Original Message:
Sent: 06-17-2020 07:43
From: Mathias Jeschke
Subject: Let's Encrypt certificate for conductor
Hi Morne,
The authorization is done by a challenge-response protocol. This is why port 80 is needed and the fqdn (A record) has to point to the conductor's public IP.
Of course, this works only for publicly reachable systems. For private systems and/or wildcard certificates Let's Encrypt offers DNS validation, which is more complex, since the certbot requires a way to dynamically place a TXT record into the company's DNS server/database.
I hope this answers your question.
Mathias
------------------------------
Mathias Jeschke
Sales Engineer
Burlington MA
+1.781.203.8400
Original Message:
Sent: 06-17-2020 07:35
From: Morne Vermeulen
Subject: Let's Encrypt certificate for conductor
Thanks Mathias, appreciate that feedback here.
And I assume the regular info is required with regards to having a cert installed from Let's Encrypt? For instance, I need a DNS entry with the domain owned by the customer for the certbot to know I am an authorised user of this domain, and all the other info?
Regards,
------------------------------
Morne Vermeulen
Core Engineer
+27 (0) 10 141 8512
Original Message:
Sent: 06-17-2020 06:03
From: Mathias Jeschke
Subject: Let's Encrypt certificate for conductor
Hi Morne,
Basically, the certbot tool, a script to retrieve and update the webserver certificate and a firewall rule is what you need:
Firstly, install the certbot tool and update the firewall in order to open port 80:
$ dnf install -y certbot
$ firewall-cmd --permanent --add-service=http --zone t128
$ firewall-cmd --reload
Secondly, make sure your fqdn resolves publicly to the IP address of your conductor:
$ host conductor.example.com 8.8.8.8
Then create a script that binds it all together (replace "conductor.example.com" with your FQDN):
$ cat > /usr/local/sbin/renew-certificate.sh <<'EOF'
#!/bin/sh
DOMAIN=conductor.example.com
# webroot challenge: certbot drops the HTTP-01 token under the conductor's web root;
# the post-hook concatenates the issued chain and key into the conductor's web server PEM
certbot certonly -d $DOMAIN --register-unsafely-without-email --webroot --webroot-path /var/www/128technology/ --agree-tos --quiet --post-hook "cat /etc/letsencrypt/live/$DOMAIN/{fullchain,privkey}.pem > /etc/128technology/pki/webserver.pem"
EOF
$ chmod +x /usr/local/sbin/renew-certificate.sh
Now you should be able to call that script from the shell:
$ /usr/local/sbin/renew-certificate.sh
It should confirm the certificate retrieval with "Congratulations". If not, double-check the conductor is reachable from the internet on port tcp/80.
Finally, install a cronjob that tries to renew the certificate every two months or so:
$ crontab -e
42 23 1 */2 * /usr/local/sbin/renew-certificate.sh
Done.
------------------------------
Mathias Jeschke
Sales Engineer
Burlington MA
+1.781.203.8400
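A safer stand-in for the post-hook in the procedure above, added here as an example and not code from the thread or from 128 Technology: the `cat ... > webserver.pem` redirect truncates the live bundle before anything is read, so a typo in DOMAIN or a missing file leaves the conductor with an empty or partial PEM. This version builds the bundle in a temp file, checks it with openssl (key present, key matches the leaf certificate, not expiring within 30 days) and only then moves it into place atomically; it assumes openssl and GNU coreutils are installed, and the `make_fake_live` helper is constructed test input, not a Let's Encrypt directory.

```shell
#!/bin/sh
# Added example (not from the thread): a safer stand-in for the post-hook
#   cat /etc/letsencrypt/live/$DOMAIN/{fullchain,privkey}.pem > webserver.pem
# That redirect truncates webserver.pem before cat reads anything, so a typo
# in DOMAIN or a missing file leaves the conductor with an empty/partial bundle.
# Here the bundle is built in a temp file, checked with openssl, then moved
# into place atomically. Assumes openssl and GNU coreutils are installed.
set -u

# bundle_ok FILE: returns 0 when FILE holds exactly one private key plus at
# least one certificate, the key matches the leaf certificate, and the leaf
# is still valid 30 days (2592000 s) from now.
bundle_ok() {
    f=$1
    keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$f")
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] || return 1
    # public key derived from the private key must equal the leaf cert's
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 1
    openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1
}

# install_bundle LIVE_DIR DEST: assemble fullchain+privkey from LIVE_DIR,
# validate, then atomically replace DEST; on any failure DEST is untouched.
install_bundle() {
    live=$1; dest=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # mktemp creates the file 0600; copy DEST's existing mode so the
    # conductor's web server keeps whatever access it had before
    if cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" 2>/dev/null \
        && bundle_ok "$tmp" \
        && { [ ! -e "$dest" ] || chmod --reference="$dest" "$tmp"; } \
        && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# make_fake_live DIR: constructed test input standing in for
# /etc/letsencrypt/live/<domain>: a self-signed cert valid for 90 days.
make_fake_live() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj '/CN=conductor.example.com' \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}
```

With the thread's paths the hook call becomes `install_bundle /etc/letsencrypt/live/$DOMAIN /etc/128technology/pki/webserver.pem`, and a non-zero exit from it makes certbot report the hook failure instead of silently leaving a broken PEM.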
Original Message:
Sent: 06-15-2020 08:39
From: Morne Vermeulen
Subject: Let's Encrypt certificate for conductor
Hi All,
I have a request from a customer to install certificates on the conductors so that we don't receive the certificate error on these platforms anymore.
From what I understand, Let's Encrypt provides this functionality and should be pretty easy to implement. My question is do you have a guide on specifically how to do something like this on the conductor, and whether it would be possible?
How are other customers installing their own certificates to solve this problem?
Regards,
------------------------------
Morne Vermeulen
Core Engineer
+27 (0) 10 141 8512
------------------------------