Differences

This shows you the differences between two versions of the page.

--- procedures:certificates [2024/08/28 15:51] – Fixed link sysadm
+++ procedures:certificates [2025/11/28 20:18] (current) – Added Sonova and CFT domains sysadm
@@ Line 1: / Line 1: @@
-====== SSL certs renewal certonly (no acme-challenge) ======
+====== SSL certs renewal ======
 === FIRST THING ===
@@ Line 6: / Line 6: @@
 In case anything goes wrong, you will reuse the old certs.
-\\
 \\
 To install certbot:
 <code>
-yum install -y certbot-nginx
+yum install -y certbot
 </code>
+\\
 \\
+==== No acme-challenge ====
 === Istances that need certs for operation ===
-* Frankfurt
+  * Prod5_Core1(Frankfurt)
-    - Prod5_Core1
+  * Prod5_Core2(Frankfurt)
-    - Prod5_Core2
+  * BeCloud5x
-    - BeCloud5x
+  * Monitor
-    - Monitor
+  * Be360(s)
-    - Support
-    - Be360(s)
 (There are shared Outlook calendars for all expiring certs)
@@ Line 30: / Line 30: @@
 \\
-=== Commands ===
+==== Commands ====
-\\
-==== Certbot single istances ====
+=== Certbot single istances ===
 <code>
-certbot certonly --nginx
+sudo certbot-3 certonly --nginx
+OR
+sudo certbot certonly --nginx
 </code>
 \\
-==== Certbot clusters ====
+=== Certbot clusters ===
-For clusters, you need to run the command on **both** istances, but first you have to modify the "weight" of the domain.
+For clusters, you need to run the command on **both** "Core" istances, but first you have to modify the "weight" of the domain.
 Login to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
@@ Line 52: / Line 54: @@
 the weight and repeat the process for the second server.
 <code>
-certbot certonly --nginx -d **domain** -d **domain** *etc*
+sudo certbot-3 certonly --nginx -d **domain**,**domain**,*etc*
+</code>
+Copy-paste domains Core1:
+<code>
+-d core1.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com
+</code>
+Copy-paste domains Core2:
+<code>
+-d core2.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com
 </code>
 \\
-==== Certbot not installed ====
+=== Certbot not installed ===
 <code>
 ./certbot-auto certonly --nginx
@@ Line 63: / Line 75: @@
 (if you don't find the script you can locate it with ''find / -iname certbot-auto'')
+Follow the wizard and **read the final output**, you need to ''cd'' into the directory of the certificate before running
+the commands to preare the certs (will be in /etc/letsencrypt/live/)
+\\
+\\
+==== Acme-challenge ====
+=== Istances that need certs for operation ===
+  * Prod5_Core1(Sydney)
+  * Prod5_Core2(Sydney)
+(There are shared Outlook calendars for all expiring certs)
+\\
+==== Commands ====
+=== Acme-challenges clusters ===
+For clusters, you need to run the command on **both** "Core" istances, but first you have to modify the "weight" of the domain.
+Login to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
+Clusters have shared domain between two machines (for example, Prod5_Core1 and Prod5_Core2 are both pointed by
+*beincontact.becloudsolutions.com*), to change the weight select one of the two record entry, on the left panel
+click "Edit record", change the param "Weight" from 100 to 0, then save.
+You have to do this for the machine where you are **not** trying to renew the certificates (for example, you want to renew
+Prod5_Core1, change the param of Prod5_Core2, renew the 1 and then convert everything to renew the 2), then restore
+the weight and repeat the process for the second server.
+Follow the instructions on screen and replace old entries in the DNS, make a copy of the old values in case you need to use the old certs. Do **not** create multiple records for one domain, even if certbot tell you to do it, you can't in AWS.
+<code>
+certbot certonly --manual --preferred-challenges dns --key-type rsa -d **domain**,**domain**,*etc*
+</code>
+Copy-paste domains:
+<code>
+-d beincontact2.becloudsolutions.com,core1.beincontact2.becloudsolutions.com,core2.beincontact2.becloudsolutions.com,prysmianau.beincontact2.becloudsolutions.com,humecity.beincontact2.becloudsolutions.com,benetas.beincontact2.becloudsolutions.com
+</code>
+\\
 Follow the wizard and **read the final output**, you need to ''cd'' into the directory of the certificate before running
@@ Line 84: / Line 140: @@
 </code>
- --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2024/03/14 16:55//
+\\
+ --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2024/09/02 08:58//