Ubuntu Server
Unattended Upgrades
apt install unattended-upgrades
systemctl enable unattended-upgrades
Certbot for Cockpit
During this process you'll pick one node to act as the manager for your other nodes. Only that node needs a certificate; it then connects to the other nodes over ssh on your local network.
Create an AWS user which will have route53 access. This is required for certbot's route53 validation.
export username=<hostname>
aws iam create-user --user-name $username
You'll also need a policy which allows the user to modify the selected hosted zone (find its ID with aws route53 list-hosted-zones). The first statement has to use "*" because ListHostedZones and GetChange do not support resource-level permissions; the second statement, the only one that can change records, is pinned to the single hosted zone:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
      ]
    }
  ]
}
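Before attaching the policy it is worth checking that the write permission really is pinned to one hosted zone and that nothing beyond the three actions certbot needs has crept in. The linter below is an added example, not part of these notes; lint_route53_policy is my own name, ZEXAMPLE123 is a placeholder zone id, and the test inputs are constructed copies of the policy above.

```python
import fnmatch
import json
import re

# The three actions the certbot-dns-route53 plugin needs, as in this page's policy.
READ_ACTIONS = {"route53:ListHostedZones", "route53:GetChange"}
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets"}
# The read actions take no resource-level permissions, so "*" is expected for
# them; the write action must be pinned to a single hosted zone ARN.
HOSTED_ZONE_ARN = re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_route53_policy(policy_json: str) -> list:
    """Return findings as strings; empty means the policy is as tight as the one above."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access and are not checked here
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        for action in sorted(actions - READ_ACTIONS - WRITE_ACTIONS):
            findings.append(f"statement {idx}: action {action!r} is not needed by certbot")
        # Wildcard patterns such as route53:* also grant the write action.
        grants_write = any(fnmatch.fnmatch(w, a) for a in actions for w in WRITE_ACTIONS)
        for res in resources:
            if grants_write and not HOSTED_ZONE_ARN.match(res):
                findings.append(f"statement {idx}: ChangeResourceRecordSets must be "
                                f"scoped to one hostedzone ARN, got {res!r}")
    return findings


# Constructed inputs: the page's policy with a placeholder zone id, and a loose one.
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:GetChange"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/ZEXAMPLE123"]}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, lint_route53_policy(doc) or "OK")
```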
Create the policy from that document (saved here as policy.json, an arbitrary file name; the policy name must match the ARN used below) and attach it to the user:
aws iam create-policy --policy-name certbot-route53-reeselink --policy-document file://policy.json
aws iam attach-user-policy \
--user-name $username \
--policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
Generate credentials:
aws iam create-access-key --user-name $username
On the host machine, as root, create the AWS config and credentials files (paste the AccessKeyId and SecretAccessKey from the create-access-key output; these are the only credentials for this user, so keep the file root-only):
sudo su -
mkdir ~/.aws
vim ~/.aws/config
[profile default]
region=us-east-2
vim ~/.aws/credentials
[default]
aws_access_key_id=
aws_secret_access_key=
Install the aws cli v2 on the manager node:
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
apt update && apt install -y unzip
unzip awscliv2.zip
./aws/install
Test your credentials with aws route53 list-hosted-zones. You should see a list of your hosted zones.
Now install certbot and acquire a cert using those credentials:
sudo su -
export record=orange.reeselink.com
apt update && apt install -y certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record
cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
systemctl restart cockpit.service
Test the renewal process with:
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
Create a renewal script at /usr/lib/scripts/certbot-renew.sh. It runs from systemd, not from your login shell, so the $record variable exported above is not visible to it; set the name inside the script instead (the original notes did this by pasting the $record lines and running the vim substitution :%s/$record/yellow.reeselink.com/g).
/usr/lib/scripts/certbot-renew.sh
#!/bin/bash
set -euo pipefail
# Name the certificate was issued for (the -d value used above).
record=orange.reeselink.com
/usr/bin/certbot renew --cert-name "$record"
/usr/bin/cp -f "/etc/letsencrypt/live/$record/fullchain.pem" /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f "/etc/letsencrypt/live/$record/privkey.pem" /etc/cockpit/ws-certs.d/50-letsencrypt.key
# Same restart as the manual step above, so cockpit-ws picks up the new files.
/usr/bin/systemctl restart cockpit.service
chmod +x /usr/lib/scripts/certbot-renew.sh
Now create a systemd oneshot service to run the script, and a timer that triggers it shortly after boot and then weekly. (The Ubuntu certbot package also installs its own certbot.timer, which already runs certbot renew on its own schedule; this unit exists to copy the renewed files into Cockpit's directory.)
/etc/systemd/system/certbot-renew.service
[Unit]
Description=Certbot Renewal
[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
/etc/systemd/system/certbot-renew.timer
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
Enable and start the timer (the service itself is only ever started by the timer):
systemctl enable --now certbot-renew.timer
Cockpit now has a valid TLS certificate that auto-renews!