procedures:certificates

procedures:certificates [2024/03/22 20:06] – [Restart services] 93.66.33.147procedures:certificates [2026/04/09 13:42] (current) – Cleanup sysadm
Line 1: Line 1:
-====== SSL certs renewal certonly (no acme-challenge) ======+====== SSL certs renewal ======
  
 === FIRST THING === === FIRST THING ===
  
-**BACKUP THE EXISTENT CERTS** (in ''/etc/servicepattern/'')\\ +To install certbot (OL9): 
-In case anything goes wrong, you will reuse the old certs. +<code> 
- +yum install -y python3-certbot python3-certbot-nginx 
-\\ +</code>
-\\+
  
-To install certbot:+To install certbot (Debian):
 <code> <code>
-yum install -y certbot-nginx+apt install -y python3-certbot python3-certbot-nginx
 </code> </code>
  
 \\ \\
  
-=== Istances that need certs for operation ===+==== No acme-challenge ==== 
 + 
 +=== Istances that need certs to be renewed manually ===
  
-* Frankfurt +  Prod5_Core1/2(Frankfurt) 
-    - Prod5_Core1 +  BeCloud5x
-    - Prod5_Core2 +
-    - BeCloud5x +
-    - Monitor +
-    - Support +
-    - Be360(s)+
  
 (There are shared Outlook calendars for all expiring certs) (There are shared Outlook calendars for all expiring certs)
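Review bot: the removed lines drop the only explicit instruction to back up the existing certificates in ''/etc/servicepattern/'' before doing anything, while the "Certs preparation" block at the end of the page still relies on ''\cp -b'' to keep a copy of the previous files. Keep a sentence under FIRST THING telling the operator to copy the current ''server.key'' and ''server.pem'' aside (and where), because ''cp -b'' preserves only a single ''~'' backup that the next run overwrites. Also, "Istances" on the new side should read "Instances".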
Line 30: Line 26:
 \\ \\
  
-=== Commands === +==== Commands ==== 
-\\ + 
-==== Certbot single istances ====+=== BeIncontact single istances ===
 <code> <code>
-certbot certonly --nginx+sudo certbot-3 certonly --nginx
 </code>    </code>   
  
 \\ \\
  
-==== Certbot clusters ====+=== Certbot clusters ===
  
-For clusters, you need to run the command on **both** istances, but first you have to modify the "weight" of the domain. +For clusters, you need to run the command on **both** "Core" istances, but first you have to modify the "weight" of the domain. 
-Login to [AWS DNS](https://us-east-1.console.aws.amazon.com/route53and select the desired Hosted Zone.+Login to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
          
 Clusters have shared domain between two machines (for example, Prod5_Core1 and Prod5_Core2 are both pointed by Clusters have shared domain between two machines (for example, Prod5_Core1 and Prod5_Core2 are both pointed by
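Review bot: the renewal command now invokes ''sudo certbot-3'', but the Acme-challenge section added further down in this same revision calls plain ''certbot''; unless both names resolve on every host, one of the two copy-paste commands will fail with "command not found". Pick one binary name, or state which of the two installs listed under FIRST THING (OL9 via yum, Debian via apt) provides which, so the commands work as pasted. The link rewrite to ''[[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]]'' correctly fixes the previously unclosed markdown link.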
Line 52: Line 48:
 the weight and repeat the process for the second server. the weight and repeat the process for the second server.
 <code> <code>
-certbot certonly --nginx -d **domain** -d **domain** *etc*+sudo certbot-3 certonly --nginx -d **domain**,**domain**,*etc* 
 +</code> 
 + 
 +Copy-paste domains Core1: 
 +<code> 
 +sudo certbot-3 certonly --nginx -d core1.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com 
 +</code> 
 + 
 +Copy-paste domains Core2: 
 +<code> 
 +sudo certbot-3 certonly --nginx -d core2.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com
 </code> </code>
  
 \\ \\
 +\\
 +
 +
 +==== Acme-challenge ====
 +
 +=== Istances that need certs for operation ===
 +
 +  * Prod5_Core1/2(Sydney)
 +
 +(There are shared Outlook calendars for all expiring certs)
 +
 +\\
 +
 +==== Commands ====
 +
 +=== Acme-challenges clusters ===
 +
 +For clusters, you need to run the command on **both** "Core" istances, but first you have to modify the "weight" of the domain.
 +Login to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
 +    
 +Clusters have shared domain between two machines (for example, Prod5_Core1 and Prod5_Core2 are both pointed by
 +*beincontact.becloudsolutions.com*), to change the weight select one of the two record entry, on the left panel
 +click "Edit record", change the param "Weight" from 100 to 0, then save.
 +    
 +You have to do this for the machine where you are **not** trying to renew the certificates (for example, you want to renew
 +Prod5_Core1, change the param of Prod5_Core2, renew the 1 and then convert everything to renew the 2), then restore
 +the weight and repeat the process for the second server.
  
-==== Certbot not installed ====+Follow the instructions on screen and replace old entries in the DNS, make a copy of the old values in case you need to use the old certs. Do **not** create multiple records for one domain, even if certbot tell you to do it, you can't in AWS. 
 +Be aware that you have to deploy all domains before terminating the script (it will warn you when it's almost done), Certbot check for deployment only in the end, not every time it ask you to deploy a domain.
 <code> <code>
-./certbot-auto certonly --nginx+certbot certonly --manual --preferred-challenges dns --key-type rsa -d **domain**,**domain**,*etc*
 </code> </code>
-(if you don't find the script you can locate it with ''find / -iname certbot-auto'') 
  
 +Copy-paste domains:
 +<code>
 +certbot certonly --manual --preferred-challenges dns --key-type rsa -d beincontact2.becloudsolutions.com,core1.beincontact2.becloudsolutions.com,core2.beincontact2.becloudsolutions.com,prysmianau.beincontact2.becloudsolutions.com,humecity.beincontact2.becloudsolutions.com,benetas.beincontact2.becloudsolutions.com
 +</code>
 +
 +\\
 +\\
  
 Follow the wizard and **read the final output**, you need to ''cd'' into the directory of the certificate before running Follow the wizard and **read the final output**, you need to ''cd'' into the directory of the certificate before running
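Review bot: the Route 53 weight procedure (set the other Core's record to 0, renew, then swap) is copied verbatim into the new Acme-challenge section, but the command there uses ''--manual --preferred-challenges dns'', where the CA validates by looking up the ''_acme-challenge'' TXT records the wizard asks you to create (the hunk itself says to "replace old entries in the DNS") rather than by contacting nginx on the Core. Either explain why the weight change is still needed for the Sydney cluster or drop those lines from that section, so the operator does not take a node out of rotation for no reason. Two smaller points: the sentence "Do not create multiple records for one domain" should say where a second value for the same ''_acme-challenge'' name goes (Route 53 accepts several values inside one TXT record, one per line), and the TXT records left behind by the manual run are not removed by certbot, so add a cleanup step after issuance. The two long Core1/Core2 commands differ only in the first ''-d'' name; saying so would make future edits to that list less error-prone.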
Line 71: Line 111:
 ==== Certs preparation ==== ==== Certs preparation ====
 <code> <code>
-cp privkey.pem server.key+\cp -b privkey.pem server.key
 cat fullchain.pem | cat - privkey.pem > server.pem cat fullchain.pem | cat - privkey.pem > server.pem
 \cp -b server.key /etc/servicepattern/ \cp -b server.key /etc/servicepattern/
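Review bot: ''server.pem'' is created by shell redirection and therefore inherits the caller's umask (typically 0644) even though it contains the private key; add ''umask 077'' before the ''cat'' line, or ''chmod 600 server.key server.pem'' before the ''\cp -b'' into ''/etc/servicepattern/'', so the bundle is never world-readable. ''cat fullchain.pem | cat - privkey.pem > server.pem'' can be simplified to ''cat fullchain.pem privkey.pem > server.pem''. Switching the first line to ''\cp -b'' is consistent with the rest of the block, but note that ''-b'' keeps only one ''~'' backup, overwritten on the next run.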
Line 84: Line 124:
 </code> </code>
  
- --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2024/03/14 16:55//+\\ 
 + 
 + --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2026/04/09 15:42//