Quick and Easy process of getting letsencrypt wildcard domain certificate with cloudflare as dns provider

-


Login to any of your server ( this method does not requires to run commands from a working apache or nginx web server hence you can even run these commands from your workstation line client machine)

Create a cloudflare credentials file
need your email id and api key of cloudflare login

you can get cloudflare api key from login into cloudflare account and nevigating to myprofile -> api tokens -> api keys -> global api key -> view

# vim .cloudflarecredentials.ini

paste content as bellow

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

use your mail id and api key in above file

save and make it secure

# chmod 400 .cloudflarecredentials.ini

Now install required package

# yum -y install python2-certbot-dns-cloudflare

Now run bellow command

# certbot certonly --dns-cloudflare --dns-cloudflare-credentials .cloudflarecredentials.ini -d *.mydomain.com

replace *.mydomain.com  with *. your domain

Now accept policy etc from certbot and it will automatically validate ddomain and generate certificate and key file for you.

certificate file    :  /etc/letsencrypt/live/mydomain.com/fullchain.pem;
keyfile             :  /etc/letsencrypt/live/mydomain.com/privkey.pem;

you can use this certificates now in nginx or apache. example bellow is config snippet for nginx

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

Now for automatic renewal setup a cron as bellow

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Done!

Comments

Post a Comment

Popular posts from this blog

using libguestfs virt-customize tool to modify qcow2 image and reset root password.

-
ibguestfs is a C library and a set of tools for accessing and modifying virtual disk images used in platform virtualization. The tools can be used for viewing and editing virtual machines managed by libvirt and files inside VMs, scripting changes to VMs, creating VMs, and much else beside. virt-customize is one of them as example. If you forgot root user password here is how you can modify . # virsh shutdown debian9-vm1 # virt-customize -a /var/lib/libvirt/images/debian9-vm1.qcow2 --root-password password:NewRootUserPasswordHere  not only this but you can edit many more. The –run-command option is used to execute any command inside a virtual image file. 1) register with rhel subscription virt-customize -a rhel-server-7.6.qcow2 --run-command 'subscription-manager attach --pool [subscription-pool]'     Install software or packages- virt-customize -a rhel-server-7.6.qcow2 --install net-tools  Upload a file into image virt-customize -a rhel-se...
Read more

Running cockpit behind nginx reverse proxy with nginx ssl and cockpit non ssl

-
Domain for web access to cockpit : cockpit.mylab.local cockpit server ip : 192.168.1.61 nginx server ip   : 192.168.1.65 Linux distro using is Centos 7.6 Login to cockpit server Create a file [root@repo ~]# vim /etc/cockpit/cockpit.conf content will be like [WebService] Origins = https://cockpit.mylab.local wss://cockpit.mylab.local ProtocolHeader = X-Forwarded-Proto AllowUnencrypted = true save and restart cockpit # systemctl restart cockpit now  login to your nginx webserver and install nginx # yum install nginx -y create a new file vim /etc/nginx/conf.d/cockpit.conf paste content as bellow server {     listen         80;     listen         443 ssl http2;     server_name    cockpit.mylab.local;     ssl_certificate /etc/ssl/certs/cockpit-selfsigned.crt;     ssl_certifica...
Read more

setting up openshift alert manager mail alerting based on critical and warning

-
Configure alert manager to send mail. This will send mail to 2 diffrent groups one is managemnet group for ciritical alerts only and second is default group for all alerts. $  oc project openshift-monitoring The secret file where alertmanager.yaml content ( encoded in base64 ) will remain is alertmanager-main convert the yaml content into base64 first $  cat alertmanager.yaml | base64 -w0 copy value now edit secret $ oc edit secret alertmanager-main find value starts with alertmanager.yaml: replace all base64 content from your own . save and exit now in order to take this secret in effect we must bounce the pod $  oc delete po -l alertmanager=main check if all pod came online $  oc get po -l alertmanager=main done! alertmanager.yaml content resolve_timeout : 5m route : group_wait : 30s group_interval : 5m repeat_interval : 12h ...
Read more