed ]; then
/usr/sbin/apachectl graceful
rm /home/vhost2user/SSLcert_renewed
/usr/bin/logger "SSL certificate renewed and Apache restarted"
fi
|
This used to work fine when Let's Encrypt had a few servers, which I could whitelist in the firewall. However, recently Let's Encrypt added a lot more servers. The problem then is that, when the script /usr/local/sbin/certbot-auto tries to renew the certificate, Let's Encrypt then establishes a new inbound connection from a different (and therefore unknown) IP address to your vhost, which is blocked by your firewall. The upshot of all this is that, when I receive a crontab e-mail once every ~90 days from vhost1 telling me that the renewal job failed, I manually disable the firewall temporarily, run the above-mentioned /usr/local/sbin/certbot-auto command to renew the certificate, then re-enable the firewall. I could of course automate this, but I choose not to in case something goes wrong and the firewall does not get re-enabled. I just don't want to risk this happening, as potentially I may be away on a work trip and unable to fix the problem immediately remotely.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Tue Oct 16, 2018 3:51 pm Post subject: |
|
|
I use le.pl to generate a wildcard cert. I don't like the idea of something messing with my system config files either, it runs as a confined user and the cert is copied out of its home directory afterwards.
Haven't bothered to automate the process yet beyond a cronjob checking the last update and sending warning emails after 70 days, but it's infrequent enough I don't really care about that. |
|
| Back to top |
|
|
NathanZachary
Moderator
Joined: 30 Jan 2007
Posts: 2605
|
| Posted: Tue Oct 16, 2018 3:56 pm Post subject: |
|
|
Thank you both for your responses! I guess what I'm wondering here is if it is possible to just pull one certificate and use it across the virtual hosts. My guess is no, since the FQDNs are different. So, I would likely need to have a list of the domains that are virtual hosts, and have certbot generate a new cert for each of them once every ~90 days and put it in place. As long as the name stays the same, no Apache vhost modifications will be necessary. Does that seem like a feasible plan?
So, for instance, let's say I have domain{1,2,3}.com and they are set up under /etc/apache2/vhosts.d/includes/domain{1,2,3}.com.conf.
The root for each site is /var/www/domains/domain{1,2,3}.com/.
I'm guessing that I could set up a directory for the certificates either under each site (in, say, /var/www/domains/domain{1,2,3}.com/ssl/) or in a location under Apache like /etc/apache2/vhosts/ssl/.
certbot can then generate a certificate for each site and place it in the corresponding directory.
As long as the name of each certificate remains the same, then no Apache modifications/reloads will need to happen.
Does this approach seem valid?
Thanks again for your help!
Cheers,
Nathan Zachary
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio--- |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Tue Oct 16, 2018 4:21 pm Post subject: |
|
|
| It should be possible to use one cert for multiple hosts, that's what I did before wildcards were added. It'll be the same process whether they're subdomains on one host or different domains entirely. |
|
| Back to top |
|
|
NathanZachary
Moderator
Joined: 30 Jan 2007
Posts: 2605
|
| Posted: Tue Oct 16, 2018 4:30 pm Post subject: |
|
|
| Ant P. wrote: | | It should be possible to use one cert for multiple hosts, that's what I did before wildcards were added. It'll be the same process whether they're subdomains on one host or different domains entirely. |
That would be amazing if I could use just one certificate for multiple FQDNs/domains/vhosts. They all hit the same IP, so if that could work, that would be ideal in my opinion (provided they won't throw security errors/warnings). I could then just have the Apache configs point to the same certificate, which would really help with scaling it out.
I don't see any documentation on how that would work, though. Looking through the certbot webroot documentation, it looks like I would need to issue the commands for each domain and even each subdomain separately.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio--- |
|
| Back to top |
|
|
Fitzcarraldo
Advocate
Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom
|
| Posted: Tue Oct 16, 2018 4:45 pm Post subject: |
|
|
| NathanZachary wrote: | | That would be amazing if I could use just one certificate for multiple FQDNs/domains/vhosts. They all hit the same IP, so if that could work, that would be ideal in my opinion (provided they won't throw security errors/warnings). I could then just have the Apache configs point to the same certificate, which would really help with scaling it out. |
https://letsencrypt.org/docs/faq/
| Let's Encrypt FAQ wrote: | Can I get a certificate for multiple domain names (SAN certificates or UCC certificates)?
Yes, the same certificate can contain several different names using the Subject Alternative Name (SAN) mechanism.
Does Let’s Encrypt issue wildcard certificates?
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information. |
| NathanZachary wrote: | | I don't see any documentation on how that would work, though. Looking through the certbot webroot documentation, it looks like I would need to issue the commands for each domain and even each subdomain separately. |
https://certbot.eff.org/docs/using.html#certbot-command-line-options
| Quote: | obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for |
You could use a mechanism similar to the one I outlined in my previous post, to copy the certificate files from the vhost that renews the certificate to the other vhosts.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
|
| Back to top |
|
|
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
| Posted: Wed Oct 17, 2018 9:09 pm Post subject: |
|
|
| NathanZachary wrote: | | Ant P. wrote: | | It should be possible to use one cert for multiple hosts, that's what I did before wildcards were added. It'll be the same process whether they're subdomains on one host or different domains entirely. |
That would be amazing if I could use just one certificate for multiple FQDNs/domains/vhosts. They all hit the same IP, so if that could work, that would be ideal in my opinion (provided they won't throw security errors/warnings). I could then just have the Apache configs point to the same certificate, which would really help with scaling it out.
I don't see any documentation on how that would work, though. Looking through the certbot webroot documentation, it looks like I would need to issue the commands for each domain and even each subdomain separately. |
Hi, you describe the setup I have on my webserver, so it is possible with certbot. You initially create one certificate for multiple domains with certbot certonly for all your domains (try those options with --dry-run first), and then renew them with a cronjob (crontab -e) periodically issuing certbot renew and maybe --renew-hook /usr/local/bin/restart_services.sh
See: https://certbot.eff.org/docs/using.html#webroot
You end up with the following two lines in your vhost configuration files:
| Code: | SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem
|
Those are symlinks to the actual certs that are managed by certbot upon renewal.
And certbot will store everything needed for the renewal process in:
| Code: | /etc/letsencrypt/renewal/yourdomain.conf
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
