Note to Self

Get wildcard certificates on a server

After automating your Let's Encrypt wildcard generation (as described in Automate the verification of Let's Encrypt wildcard certificates), you are left with the problem of getting the certificates to the servers that are going to use them.

My set-up has a script running after the update that packs up the generated keys. In addition to some copying of files, it also packs the certificates into bundles, using a GNU Make makefile that looks essentially like this:


# Pattern rule: <name>.bundle.pfx is built from the three PEM files under live/<name>/.
# The recipe line must be indented with a tab. ${password} is a make variable holding
# the PKCS#12 export password (e.g. make password=... example.bundle.pfx); note that
# "pass:" makes it visible in the process list, "env:" or "file:" would not.
%.bundle.pfx: live/%/cert.pem live/%/fullchain.pem live/%/privkey.pem
	openssl pkcs12 -export -out $@ -inkey live/$*/privkey.pem -in live/$*/cert.pem -certfile live/$*/fullchain.pem -password pass:${password}

The directory this runs in has a copy of the live section of /etc/letsencrypt in it. The list of bundles to generate is in reality longer than just one.

The content of the directory is then picked up by a periodic script (left as an exercise to the reader) that copies the *.pem and *.pfx files into some directories on a local server that is accessible to a technical user.

When I set up a new VM (such as described in Build a non-production Ubuntu server VM) that needs wildcard certificates, the following steps are necessary.

On the new server, as the standard user, generate a new SSH key with no password:

$ ssh-keygen -t ed25519 -N ""

Then add the public key to the authorized_keys file for the technical user on the server where the certificates reside.

Create a script bin/ on the new server and make it executable. This is an example for NGINX; copy to other places and restart other services as necessary.

#! /bin/sh
# Pull the wildcard certificate files from the certificate host and install them
# for NGINX. ${technical_user}, ${system_with_the_certs} and
# ${folder_with_the_right_certs} are placeholders for your own values.

mkdir -p ~/certs
scp ${technical_user}@${system_with_the_certs}:${folder_with_the_right_certs}/* ~/certs/ && \
        sudo cp ~/certs/* /etc/nginx/certs/ && \
        sudo chown -R root:www-data /etc/nginx/certs/* && \
        sudo systemctl restart nginx
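A more defensive version of that pull script, added here as an example and not the script from the note: it stages the files under ~/certs, refuses to install a bundle whose private key does not match its certificate or whose certificate is about to expire, installs with permissions that keep the private key readable by root and www-data only, and restarts nginx only when the files actually changed. The user, host and folder defaults (certuser, certs.example.internal, /srv/certs/wildcard) and the script name fetch-certs.sh are placeholders.

```shell
#! /bin/sh
# Added example (not the note's script): pull, check, install, restart only if changed.
set -eu
SRC="${technical_user:-certuser}@${system_with_the_certs:-certs.example.internal}:${folder_with_the_right_certs:-/srv/certs/wildcard}"
STAGE="${STAGE:-$HOME/certs}"
DEST="${DEST:-/etc/nginx/certs}"
SUDO="${SUDO:-sudo}"        # set SUDO= when already root (or in tests)
MIN_DAYS="${MIN_DAYS:-7}"   # refuse a certificate that expires sooner than this

# 0 if the private key and the certificate carry the same public key
cert_pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate is still valid for at least $2 more days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if any file in $1 is missing from, or differs in, $2 (install needed)
certs_changed() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$2/$(basename "$f")" || return 0
    done
    return 1
}

# copy staged files into place; 0 = installed, 1 = nothing to do
install_certs() {
    certs_changed "$1" "$2" || return 1
    $SUDO mkdir -p "$2" && $SUDO cp "$1"/* "$2"/
    $SUDO chmod 640 "$2"/*   # owner and group (www-data) only: a private key is inside
}

main() {
    mkdir -p "$STAGE" && chmod 700 "$STAGE"
    scp -q "$SRC/*" "$STAGE"/
    cert_pair_matches "$STAGE/privkey.pem" "$STAGE/cert.pem" || { echo "key/cert mismatch, not installing" >&2; exit 1; }
    cert_valid_for_days "$STAGE/cert.pem" "$MIN_DAYS" || { echo "cert expires within $MIN_DAYS days, not installing" >&2; exit 1; }
    if install_certs "$STAGE" "$DEST"; then
        $SUDO chown -R root:www-data "$DEST" && $SUDO systemctl restart nginx
    fi
}

# run main only when invoked as the script itself, not when sourced by a test
if [ "${0##*/}" = "fetch-certs.sh" ]; then main; fi
```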

So far I haven't found it necessary to automate this further. Maybe one day …