update obsd note (certbot)

main
Dominic Reich 10 months ago
parent eb7a7ff6a7
commit 101c4a6d45
Signed by: dominic
GPG Key ID: BC9D6AE1A3BE169A

@ -1,7 +1,7 @@
---
title: OpenBSD notes
title: OpenBSD
date: 2023-11-29T20:33:48+0100
lastmod: 2024-01-22T22:02:30+0000
lastmod: 2024-01-26T11:16:40+0000
tags:
- openbsd
- python
@ -10,6 +10,9 @@ tags:
- git
- rust
- neovim
- apache2
- mod_md
- certbot
#showDate: false
showReadingTime: false
@ -27,6 +30,90 @@ These are random notes -- more or less about OpenBSD. Some may
not fit here well, but they could relate to OpenBSD or similar
operating systems in some way...
## Apache with wildcard certificates
I often got errors when I clicked a link on my main website for example
to the weather page. It was complaining about different
<abbr title="Server Name Indication">SNI</abbr> because both hosts used different
certificates and I wasn't sure how I could fix that easily. I thought wildcard
certs could fix that because I'd only have one cert for all the domains.
~~~console
$ doas pkg_add certbot
~~~
Run and follow instructions:
~~~console
$ doas certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
certificates requires the use of an authentication hook script (--manual-auth-hook)
but one was not provided. To renew this certificate, repeat this same certbot
command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~~~
Also adding my .net domain to the certs:
~~~console
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
~~~
Some changes to the apache2 configuration was made:
~~~apache
<MDomain oe7drt.com oe7drt.net>
MDMember *.oe7drt.com
MDMember *.oe7drt.net
MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>
MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail dominic@mm.st
MDCAChallenges dns-01
~~~
It seems Apache likes this:
![cropped output of apaches status website /md-status](./mod-status-certs.png)
This is **currently testing** because I have no idea if mod_md will update these certs
itself or if I should run certbot again when it's needed. In the meantime I monitor my
website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
expiring certificates.
The binary (`dns-challenge.phar`) that actually does the DNS Challenge is taken from
[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).
An **easier way** to obtain wildcard certificates would be the use of **Cloudflares proxy**.
They would also create another wildcard cert of another issuer in case the first one
would get compromised so they would actually replace your main cert with a backup cert
just with a whoooop.
Certbot commands have been taken from
[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
at dev.to.
## Get some filesystem information
~~~console

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

Loading…
Cancel
Save