====== SSL certs renewal ======
=== FIRST THING ===
**BACKUP THE EXISTING CERTS** (in ''/etc/servicepattern/'')\\
If anything goes wrong, you will fall back to the old certs.
\\
To install certbot:
yum install -y certbot
\\
\\
==== No acme-challenge ====
=== Instances that need certs for operation ===
* Prod5_Core1(Frankfurt)
* Prod5_Core2(Frankfurt)
* BeCloud5x
* Monitor
* Be360(s)
(There are shared Outlook calendars for all expiring certs)
\\
==== Commands ====
=== Certbot single instances ===
sudo certbot-3 certonly --nginx
OR
sudo certbot certonly --nginx
\\
=== Certbot clusters ===
For clusters you need to run the command on **both** "Core" instances, but first you have to change the "weight" of the shared domain record: the ''--nginx'' plugin answers the HTTP challenge locally, so the validation request must reach the instance that is running certbot.
Log in to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
Clusters share a domain between two machines (for example, *beincontact.becloudsolutions.com* points at both Prod5_Core1 and Prod5_Core2).
To change the weight, select one of the two record entries, click "Edit record" in the left panel, change the "Weight" parameter from 100 to 0, then save.
Do this for the machine where you are **not** renewing the certificates (for example, to renew Prod5_Core1, set the weight of the Prod5_Core2 record to 0, renew Core1, then swap everything around to renew Core2). Afterwards restore
the weight and repeat the process for the second server.
sudo certbot-3 certonly --nginx -d **domain**,**domain**,*etc*
Copy-paste domains for Core1:
-d core1.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com
Copy-paste domains for Core2:
-d core2.beincontact.becloudsolutions.com,beincontact.becloudsolutions.com,elettric80.beincontact.becloudsolutions.com,prysmianuk.beincontact.becloudsolutions.com,prysmianib.beincontact.becloudsolutions.com,alidays.beincontact.becloudsolutions.com,aria.beincontact.becloudsolutions.com,beeasy.beincontact.becloudsolutions.com,prysmianfr.beincontact.becloudsolutions.com,fives.beincontact.becloudsolutions.com,medicair.beincontact.becloudsolutions.com,golilla.beincontact.becloudsolutions.com,excellgo.beincontact.becloudsolutions.com,newtime.beincontact.becloudsolutions.com,aetnagroup.beincontact.becloudsolutions.com,estendo.beincontact.becloudsolutions.com,volvo.beincontact.becloudsolutions.com,prysmiantk.beincontact.becloudsolutions.com,sonova.beincontact.becloudsolutions.com,cft.beincontact.becloudsolutions.com
\\
=== Certbot not installed ===
./certbot-auto certonly --nginx
(if you don't find the script you can locate it with ''find / -iname certbot-auto'')
Follow the wizard and **read the final output**: you need to ''cd'' into the certificate's directory (under ''/etc/letsencrypt/live/'') before running
the commands that prepare the certs.
\\
\\
==== Acme-challenge ====
=== Instances that need certs for operation ===
* Prod5_Core1(Sydney)
* Prod5_Core2(Sydney)
(There are shared Outlook calendars for all expiring certs)
\\
==== Commands ====
=== Acme-challenges clusters ===
For clusters you need to run the command on **both** "Core" instances, but first you have to change the "weight" of the shared domain record.
Log in to [[https://us-east-1.console.aws.amazon.com/route53|AWS DNS]] and select the desired Hosted Zone.
Clusters share a domain between two machines (for example, *beincontact.becloudsolutions.com* points at both Prod5_Core1 and Prod5_Core2).
To change the weight, select one of the two record entries, click "Edit record" in the left panel, change the "Weight" parameter from 100 to 0, then save.
Do this for the machine where you are **not** renewing the certificates (for example, to renew Prod5_Core1, set the weight of the Prod5_Core2 record to 0, renew Core1, then swap everything around to renew Core2). Afterwards restore
the weight and repeat the process for the second server.
Follow the on-screen instructions and replace the old challenge entries in the DNS; keep a copy of the old values in case you need to go back to the old certs. Do **not** create multiple records for one domain, even if certbot tells you to: you can't in AWS.
certbot certonly --manual --preferred-challenges dns --key-type rsa -d **domain**,**domain**,*etc*
Copy-paste domains:
-d beincontact2.becloudsolutions.com,core1.beincontact2.becloudsolutions.com,core2.beincontact2.becloudsolutions.com,prysmianau.beincontact2.becloudsolutions.com,humecity.beincontact2.becloudsolutions.com,benetas.beincontact2.becloudsolutions.com
\\
Follow the wizard and **read the final output**: you need to ''cd'' into the certificate's directory (under ''/etc/letsencrypt/live/'') before running
the commands that prepare the certs.
\\
==== Certs preparation ====
cp privkey.pem server.key
cat fullchain.pem privkey.pem > server.pem
\cp -b server.key /etc/servicepattern/
\cp -b server.pem /etc/servicepattern/
(''\cp'' bypasses the ''cp -i'' alias; ''-b'' keeps a ''~'' backup of the previous file in ''/etc/servicepattern/'')
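The preparation step above as an added example, not part of the original runbook: a small POSIX sh script that does the same copy and concatenation, but keeps a dated backup of the existing files and checks that the key and the bundle are sane before you restart anything. ''LIVE_DIR'' and ''DEST_DIR'' are parameters (assumed to be ''/etc/letsencrypt/live/<domain>'' and ''/etc/servicepattern/'' on the real hosts); the ''key_matches_cert'' check requires openssl.

```shell
#!/bin/sh
# Added example (not from the original runbook): build the server.key / server.pem
# pair the service expects from a certbot "live" directory, keeping a dated backup
# of whatever is already in the destination (the runbook's FIRST THING) and
# checking the result before anything is restarted.
# Assumptions: LIVE_DIR is /etc/letsencrypt/live/<domain> for the renewed cert and
# DEST_DIR is /etc/servicepattern/ on the real hosts; both are parameters here.

# Number of PEM blocks of a given type ("CERTIFICATE", "PRIVATE KEY") in a file.
pem_count() {
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# Does the private key belong to the leaf certificate? Compares the public keys.
# openssl x509 reads only the first certificate in fullchain.pem, i.e. the leaf.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# prepare_certs LIVE_DIR DEST_DIR
prepare_certs() {
    live=$1; dest=$2
    stamp=$(date +%Y%m%d%H%M%S)
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 1
    # Dated backups instead of `cp -b`, which keeps only a single "~" copy.
    for f in server.key server.pem; do
        if [ -e "$dest/$f" ]; then
            cp -p "$dest/$f" "$dest/$f.$stamp.bak" || return 1
        fi
    done
    # Same layout as the runbook: key alone, then chain followed by key in one file.
    cp "$live/privkey.pem" "$dest/server.key" || return 1
    cat "$live/fullchain.pem" "$live/privkey.pem" > "$dest/server.pem" || return 1
    # Sanity check: at least one certificate, exactly one key, and the key comes last.
    [ "$(pem_count "$dest/server.pem" CERTIFICATE)" -ge 1 ] || return 1
    [ "$(pem_count "$dest/server.pem" 'PRIVATE KEY')" -eq 1 ] || return 1
    tail -n 1 "$dest/server.pem" | grep -q 'END .*PRIVATE KEY' || return 1
}

# Typical use on a host (uncomment):
# key_matches_cert /etc/letsencrypt/live/DOMAIN/fullchain.pem /etc/letsencrypt/live/DOMAIN/privkey.pem \
#   && prepare_certs /etc/letsencrypt/live/DOMAIN /etc/servicepattern
```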
\\
==== Restart services ====
systemctl restart nginx && systemctl restart agentserver
\\
--- //[[lorenzo.cesana@becloudsolutions.com|Lorenzo Cesana]] 2024/09/02 08:58//