update obsd note (certbot)

main
Dominic Reich 10 months ago
parent eb7a7ff6a7
commit 101c4a6d45
Signed by: dominic
GPG Key ID: BC9D6AE1A3BE169A

@ -1,7 +1,7 @@
--- ---
title: OpenBSD notes title: OpenBSD
date: 2023-11-29T20:33:48+0100 date: 2023-11-29T20:33:48+0100
lastmod: 2024-01-22T22:02:30+0000 lastmod: 2024-01-26T11:16:40+0000
tags: tags:
- openbsd - openbsd
- python - python
@ -10,6 +10,9 @@ tags:
- git - git
- rust - rust
- neovim - neovim
- apache2
- mod_md
- certbot
#showDate: false #showDate: false
showReadingTime: false showReadingTime: false
@ -27,6 +30,90 @@ These are random notes -- more or less about OpenBSD. Some may
not fit here well, but they could relate to OpenBSD or similar not fit here well, but they could relate to OpenBSD or similar
operating systems in some way... operating systems in some way...
## Apache with wildcard certificates
I often got errors when I clicked a link on my main website for example
to the weather page. It was complaining about different
<abbr title="Server Name Indication">SNI</abbr> because both hosts used different
certificates and I wasn't sure how I could fix that easily. I thought wildcard
certs could fix that because I'd only have one cert for all the domains.
~~~console
$ doas pkg_add certbot
~~~
Run and follow instructions:
~~~console
$ doas certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
certificates requires the use of an authentication hook script (--manual-auth-hook)
but one was not provided. To renew this certificate, repeat this same certbot
command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~~~
Also adding my .net domain to the certs:
~~~console
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
~~~
Some changes to the apache2 configuration was made:
~~~apache
<MDomain oe7drt.com oe7drt.net>
MDMember *.oe7drt.com
MDMember *.oe7drt.net
MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>
MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail dominic@mm.st
MDCAChallenges dns-01
~~~
It seems Apache likes this:
![cropped output of apaches status website /md-status](./mod-status-certs.png)
This is **currently testing** because I have no idea if mod_md will update these certs
itself or if I should run certbot again when it's needed. In the meantime I monitor my
website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
expiring certificates.
The binary (`dns-challenge.phar`) that actually does the DNS Challenge is taken from
[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).
An **easier way** to obtain wildcard certificates would be the use of **Cloudflares proxy**.
They would also create another wildcard cert of another issuer in case the first one
would get compromised so they would actually replace your main cert with a backup cert
just with a whoooop.
Certbot commands have been taken from
[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
at dev.to.
## Get some filesystem information ## Get some filesystem information
~~~console ~~~console

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

Loading…
Cancel
Save