diff options
Diffstat (limited to 'pages/docs')
-rw-r--r-- | pages/docs/platform/guide/keys-and-certificates.md | 58 | ||||
-rw-r--r-- | pages/docs/platform/tutorials/vagrant.md | 4 |
2 files changed, 59 insertions, 3 deletions
diff --git a/pages/docs/platform/guide/keys-and-certificates.md b/pages/docs/platform/guide/keys-and-certificates.md index cf356df..8683a1f 100644 --- a/pages/docs/platform/guide/keys-and-certificates.md +++ b/pages/docs/platform/guide/keys-and-certificates.md @@ -248,3 +248,61 @@ Let's Encrypt validations are short lived. You will need to renew the certificat There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP. +## Issues + +### Certs already expired + +When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment. + + +#### Install the official acme client + +Log in to your webapp node and install the `certbot` package: + + server$ apt install -t jessie-backports certbot + +#### Fetch cert + +Stop apache so the letsencrypt client can bind to port 80: + + server$ systemctl stop apache2 + +Fetch the certs + + server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d) + +This will put the certs and keys into `/etc/letsencrypt/live/DOMAIN/`. + +Now, go to your workstation's provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes. + + workstation$ cd PATH_TO_PROVIDER_CONFIG + +Copy the Certificate + + workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt + +Copy the private key + + workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key + +Copy the CA chain cert + + workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt + +#### Deploy the certs + +Now you only need to deploy the certs + + workstation$ leap deploy + +This will put them into the right locations which are: + +- `/etc/x509/certs/leap_commercial.crt` for the certificate +- `/etc/x509/./keys/leap_commercial.key` for the private key +- `/usr/local/share/ca-certificates/leap_commercial_ca.crt` for the CA chain cert. + +Start apache2 again + + server$ systemctl start apache2 + +Done! In the future please make sure to always renew letsencrypt certificates before they expire ;). diff --git a/pages/docs/platform/tutorials/vagrant.md b/pages/docs/platform/tutorials/vagrant.md index 710c266..a741b1b 100644 --- a/pages/docs/platform/tutorials/vagrant.md +++ b/pages/docs/platform/tutorials/vagrant.md @@ -302,7 +302,7 @@ By default, Vagrant will use VirtualBox to create the virtual machines, but this sudo apt-get install ruby-dev libxslt-dev libxml2-dev libvirt-dev # install the required plugins - vagrant plugin install vagrant-libvirt fog fog-libvirt sahara + vagrant plugin install vagrant-libvirt sahara Log out and then log back in. @@ -353,8 +353,6 @@ Known issues * `Call to virConnectOpen failed: internal error: Unable to locate libvirtd daemon in /usr/sbin (to override, set $LIBVIRTD_PATH to the name of the libvirtd binary)` - you don't have the libvirtd daemon running or installed, be sure you installed the 'libvirt-bin' package and it is running * `Call to virConnectOpen failed: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied` - you need to be in the libvirt group to access the socket, do 'sudo adduser <user> libvirtd' and then re-login to your session. * if each call to vagrant ends up with a segfault, it may be because you still have virtualbox around. if so, remove virtualbox to keep only libvirt + KVM. according to https://github.com/pradels/vagrant-libvirt/issues/75 having two virtualization engines installed simultaneously can lead to such weird issues. -* see the [vagrant-libvirt issue list on github](https://github.com/pradels/vagrant-libvirt/issues) -* be sure to use vagrant-libvirt >= 0.0.11 and sahara >= 0.0.16 (which are the latest stable gems you would get with `vagrant plugin install [vagrant-libvirt|sahara]`) for proper libvirt support, Useful commands ------------------------ |