Verified Commit a5527c7a authored by anarcat

fix markdown syntax

parent 24c514c7
...@@ -22,7 +22,7 @@ Changes performed: ...@@ -22,7 +22,7 @@ Changes performed:
To reproduce the config: To reproduce the config:
1. deploy certbot from the fork: 1. deploy certbot from the fork:
```
git clone https://github.com/certbot/certbot/ git clone https://github.com/certbot/certbot/
cd certbot cd certbot
git remote add -f hpax https://github.com/hpax/certbot.git git remote add -f hpax https://github.com/hpax/certbot.git
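Review bot: the fence added after `1. deploy certbot from the fork:` sits at column 0, which ends the list in Markdown, so each following `1.` item renders as a new list that restarts at 1 instead of continuing the numbered steps; indent the fence and the commands inside it by three spaces under the list item (the same applies to the fences in the later hunks), and consider adding a language tag such as `sh` after the opening backticks so the commands get shell highlighting.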
...@@ -33,48 +33,48 @@ cd certbot ...@@ -33,48 +33,48 @@ cd certbot
~/.virtualenv/certbot/bin/pip3 install . ~/.virtualenv/certbot/bin/pip3 install .
cd ../certbot-dns-rfc2136 cd ../certbot-dns-rfc2136
~/.virtualenv/certbot/bin/pip3 install . ~/.virtualenv/certbot/bin/pip3 install .
```
1. configure a `/etc/letsencrypt/rfc2136-credentials.ini` file with the following content (e.g. on che), the `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_rfc2136_algorithm` parameters are magic and come from the DNS primary : 1. configure a `/etc/letsencrypt/rfc2136-credentials.ini` file with the following content (e.g. on che), the `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_rfc2136_algorithm` parameters are magic and come from the DNS primary :
```
# Target DNS server # Target DNS server
#dns_rfc2136_server = ns2.riseup.net. #dns_rfc2136_server = ns2.riseup.net.
1. https://github.com/certbot/certbot/issues/7871 # https://github.com/certbot/certbot/issues/7871
dns_rfc2136_server = 204.13.164.8 dns_rfc2136_server = 204.13.164.8
1. Target DNS port # Target DNS port
dns_rfc2136_port = 53 dns_rfc2136_port = 53
1. TSIG key name # TSIG key name
dns_rfc2136_name = che_ircd_key dns_rfc2136_name = che_ircd_key
1. TSIG key secret # TSIG key secret
dns_rfc2136_secret = [CENSORED]== dns_rfc2136_secret = [CENSORED]==
1. TSIG key algorithm # TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512 dns_rfc2136_algorithm = HMAC-SHA512
```
1. create the certificate: 1. create the certificate:
```
~/.virtualenv/certbot/bin/certbot --dns-rfc2136-credentials /etc/letsencrypt/rfc2136-credentials.ini certonly -d irc.indymedia.org --register-unsafely-without-email --dns-rfc2136 --reuse-key ~/.virtualenv/certbot/bin/certbot --dns-rfc2136-credentials /etc/letsencrypt/rfc2136-credentials.ini certonly -d irc.indymedia.org --register-unsafely-without-email --dns-rfc2136 --reuse-key
```
1. change permissions on the generated cert: 1. change permissions on the generated cert:
```
chown -R :ssl-cert /etc/letsencrypt/archive/ chown -R :ssl-cert /etc/letsencrypt/archive/
chmod -R g+rX /etc/letsencrypt/archive/ chmod -R g+rX /etc/letsencrypt/archive/
```
1. add the cert to `/etc/charybdis/ircd.conf` and restart the ircd 1. add the cert to `/etc/charybdis/ircd.conf` and restart the ircd
```
service charybdis restart service charybdis restart
```
1. extract the new SHA256 private key fingerprint: 1. extract the new SHA256 private key fingerprint:
```
certtool --pubkey-info --load-privkey /etc/letsencrypt/live/irc.indymedia.org/privkey.pem | grep -i sha256 | grep -v pin- certtool --pubkey-info --load-privkey /etc/letsencrypt/live/irc.indymedia.org/privkey.pem | grep -i sha256 | grep -v pin-
```
1. add that key to the `connect` block on the other servers, and restarted those ircds: 1. add that key to the `connect` block on the other servers, and restarted those ircds:
```
service charybdis restart service charybdis restart
```
1. create cronjob to use patched certbot for renewals: 1. create cronjob to use patched certbot for renewals:
```
cat > /etc/cron.daily/certbot-rfc2136 <<EOF cat > /etc/cron.daily/certbot-rfc2136 <<EOF
1. We need to use our patched version of certbot to renew certs so that DNS-01 # We need to use our patched version of certbot to renew certs so that DNS-01
1. challenges can be completed # challenges can be completed
SHELL=/bin/sh SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
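Review bot: the `/etc/letsencrypt/rfc2136-credentials.ini` file written in this hunk holds the TSIG `dns_rfc2136_secret` that authorizes the DNS updates, but the procedure never restricts its permissions; add a `chmod 600 /etc/letsencrypt/rfc2136-credentials.ini` line before the `certonly` step, since certbot's DNS plugins warn about unsafe permissions on credential files. Also, in the step `add that key to the connect block on the other servers, and restarted those ircds`, `restarted` should read `restart` to match the other imperative steps.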
...@@ -84,20 +84,20 @@ EOF ...@@ -84,20 +84,20 @@ EOF
cat > /usr/local/bin/patched_certbot_renew <<EOF cat > /usr/local/bin/patched_certbot_renew <<EOF
#!/bin/sh #!/bin/sh
1. Use the patched certbot to renew certificates # Use the patched certbot to renew certificates
/root/.virtualenv/certbot/bin/certbot -q renew /root/.virtualenv/certbot/bin/certbot -q renew
EOF EOF
chmod a+x /usr/local/bin/patched_certbot_renew chmod a+x /usr/local/bin/patched_certbot_renew
```
1. create renewal hook so that charybdis takes on the new certificates automatically 1. create renewal hook so that charybdis takes on the new certificates automatically
```
cat > /etc/letsencrypt/renewal-hooks/deploy/charybdis <<EOF cat > /etc/letsencrypt/renewal-hooks/deploy/charybdis <<EOF
#!/bin/sh #!/bin/sh
/usr/sbin/service charybdis reload /usr/sbin/service charybdis reload
EOF EOF
chmod a+x /etc/letsencrypt/renewal-hooks/deploy/charybdis chmod a+x /etc/letsencrypt/renewal-hooks/deploy/charybdis
```
To configure a DNS primary server, the following command need to be issued: To configure a DNS primary server, the following command need to be issued:
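Review bot: the deploy hook written to `/etc/letsencrypt/renewal-hooks/deploy/charybdis` runs `service charybdis reload`, while the manual steps earlier in the file use `service charybdis restart`; if a reload is enough for charybdis to load the renewed certificate, state that in the doc, otherwise use `restart` here as well so renewals actually take effect. In the trailing context line, `the following command need to be issued` should read `needs`.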
......