summaryrefslogtreecommitdiff
path: root/docs/en/guide/keys-and-certificates
diff options
context:
space:
mode:
Diffstat (limited to 'docs/en/guide/keys-and-certificates')
-rw-r--r--docs/en/guide/keys-and-certificates/index.html89
1 files changed, 89 insertions, 0 deletions
diff --git a/docs/en/guide/keys-and-certificates/index.html b/docs/en/guide/keys-and-certificates/index.html
index 016a03a7..95279270 100644
--- a/docs/en/guide/keys-and-certificates/index.html
+++ b/docs/en/guide/keys-and-certificates/index.html
@@ -181,6 +181,25 @@ Keys and Certificates - LEAP Platform Documentation
<li>
<a href="index.html#renewing-a-certificate">Renewing a certificate</a>
</li>
+ <li>
+ <a href="index.html#issues">Issues</a>
+ <ol>
+ <li>
+ <a href="index.html#certs-already-expired">Certs already expired</a>
+ <ol>
+ <li>
+ <a href="index.html#install-the-official-acme-client">Install the official acme client</a>
+ </li>
+ <li>
+ <a href="index.html#fetch-cert">Fetch cert</a>
+ </li>
+ <li>
+ <a href="index.html#deploy-the-certs">Deploy the certs</a>
+ </li>
+ </ol>
+ </li>
+ </ol>
+ </li>
</ol>
</li>
</ol></div>
@@ -445,6 +464,76 @@ workstation$ leap deploy
<p>There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.</p>
+<h2><a name="issues"></a>Issues</h2>
+
+<h3><a name="certs-already-expired"></a>Certs already expired</h3>
+
+<p>When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.</p>
+
+<h4><a name="install-the-official-acme-client"></a>Install the official acme client</h4>
+
+<p>Log in to your webapp node and install the <code>certbot</code> package:</p>
+
+<pre><code>server$ apt install -t jessie-backports certbot
+</code></pre>
+
+<h4><a name="fetch-cert"></a>Fetch cert</h4>
+
+<p>Stop apache so the letsencrypt client can bind to port 80:</p>
+
+<pre><code>server$ systemctl stop apache2
+</code></pre>
+
+<p>Fetch the certs</p>
+
+<pre><code>server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
+</code></pre>
+
+<p>This will put the certs and keys into <code>/etc/letsencrypt/live/DOMAIN/</code>.</p>
+
+<p>Now, go to your workstation&rsquo;s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.</p>
+
+<pre><code>workstation$ cd PATH_TO_PROVIDER_CONFIG
+</code></pre>
+
+<p>Copy the Certificate</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
+</code></pre>
+
+<p>Copy the private key</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
+</code></pre>
+
+<p>Copy the CA chain cert</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
+</code></pre>
+
+<h4><a name="deploy-the-certs"></a>Deploy the certs</h4>
+
+<p>Now you only need to deploy the certs</p>
+
+<pre><code>workstation$ leap deploy
+</code></pre>
+
+<p>This will put them into the right locations which are:</p>
+
+<ul>
+<li><code>/etc/x509/certs/leap_commercial.crt</code> for the certificate</li>
+<li><code>/etc/x509/./keys/leap_commercial.key</code> for the private key</li>
+<li><code>/usr/local/share/ca-certificates/leap_commercial_ca.crt</code> for the CA chain cert.</li>
+</ul>
+
+
+<p>Start apache2 again</p>
+
+<pre><code>server$ systemctl start apache2
+</code></pre>
+
+<p>Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).</p>
+
</div>
</div>
</body>