From 20e934063f009a6f03754a825d7b823f74881490 Mon Sep 17 00:00:00 2001 From: Mario Alegre Date: Sun, 31 May 2020 18:25:14 -0500 Subject: [PATCH] rename --- linux/letsencrypt-haproxy/dehydrated.md | 87 ------------------- .../acme-sh.md | 0 .../certbot.md | 0 3 files changed, 87 deletions(-) delete mode 100644 linux/letsencrypt-haproxy/dehydrated.md rename linux/{letsencrypt-haproxy => letsencrypt}/acme-sh.md (100%) rename linux/{letsencrypt-haproxy => letsencrypt}/certbot.md (100%) diff --git a/linux/letsencrypt-haproxy/dehydrated.md b/linux/letsencrypt-haproxy/dehydrated.md deleted file mode 100644 index fd11f6b..0000000 --- a/linux/letsencrypt-haproxy/dehydrated.md +++ /dev/null 
@@ -1,87 +0,0 @@ -# use dehydrated to automatically generate and renew Let's Encrypt certificates for HAproxy - -## Install - -install `curl`: -``` -apt install curl -``` -download the dehydrated script to `/usr/local/bin`: -``` -cd /usr/local/bin/ -wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated -chmod +x dehydrated -``` - -## Configure HAproxy HTTP - -we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. The beginning of your web frontend should look like: -``` -frontend www - bind *:80 - option forwardfor - - # Reroute certbot requests to certbot - use_backend certbot if { path_beg /.well-known/acme-challenge/ } - - ... -``` -and also add a backend: -``` -backend certbot - server certbot localhost:8888 -``` - -## Configure Certbot - -We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines: -``` -standalone -# tls-sni challenge is deprecated -preferred-challenges = http -http-01-port = 8888 -deploy-hook = /etc/letsencrypt/deploy-hook.sh -``` -We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be: -``` -#!/bin/sh - -mkdir -p /etc/haproxy/certs -base=$(basename $RENEWED_LINEAGE) -cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem -#etckeeper commit "got new Let's Encrypt certificate for $base" -service haproxy reload -``` -(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable: -``` -chmod +x /etc/letsencrypt/deploy-hook.sh -``` - -With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration. 
- -## Get Certificate - -Run Certbot to get a certificate: -``` -certbot certonly -``` -After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you. - -## Configure HAproxy HTTPs - -Now that you have HTTPs working, you can configure HAproxy for HTTPs. The beginning of your web frontend should now look like: -``` -frontend www - bind *:80 - bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 - option forwardfor - http-request set-header X-Forwarded-Proto https if { ssl_fc } - - # Reroute letsencrypt requests to certbot - use_backend certbot if { path_beg /.well-known/acme-challenge/ } - - # Reroute HTTP to HTTPs - http-request redirect scheme https if !{ ssl_fc } - - ... -``` diff --git a/linux/letsencrypt-haproxy/acme-sh.md b/linux/letsencrypt/acme-sh.md similarity index 100% rename from linux/letsencrypt-haproxy/acme-sh.md rename to linux/letsencrypt/acme-sh.md diff --git a/linux/letsencrypt-haproxy/certbot.md b/linux/letsencrypt/certbot.md similarity index 100% rename from linux/letsencrypt-haproxy/certbot.md rename to linux/letsencrypt/certbot.md
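Review bot: the subject line "rename" does not describe this patch, whose only content change is the 87-line deletion of linux/letsencrypt-haproxy/dehydrated.md; the two renames of acme-sh.md and certbot.md into linux/letsencrypt/ carry no diff. Please say in the commit message why the file is dropped: the deleted text installs the dehydrated script in its "Install" section but every later section ("Configure Certbot", `/etc/letsencrypt/cli.ini`, `certbot certonly`, the `deploy-hook` reading `$RENEWED_LINEAGE`) is certbot material, so it reads as a mislabelled certbot guide rather than a dehydrated one, and a reviewer cannot tell from "rename" whether the intent is to remove it as a duplicate of certbot.md or to replace it later with a real dehydrated walkthrough. If any of the deleted text is moved elsewhere, note that its deploy hook concatenates `privkey.pem` into `/etc/haproxy/certs/$base.pem` without quoting `$RENEWED_LINEAGE` or restricting the permissions of the resulting file, which is worth fixing wherever it lands.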