...

Info

These instructions are for an Ubuntu installation with nginx as the web server. This method lets a user obtain (free) certificates from an open-source provider and requires the website name to be publicly accessible. These instructions may not be applicable in other environments. Follow all applicable certificate policies when installing.

Instructions for creating and renewing a certificate are here.

Before obtaining the certificates, ensure that there are two DNS A records for the website name (i.e. demonodepublicdns).

...

Automatic certificate renewal uses a cronjob to run the update command twice a day.

     1. Ensure the following command completes successfully. It will not make any changes. The cronjob will run the same command (without `--dry-run`) to update the certificate when it is due for renewal.

Code Block (bash): Testing Automatic Update Command

```bash
user@ls:/var/www# sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cert.test2.ohie.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
IMPORTANT NOTES:
 - The dry run was successful.
```
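The dry run above only succeeds when the webroot the http-01 challenge writes into is usable and the name resolves, so it helps to check those preconditions before running it. The following preflight script is an added example, not part of the original page or of certbot; it writes a certbot config file of the kind the page passes with `--config` (the keys are certbot's long option names without the leading dashes), verifies that the `.well-known/acme-challenge` directory under the webroot can be written, and counts A records with glibc's `getent ahostsv4`. The config path, domain, webroot and e-mail address in the usage comment are the page's values plus a placeholder address.

```bash
#!/bin/bash
# Added example (not from the original page): preflight checks for the
# webroot renewal flow before running the certbot dry run.
set -u

# Write a certbot config for the webroot flow. Certbot reads the same
# options it accepts on the command line, minus the leading dashes.
write_certbot_config() {
  local conf="$1" domain="$2" webroot="$3" email="$4"
  cat > "$conf" <<EOF
# certbot config for ${domain} (written by the preflight script)
authenticator = webroot
webroot-path = ${webroot}
domains = ${domain}
email = ${email}
rsa-key-size = 4096
agree-tos = true
EOF
}

# The http-01 challenge places a token under
# <webroot>/.well-known/acme-challenge/, so confirm that directory exists
# (creating it if needed) and that a file can be written and removed there.
check_webroot() {
  local webroot="$1" dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  local probe="$dir/preflight-$$"
  echo ok > "$probe" || return 1
  rm -f "$probe"
  return 0
}

# Number of distinct IPv4 addresses the name resolves to (glibc getent).
# The page asks for two A records; at least one is required to proceed.
count_a_records() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | wc -l
}

# Run all checks; returns 0 only when the dry run has a chance of passing.
preflight() {
  local conf="$1" domain="$2" webroot="$3" email="$4"
  write_certbot_config "$conf" "$domain" "$webroot" "$email" || return 1
  check_webroot "$webroot" || { echo "webroot $webroot is not writable" >&2; return 1; }
  local n
  n=$(count_a_records "$domain")
  [ "$n" -ge 1 ] || { echo "no A record found for $domain" >&2; return 1; }
  echo "preflight ok: $domain has $n A record(s), webroot $webroot writable"
  return 0
}

# Usage with the page's paths (admin@example.com is a placeholder):
#   preflight /etc/letsencrypt/configs/ls.datim4u.org.conf ls.datim4u.org /var/www/html admin@example.com \
#     && sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly --dry-run
```

Run the preflight as root (or a user that may write under the webroot) before the dry run; a failure of `check_webroot` is the usual reason the http-01 challenge stalls at "Waiting for verification...".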

...

  • Store this script under `/etc/certbot_renewal/update_OpenHIM.sh`.
  • Ensure it is executable by running `chmod +x /etc/certbot_renewal/update_OpenHIM.sh`.

Code Block (bash): update_OpenHIM.sh

In Progress

...

  • Store this script under `/etc/certbot_renewal/renewal_cronjob.sh`.
  • Ensure it is executable by running `chmod +x /etc/certbot_renewal/renewal_cronjob.sh`.

Code Block (bash): renewal_cronjob.sh

```bash
#!/bin/bash
## navigate to the directory that contains ./certbot-auto
## (abort if the directory is missing, otherwise ./certbot-auto cannot be found)
cd /path/to/certbot-auto || exit 1
## check if the certificate is expiring soon and renew it if needed
##   -n             ensures a noninteractive session
##   --renew-hook   command only fires if a certificate is actually renewed
sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly \
  --renew-hook "/etc/certbot_renewal/update_OpenHIM.sh" -n
exit 0
```

...

can be installed on a DATIM box to ensure that the certificate on this machine is automatically renewed. The process consists of two parts:

  1. Install the package `datim-auto-cert-updater`
    1. Ensure the PPA is installed
    2. Configure the installation
  2. Test the installation
    1. Immediately check that all functionality works
    2. Return in a few days and check that the cronjob is called successfully

The instructions to do these steps are outlined at the following link: https://github.com/OHIEDATIM/datim-auto-cert-updater/blob/master/docs/testing/readme.md

Certificate creation on CentOS:

BAO has created custom scripts to aid in the creation of certificates on CentOS and Amazon Linux hosts. That script is called certbot-new and is available on hosts with the BAO yum repository installed. In order to create a new certificate, use the following steps:

  • If you need a cert for $( hostname ):
    • Use the wrapper script: certbot-new --domain=$( hostname )
    • Add the Nginx config from certbot-new to /etc/nginx/conf.d/ssl-files.conf
  • Create another certificate if $( hostname ) begins with www. or is a naked domain:
    • Use the wrapper script: certbot-new --domain=www.example.com
    • Add the Nginx config to the non-default server{} in Nginx, NOT the conf.d/ssl-files.conf file (that is intended for the default hostname/domain)

Certificate Renewal:

If the server was installed by BAO, or using BAO's tools, the cron job will automatically be installed in /etc/cron.daily/certbot-renew.

Essentially, the certbot-renew script runs the following:

```bash
certbot \
  renew \
  --quiet \
  --non-interactive \
  --agree-tos \
  --preferred-challenges 'http-01' \
  --pre-hook '/bin/mkdir -pv /var/lib/letsencrypt/html/' \
  --renew-hook "$RENEW_HOOK"
```
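Both renewal paths on this page (the Ubuntu `renewal_cronjob.sh` and BAO's `/etc/cron.daily/certbot-renew`) run unattended, and the two failures operators usually discover late are a certificate that quietly entered the renewal window without being renewed, and a renewal whose hook never reloaded the web server, so nginx keeps presenting the old certificate. The script below is an added example, not part of the page or of BAO's tools; it assumes `openssl` is installed, that certificates live under certbot's default `/etc/letsencrypt/live/<name>/cert.pem` layout, and uses certbot's own 30-day renewal window as the default threshold. `served_fingerprint` needs network access to the host being checked; the other functions work on files alone.

```bash
#!/bin/bash
# Added example (not from the page or BAO's tools): post-renewal checks that
# a cron job can run after certbot. Reports certificates inside the 30-day
# renewal window and detects a server still presenting the old certificate.
set -u

# Exit 0 when the certificate expires within the given number of days,
# 1 when it stays valid beyond that window, 2 when the file is unreadable.
# A certificate openssl cannot parse is reported as expiring, so it gets looked at.
cert_expires_within() {
  local pem="$1" days="$2"
  [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 2; }
  if openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# SHA-256 fingerprint of the certificate on disk (colon-separated hex).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the server actually presents for a
# name (SNI). Requires network access; not exercised offline.
served_fingerprint() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when the served certificate is the one on disk, i.e. the renew hook
# really reloaded the server after the last renewal.
served_matches_disk() {
  local pem="$1" host="$2"
  [ "$(cert_fingerprint "$pem")" = "$(served_fingerprint "$host")" ]
}

# Walk certbot's live directory and flag every certificate inside the window.
# Exit 1 if any certificate is due, so cron mails the report.
report_live_certs() {
  local live="${1:-/etc/letsencrypt/live}" window="${2:-30}" rc=0
  for pem in "$live"/*/cert.pem; do
    [ -e "$pem" ] || continue
    local name
    name=$(basename "$(dirname "$pem")")
    if cert_expires_within "$pem" "$window"; then
      echo "RENEWAL DUE: $name expires within $window days"
      rc=1
    else
      echo "ok: $name"
    fi
  done
  return $rc
}

# Usage with the page's host name (hypothetical live directory entry):
#   report_live_certs
#   served_matches_disk /etc/letsencrypt/live/ls.datim4u.org/cert.pem ls.datim4u.org \
#     || echo "nginx is still serving the previous certificate; reload it"
```

Schedule `report_live_certs` a few hours after the renewal cron job so that it observes the result of that run; a "RENEWAL DUE" line that persists across days means the renewal command itself is failing and its log under `/var/log/letsencrypt/` should be read, while a fingerprint mismatch points at the renew hook rather than at certbot.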

  • Run `crontab -e`.  Add the following contents:

...

Code Block (bash): crontab -e contents

...