From fd8995f2fb0b4621bc47aca48d7d43b15d7e3968 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Oct 16 2024 11:58:49 +0000 Subject: Snippet doc about TLS renewal wrapper script Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 53de4fd..7393784 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md 
@@ -220,11 +220,41 @@ All files (certs/keys) are then available under /root/.acme.sh/{hostname} (you'l #### How to renew existing certs ##### For DNS challenges (existing records) -For each cert/dns record, we have to ask for a renewal + +Each `pkistore` git repository (based on the env) will have a `./tools/letsencrypt-renew-import` wrapper tool that will : + + * inspect .crt TLS files in the pkistore git repo + * verify if that's signed by Let's Encrypt CA + * access the central acme machine through ssh (from which you initially create new cert) and renew with `acme.sh --renew -d ${domain} --force` + * retrieve the .crt and CA chain, and also corresponding .key + * reencrypt (if needed, based on env) with ansible-vault + +Once all done and validated, you can just git commit && git push back as usual + +Example : + ``` -acme.sh --renew-all --dnssleep 3 +./tools/letsencrypt-renew-import +[+] Analyzing TLS cert accounts.centos.org.crt ... + Renewing [accounts.centos.org.crt] on [acme01.rdu2.centos.org] + TLS cert accounts.centos.org.crt remotely renewed so importing key/crt/cachain : SUCCESS + [accounts.centos.org.crt] validated against [/etc/pki/tls/certs/ca-bundle.crt accounts.centos.org-CAChain.crt] : SUCCESS + +[+] Analyzing TLS cert accounts.dev.centos.org.crt ... + TLS [accounts.dev.centos.org.crt] file is a symlink so ignoring ... SKIPPED + +[+] Analyzing TLS cert accounts.stg.centos.org.crt ... + Renewing [accounts.stg.centos.org.crt] on [acme01.rdu2.centos.org] + TLS cert accounts.stg.centos.org.crt remotely renewed so importing key/crt/cachain : SUCCESS + [accounts.stg.centos.org.crt] validated against [/etc/pki/tls/certs/ca-bundle.crt accounts.stg.centos.org-CAChain.crt] : SUCCESS +<...> + ``` +!!! 
note + if you'll have an error on a specific cert, just ssh into delegate machine for acme.sh and manually kick `acme.sh --renew -d --force` to see the output and fix the underlying issue (if any) + + ##### For HTTP challenges Same as for dns challenges as we consolidated all under `acme.sh` (and no certbot anymore)
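Review bot: the manual fallback command in the `!!! note` admonition at the end of the hunk, `acme.sh --renew -d --force`, is missing the domain argument that the bullet list earlier in the same hunk gives as `acme.sh --renew -d ${domain} --force`; a reader copying the note verbatim gets an acme.sh usage error, so align it with the bullet (or use an explicit `<hostname>` placeholder). Two smaller documentation points in the same hunk: the bullet "reencrypt (if needed, based on env) with ansible-vault" does not say for which envs the retrieved `.key` ends up unencrypted in the working tree before the "git commit && git push back as usual" step, which is worth spelling out since the wrapper pulls private keys off the acme host into the pkistore repo; and the sample output shows symlinked `.crt` files being "SKIPPED" without the prose explaining why they are ignored or how the certificate they point at gets renewed, so one sentence on that would save the next operator a question.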