Junos OS

  • 1.  Let's Encrypt certificate for conductor

    Posted 06-15-2020 08:39
    Hi All,

    I have a request from a customer to install certificates on the conductors so that we don't receive the certificate error on these platforms anymore. 

    From what I understand, Let's Encrypt provides this functionality and should be pretty easy to implement. My question is do you have a guide on specifically how to do something like this on the conductor, and whether it would be possible? 

    How are other customers installing their own certificates to solve this problem? 

    Regards,

    ------------------------------
    Morne Vermeulen
    Core Engineer
    +27 (0) 10 141 8512
    ------------------------------


  • 2.  RE: Let's Encrypt certificate for conductor

    Posted 06-17-2020 06:03

    Hi Morne,

    Basically, the certbot tool, a script to retrieve and update the webserver certificate, and a firewall rule are what you need:

    Firstly, install the certbot tool and update the firewall in order to open port 80:

    $ dnf install -y certbot
    $ firewall-cmd --permanent --add-service=http --zone t128
    $ firewall-cmd --reload


    Secondly, make sure your FQDN resolves publicly to the IP address of your conductor:

    $ host conductor.example.com 8.8.8.8


    Then create a script that ties it all together (replace "conductor.example.com" with your FQDN):

    $ cat > /usr/local/sbin/renew-certificate.sh <<'EOF'
    #!/bin/sh
    # Obtain or renew the Let's Encrypt certificate via the webroot challenge and
    # install fullchain + private key as the conductor's webserver.pem.
    set -eu
    DOMAIN=conductor.example.com
    LIVE=/etc/letsencrypt/live/$DOMAIN
    TARGET=/etc/128technology/pki/webserver.pem
    # The hook writes to a temp file and moves it into place, so a failed cat
    # cannot leave an empty webserver.pem behind.
    certbot certonly -d "$DOMAIN" --register-unsafely-without-email --webroot --webroot-path /var/www/128technology/ --agree-tos --quiet --post-hook "cat $LIVE/fullchain.pem $LIVE/privkey.pem > $TARGET.tmp && mv $TARGET.tmp $TARGET"
    EOF
    $ chmod +x /usr/local/sbin/renew-certificate.sh


    Now you should be able to call that script from the shell:

    $ /usr/local/sbin/renew-certificate.sh

    It should confirm the certificate retrieval with "Congratulations". If not, double-check the conductor is reachable from the internet on port tcp/80.

    Finally, install a cron job that tries to renew the certificate every two months or so:

    $ crontab -e
    42 23 1 */2 *	/usr/local/sbin/renew-certificate.sh


    Done.



    ------------------------------
    Mathias Jeschke
    Sales Engineer
    Burlington MA
    +1.781.203.8400
    ------------------------------
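    One check worth running after the script above, added here as an example and not code from the original post or from 128 Technology: it verifies that the bundle the post-hook writes to /etc/128technology/pki/webserver.pem has the shape the web server expects (one or more CERTIFICATE blocks followed by exactly one private key, each a complete DER structure), which catches the empty or truncated file a failed post-hook can leave behind. The PEM content used as sample input is constructed, not a real certificate or key.

```python
import base64
import binascii
import re
# One PEM block: label, base64 body, matching END line (re.S lets the body span lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem_blocks(text):
    """Return (label, DER bytes) per PEM block; raises binascii.Error on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def der_sequence_ok(der):
    """True if der is one complete outer SEQUENCE (tag 0x30) whose length matches its payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                     # short-form length
        length, header = der[1], 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)

def check_bundle(text):
    """Return the problems found in a fullchain+privkey bundle (empty list = looks sane)."""
    try:
        blocks = parse_pem_blocks(text)
    except (binascii.Error, ValueError) as exc:
        return [f"bad base64 in PEM block: {exc}"]
    labels = [label for label, _ in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (a failed post-hook leaves an empty file)")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must come last (fullchain first, then privkey)")
    problems += [f"block {i} ({label}) is not a complete DER SEQUENCE"
                 for i, (label, der) in enumerate(blocks) if not der_sequence_ok(der)]
    return problems

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed stand-in DER, SEQUENCE { INTEGER 5 }: well-formed, but not a real cert or key.
FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_GOOD = pem("CERTIFICATE", FAKE_DER) * 2 + pem("PRIVATE KEY", FAKE_DER)
```

    Against the live conductor, read webserver.pem and pass its contents to check_bundle(); an empty list means the bundle is structurally sound, a non-empty list names what is wrong.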



  • 3.  RE: Let's Encrypt certificate for conductor

    Posted 06-17-2020 07:35
    Thanks Mathias, appreciate that feedback here. 

    And I assume the regular info is required with regards to having a cert installed from Let's Encrypt? For instance, I need a DNS entry with the domain owned by the customer for the certbot to know I am an authorised user of this domain, and all the other info?

    Regards,

    ------------------------------
    Morne Vermeulen
    Core Engineer
    +27 (0) 10 141 8512
    ------------------------------



  • 4.  RE: Let's Encrypt certificate for conductor

    Posted 06-17-2020 07:44

    Hi Morne,

    The authorization is done by a challenge-response protocol. This is why port 80 is needed and the FQDN (A record) has to point to the conductor's public IP.

    Of course, this works only for publicly reachable systems. For private systems and/or wildcard certificates, Let's Encrypt offers DNS validation, which is more complex, since the certbot requires a way to dynamically place a TXT record into the company's DNS server/database.

    I hope this answers your question.

    Mathias



    ------------------------------
    Mathias Jeschke
    Sales Engineer
    Burlington MA
    +1.781.203.8400
    ------------------------------



  • 5.  RE: Let's Encrypt certificate for conductor

    Posted 07-02-2020 05:19
    Hi Mathias, 

    Thanks for the info on this one - tested and working. 

    Regards,

    ------------------------------
    Morne Vermeulen
    Core Engineer
    +27 (0) 10 141 8512
    ------------------------------