Get wildcard certificates on a server
After automating your Let's Encrypt wildcard generation (as described in Automate the verification of Let's Encrypt wildcard certificates), you are left with the problem of getting the certificates to the servers that are going to use them.
My set-up has a script running after the renewal that packs up the generated keys and certificates. In addition to some copying of files, it also packs the certificates into PKCS#12 bundles, using a GNU Make makefile that looks essentially like this:
all: emeademo.eu.bundle.pfx
# The recipe line must be tab-indented. ${password} is a make variable; pass: puts it in the process list, env: or file: would not.
%.bundle.pfx: live/%/cert.pem live/%/fullchain.pem live/%/privkey.pem
	openssl pkcs12 -export -out $@ -inkey live/$*/privkey.pem -in live/$*/cert.pem -certfile live/$*/fullchain.pem -password pass:${password}
The directory this runs in has a copy of the live section of /etc/letsencrypt in it. The list of bundles to generate is in reality longer than just one.
The content of the directory is then picked up by a periodic script (left as an exercise to the reader) that copies the *.pem and *.pfx files into some directories on a local server that is accessible to a technical user.
When I set up a new VM (such as described in Build a non-production Ubuntu server VM) that needs wildcard certificates, the following steps are necessary.
On the new server, as the standard user, generate a new SSH key with no passphrase:
$ ssh-keygen -t ed25519 -N ""
Then add the public key to the authorized_keys file for the technical user on the server where the certificates reside.
Create a script bin/update-certs.sh on the new server and make it executable. This is an example for NGINX; copy the files to other places and restart other services as necessary.
#! /bin/sh
# Fetch the current certificate files from the cert host over SSH (key-based, no passphrase),
# then install them for NGINX and restart it. Runs as the standard user, which needs sudo rights.
# Adjust the three placeholders to your set-up.
mkdir -p ~/certs
scp ${technical_user}@${system_with_the_certs}:${folder_with_the_right_certs}/* ~/certs/ && \
sudo cp ~/certs/* /etc/nginx/certs/ && \
sudo chown -R root:www-data /etc/nginx/certs/* && \
sudo systemctl restart nginx
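As an added example (not the post's script), a stricter version of the same update script: it refuses a bundle whose key and certificate do not match or whose certificate is about to expire, tightens the file modes on the private material, and reloads NGINX only when the files actually changed and nginx -t passes. REMOTE, REMOTE_DIR, LOCAL_CACHE, CERT_DIR and OWNER are placeholders, and the cert host is assumed to hold the same cert.pem/privkey.pem layout as the post's live directory.

```shell
#!/bin/sh
# Added example, not the post's script: a stricter bin/update-certs.sh.
# REMOTE, REMOTE_DIR, LOCAL_CACHE, CERT_DIR and OWNER are placeholders to adjust.
set -eu
REMOTE="${REMOTE:-technical_user@certs.example.internal}"   # placeholder host
REMOTE_DIR="${REMOTE_DIR:-/srv/certs/emeademo.eu}"          # placeholder dir
LOCAL_CACHE="${LOCAL_CACHE:-$HOME/certs}"
CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"
OWNER="${OWNER:-root:www-data}"   # root owns, nginx workers' group may read
AS_ROOT="${AS_ROOT:-sudo}"        # set empty when already running as root
# Return 0 if any file in $1 is missing from $2 or differs byte-for-byte, else 1.
certs_changed() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$2/$(basename "$f")" 2>/dev/null || return 0
    done
    return 1
}
# Private material (key, PKCS#12 bundle) is readable by owner and group only.
mode_for() {
    case "$1" in privkey.pem|*.pfx) echo 640 ;; *) echo 644 ;; esac
}
# Refuse a bundle whose key does not match its cert, or whose cert expires
# within a day: either means the renewal on the cert host went wrong.
sanity_check() {
    c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    k=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$c" = "$k" ] || { echo "key/cert mismatch in $1" >&2; return 1; }
    openssl x509 -in "$1/cert.pem" -noout -checkend 86400
}
# Copy $1/* into $2, then fix ownership and mode on every installed file.
install_certs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        dst="$2/$(basename "$f")"
        $AS_ROOT cp "$f" "$dst"
        $AS_ROOT chown "$OWNER" "$dst"
        $AS_ROOT chmod "$(mode_for "$(basename "$f")")" "$dst"
    done
}
main() {
    mkdir -p "$LOCAL_CACHE"
    scp -q "$REMOTE:$REMOTE_DIR/*" "$LOCAL_CACHE/"
    sanity_check "$LOCAL_CACHE"
    # Only touch nginx when something changed, and only after its config test passes.
    if certs_changed "$LOCAL_CACHE" "$CERT_DIR"; then
        install_certs "$LOCAL_CACHE" "$CERT_DIR"
        $AS_ROOT nginx -t && $AS_ROOT systemctl reload nginx
    fi
}
if [ "${1:-}" = run ]; then main; fi   # invoke as: update-certs.sh run
```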
So far I haven't found it necessary to automate this further. Maybe one day …