| Both sides previous revisionPrevious revision | |
| procedures:certificates [2026/03/02 17:37] – Added Basile domain sysadm | procedures:certificates [2026/04/09 13:42] (current) – Cleanup sysadm |
|---|
| === FIRST THING === | === FIRST THING === |
| |
| **BACKUP THE EXISTENT CERTS** (in ''/etc/servicepattern/'')\\ | To install certbot (OL9): |
| In case anything goes wrong, you will reuse the old certs. | <code> |
| | yum install -y python3-certbot python3-certbot-nginx |
| | </code> |
| |
| \\ | To install certbot (Debian): |
| | |
| To install certbot: | |
| <code> | <code> |
| yum install -y certbot | apt install -y python3-certbot python3-certbot-nginx |
| </code> | </code> |
| |
| \\ | |
| \\ | \\ |
| |
| ==== No acme-challenge ==== | ==== No acme-challenge ==== |
| |
| === Istances that need certs for operation === | === Istances that need certs to be renewed manually === |
| |
| * Prod5_Core1(Frankfurt) | * Prod5_Core1/2(Frankfurt) |
| * Prod5_Core2(Frankfurt) | |
| * BeCloud5x | * BeCloud5x |
| * Monitor | |
| * Be360(s) | |
| |
| (There are shared Outlook calendars for all expiring certs) | (There are shared Outlook calendars for all expiring certs) |
| ==== Commands ==== | ==== Commands ==== |
| |
| === Certbot single istances === | === BeIncontact single istances === |
| <code> | <code> |
| sudo certbot-3 certonly --nginx | sudo certbot-3 certonly --nginx |
| OR | |
| sudo certbot certonly --nginx | |
| </code> | </code> |
| |
| Copy-paste domains Core1: | Copy-paste domains Core1: |
| <code> | <code> |
| -d core1.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com | sudo certbot-3 certonly --nginx -d core1.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com |
| </code> | </code> |
| |
| Copy-paste domains Core2: | Copy-paste domains Core2: |
| <code> | <code> |
| -d core2.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com | sudo certbot-3 certonly --nginx -d core2.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com,basile.beincontact.becloudsolutions.com |
| </code> | </code> |
| |
| | \\ |
| \\ | \\ |
| |
| === Certbot not installed === | |
| <code> | |
| ./certbot-auto certonly --nginx | |
| </code> | |
| (if you don't find the script you can locate it with ''find / -iname certbot-auto'') | |
| |
| |
| Follow the wizard and **read the final output**, you need to ''cd'' into the directory of the certificate before running | |
| the commands to preare the certs (will be in /etc/letsencrypt/live/) | |
| |
| \\ | |
| \\ | |
| |
| ==== Acme-challenge ==== | ==== Acme-challenge ==== |
| === Istances that need certs for operation === | === Istances that need certs for operation === |
| |
| * Prod5_Core1(Sydney) | * Prod5_Core1/2(Sydney) |
| * Prod5_Core2(Sydney) | |
| |
| (There are shared Outlook calendars for all expiring certs) | (There are shared Outlook calendars for all expiring certs) |
| |
| Follow the instructions on screen and replace old entries in the DNS, make a copy of the old values in case you need to use the old certs. Do **not** create multiple records for one domain, even if certbot tell you to do it, you can't in AWS. | Follow the instructions on screen and replace old entries in the DNS, make a copy of the old values in case you need to use the old certs. Do **not** create multiple records for one domain, even if certbot tell you to do it, you can't in AWS. |
| | Be aware that you have to deploy all domains before terminating the script (it will warn you when it's almost done), Certbot check for deployment only in the end, not every time it ask you to deploy a domain. |
| <code> | <code> |
| certbot certonly --manual --preferred-challenges dns --key-type rsa -d **domain**,**domain**,*etc* | certbot certonly --manual --preferred-challenges dns --key-type rsa -d **domain**,**domain**,*etc* |
| Copy-paste domains: | Copy-paste domains: |
| <code> | <code> |
| -d beincontact2.becloudsolutions.com,core1.beincontact2.becloudsolutions.com,core2.beincontact2.becloudsolutions.com,prysmianau.beincontact2.becloudsolutions.com,humecity.beincontact2.becloudsolutions.com,benetas.beincontact2.becloudsolutions.com | certbot certonly --manual --preferred-challenges dns --key-type rsa -d beincontact2.becloudsolutions.com,core1.beincontact2.becloudsolutions.com,core2.beincontact2.becloudsolutions.com,prysmianau.beincontact2.becloudsolutions.com,humecity.beincontact2.becloudsolutions.com,benetas.beincontact2.becloudsolutions.com |
| </code> | </code> |
| |
| | \\ |
| \\ | \\ |
| |
| ==== Certs preparation ==== | ==== Certs preparation ==== |
| <code> | <code> |
| cp privkey.pem server.key | \cp -b privkey.pem server.key |
| cat fullchain.pem | cat - privkey.pem > server.pem | cat fullchain.pem | cat - privkey.pem > server.pem |
| \cp -b server.key /etc/servicepattern/ | \cp -b server.key /etc/servicepattern/ |
| \\ | \\ |
| |
| --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2024/09/02 08:58// | --- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2026/04/09 15:42// |
