# Ubuntu Server

## Unattended Upgrades

```bash
apt install unattended-upgrades
systemctl enable unattended-upgrades
```

## Certbot for Cockpit

During this process you'll pick one node to act as the manager for your other nodes. You only need to issue a certificate for that single node; it then connects to the other nodes over SSH on your local network.

Create an AWS user with Route53 access. Certbot's Route53 validation requires it.

```bash
export username=
aws iam create-user --user-name $username
```

You'll also need a policy that allows the user to modify the selected hosted zone (list your zones with `aws route53 list-hosted-zones`):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
      ]
    }
  ]
}
```

Attach the policy to the user:

```bash
aws iam attach-user-policy \
  --user-name $username \
  --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
```

Generate credentials:

```bash
aws iam create-access-key --user-name $username
```

On the host machine:

```bash
sudo su -
mkdir ~/.aws
vim ~/.aws/config
```

```conf
[profile default]
region=us-east-2
```

```bash
sudo su -
vim ~/.aws/credentials
```

```conf
[default]
aws_access_key_id=
aws_secret_access_key=
```

Install the AWS CLI v2 on the manager node:

```bash
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
apt update && apt install -y unzip
unzip awscliv2.zip
./aws/install
```

Test your credentials with `aws route53 list-hosted-zones`. You should see a list of your hosted zones.
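The point of the policy above is that the record-write action is pinned to one hosted zone while only the read-only actions get `*`. As an added example (not part of these notes), this Python builds that policy from a zone ID and lints a policy document for the two ways it commonly ends up over-broad; the function names and the `hostedzone/*` check are my own.

```python
# Actions certbot's dns-route53 plugin needs; the same set as the policy above.
READ_ACTIONS = ["route53:ListHostedZones", "route53:GetChange"]
WRITE_ACTION = "route53:ChangeResourceRecordSets"


def build_certbot_policy(hosted_zone_ids):
    """Least-privilege policy for certbot-dns-route53.

    Route53's list/get actions take no resource-level scoping, so they
    get "*"; the record-write action is limited to the given zone(s).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": ["*"]},
            {
                "Effect": "Allow",
                "Action": [WRITE_ACTION],
                "Resource": [f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids],
            },
        ],
    }


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return problems: actions beyond what certbot needs, and record
    writes that are not pinned to a specific hosted zone."""
    problems = []
    allowed = set(READ_ACTIONS) | {WRITE_ACTION}
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in allowed:  # also flags route53:* and *
                problems.append(f"statement {idx}: unexpected action {action}")
        grants_write = WRITE_ACTION in actions or bool({"*", "route53:*"} & set(actions))
        if grants_write and any(r == "*" or r.endswith("hostedzone/*") for r in resources):
            problems.append(f"statement {idx}: record writes not scoped to a hosted zone")
    return problems
```

Run `find_overbroad_statements` over the JSON you are about to pass to `aws iam create-policy`; an empty list means the document matches the shape above.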
Now install certbot and acquire a certificate using those credentials:

```bash
sudo su -
export record=orange.reeselink.com
apt update && apt install -y certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record
cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
systemctl restart cockpit.service
```

Test the renewal process with:

```bash
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
```

Create a renewal script at /usr/lib/scripts/certbot-renew.sh. `$record` is a placeholder for this node's hostname and is substituted before the script is saved; systemd will not have the exported variable.

/usr/lib/scripts/certbot-renew.sh

```bash
#!/bin/bash
# $record is a placeholder: replace it with this node's hostname before use.
# -u makes the script fail loudly if the placeholder was left in place.
set -euo pipefail
/usr/bin/certbot renew --cert-name $record
/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
# Same step as the initial install: restart Cockpit so it loads the renewed pair.
/usr/bin/systemctl restart cockpit.service
```

Substitute the hostname (in vim) and make the script executable:

```bash
:%s/$record/yellow.reeselink.com/g
chmod +x /usr/lib/scripts/certbot-renew.sh
```

Now create a systemd oneshot service to run the script.

/etc/systemd/system/certbot-renew.service

```conf
[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```

/etc/systemd/system/certbot-renew.timer

```conf
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
```

Enable the timer:

```bash
systemctl enable --now certbot-renew.timer
```

Cockpit now has a valid TLS certificate that auto-renews!