How to renew letsencrypt cert in AWS Load Balancer? - ruby-on-rails

I used letsencrypt to generate an SSL cert with the standalone option, and the cert was generated successfully.
I went to the AWS Load Balancer to configure a listener on port 433 and imported the SSL cert I had generated before via this kind of popup:
Then everything worked; now I want to renew this SSL cert. I followed these instructions to renew my cert.
I tried:
./certbot-auto renew --standalone
=> Checking for new version...
Requesting root privileges to run certbot...
/root/.local/share/letsencrypt/bin/letsencrypt renew --standalone
No renewals were attempted.
Or, obtaining the cert again with ./certbot-auto certonly --standalone:
Failed authorization procedure. www.atoha.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested ef39667c9d782884f8157f30f3e85e81.fb4436208f9bc7c8bdeb19356bb090f2.acme.invalid from 54.179.140.152:443. Received certificate containing 'www.my_domain.com'
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.my_domain.com
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested ef39667c9d782884f8157f30f3e85e81.fb4436208f9bc7c8bdeb1935
6bb090f2.acme.invalid from 54.179.140.152:443. Received certificate
containing 'www.my_domain.com'
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
This means my cert was generated correctly before; now I want to know how to renew it, since it is nearly expired!
Thanks!

You can try this:
bash /opt/letsencrypt/letsencrypt-auto -t --renew-by-default --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'your@email.com' --webroot --webroot-path 'yourwebdirectory_publichtml' -d yourdomain.com -d www.yourdomain.com
where /opt/letsencrypt/ = your letsencrypt directory location,
and then paste the contents of the .pem files into your AWS ELB (I usually use cat on Linux):
private key ---> privkey.pem
public key certificate ---> fullchain.pem
certificate chain ---> no need to fill this
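The standalone attempt in the question fails because the ELB, not certbot, answers port 443 and presents the current www.my_domain.com certificate, so the TLS-SNI-01 validator never sees the challenge certificate. As an added example that is not part of the question or the answers, the script below switches to the webroot challenge this answer suggests (the ELB forwards port 80 to the instance) and automates the "paste the .pem files" step with the AWS CLI; it assumes a classic ELB (as the listener popup suggests), and WEBROOT, DOMAIN, CERT_ARN and LB_NAME are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answers): renew with the webroot
# challenge, which the ELB forwards to the instance over port 80 instead of
# answering it itself on 443, then push the files to AWS from a certbot deploy
# hook. WEBROOT, DOMAIN, CERT_ARN and LB_NAME are placeholders (assumptions).
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"    # directory served at http://DOMAIN/
DOMAIN="${DOMAIN:-www.example.com}"     # placeholder domain
CERT_ARN="${CERT_ARN:-}"                # ACM ARN to replace on re-import (optional)
LB_NAME="${LB_NAME:-my-classic-elb}"    # placeholder classic ELB name

# Split fullchain.pem: the first block is the leaf (the "public key certificate"
# field), the remaining blocks are the chain. Pasting fullchain.pem whole also
# works, as the answer notes; splitting is what an API import expects.
split_fullchain() {
  : > "$2"; : > "$3"   # $1 = fullchain.pem, $2 = leaf out, $3 = chain out
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >  1 { print > chain }
  ' "$1"
}

# Deploy hook: certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>.
deploy_renewed_cert() {
  lineage="${RENEWED_LINEAGE:?must run as a certbot --deploy-hook}"
  tmp=$(mktemp -d)
  split_fullchain "$lineage/fullchain.pem" "$tmp/cert.pem" "$tmp/chain.pem"
  set --                                   # optional --certificate-arn for re-import
  [ -n "$CERT_ARN" ] && set -- --certificate-arn "$CERT_ARN"
  arn=$(aws acm import-certificate "$@" \
          --certificate fileb://"$tmp/cert.pem" \
          --private-key fileb://"$lineage/privkey.pem" \
          --certificate-chain fileb://"$tmp/chain.pem" \
          --query CertificateArn --output text)
  # Point the 443 listener at the (re)imported certificate.
  aws elb set-load-balancer-listener-ssl-certificate \
      --load-balancer-name "$LB_NAME" --load-balancer-port 443 \
      --ssl-certificate-id "$arn"
  rm -rf "$tmp"
}

case "${1:-}" in
  # First run switches the lineage from standalone to webroot and stores the
  # hook; later "certbot renew" reuses both.
  renew)  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
            --deploy-hook "$0 deploy" ;;
  deploy) deploy_renewed_cert ;;
esac
```

The private key never leaves /etc/letsencrypt except through the CLI call, so nothing has to be copied through a browser paste box.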

I use https://github.com/alex/letsencrypt-aws to automatically handle automatic renewal on AWS. The only thing it doesn't currently do is remove old certs.

Related

I created a new SSL certificate, but why do I still see the SSL error?

I have a harbor stack running on docker with an nginx reverse proxy. Its SSL certificate has expired and I am not able to log in via SSH. I created a new certificate with OpenSSL. I can see that the new certificate is being used in the browser, as the date and other information are updated. However, I still see the SSL error in the browser and the following error via SSH.
Error response from daemon: Get "https://123.123.123.111:444/v2/": x509: cannot validate certificate for 123.123.123.111 because it doesn't contain any IP SANs
What have I done?
I created the SSL certificate as follows. First I updated /etc/ssl/openssl.cnf and added subjectAltName=IP:123.123.123.111 as mentioned in this Stack Overflow question.
Then I followed this official guide to make the SSL certificate.
Once all went well I copied the certificates and added them to the correct directory.
I also copied the certificate to this directory:
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
Finally I updated the certificates like this:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Result of all this work?
The certificates have been updated, but I can still see the SSL error in the browser and over SSH.
What do I want?
I want to make my SSL certificates work so I can log in through SSH and upload repos.

'Kibana server is not ready error' after ElasticSearch upgrade to 7.17

I upgraded Elasticsearch from 7.10 to 7.17. After the upgrade, the ES and Kibana nodes are up, but when trying to access the Kibana frontend I get the error 'Kibana server is not ready yet'. I checked the logs at \var\logs\messages\ and a few similar error posts but didn't find anything specific.
The environment is set up as a 3-node Elasticsearch cluster on linux and a single Kibana instance using docker-compose.
On executing the below, I get a further notification:
curl -XDELETE https://<SerVerName>:Port/*kibana*
curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Executing curl with -k and username:password as below helped ({"acknowledged":true})
and the Kibana error is resolved. Thanks @Def Soudini
`curl -k -XDELETE https://<SerVerName>:Port/*kibana* -u username:password`

Heroku with Let's Encrypt: Couldn't find that sni endpoint

I made an SSL certificate for subdomain.mysite.com using Let's Encrypt.
I did that using the certbot command.
brew install certbot
sudo certbot certonly --manual
I got the following response:
IMPORTANT NOTES:
Congratulations!
Your certificate and chain have been saved at:
/etc/letsencrypt/live/subdomain.mysite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/subdomain.mysite.com/privkey.pem
Your certificate will expire on 2021-07-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
certbot renew
Now I want to add this to Heroku by running:
heroku certs:add /etc/letsencrypt/live/subdomain.mysite.com/fullchain.pem /etc/letsencrypt/live/subdomain.mysite.com/privkey.pem --type endpoint
=== Almost done! Which of these domains on this application would you like this certificate associated with?
? Select domains subdomain.mysite.com
▸ Couldn't find that sni endpoint.
I can now see the certificate by running the following command:
heroku certs
Name Endpoint Common Name(s) Expires Trusted Type Domains
─────────────── ──────────────────────────────────────── ──────────────────── ──────────────────── ─────── ──────── ───────
okugama-59392 depp-basions-garble.ssl.herokudns.com subdomain.mysite.com 2021-07-23 11:45 UTC True Endpoint 2
And when I run the heroku domains command I see the domain, but with SNI = undefined.
=== artists-way Custom Domains
Domain Name DNS Record Type DNS Target SNI Endpoint
subdomain.mysite.com CNAME mammalias-makderel-ydfdsesesfssfsedwsdkn6wd.herokudns.com undefined
Accessing the subdomain in a browser, it tells me that a secure connection can't be established.
So, how can I configure an SNI endpoint, or what do I need to do in order for this to work?

How to generate certs for secured connection from Celery to Redis

I'm following this tutorial, and adjusting the Celery-background related code to my project.
In my case I am operating in a Docker environment, and I have a secured site (i.e. https://localhost) which requires secured ssl communication.
The documentation in here shows an example on how to provide cert related files (keyfile, certfile, ca_certs).
But it is not clear to me how to create these files in the first place.
The tutorial in here shows how to create a custom certificate authority, and how to sign a certificate with it.
I followed the steps and created the 3 files:
keyfile - dev.mergebot.com.crt - the signed certificate (signed by myCA.pem)
ca_certs - dev.mergebot.com.key - private key to create a signed cert with "self-trusted CA"
certfile - myCA.pem - "self-trusted CA" certificate (filename in the tutorial: myCA.pem)
Note that I created these 3 files completely unrelated to Celery or Redis or Docker.
They were created on my local machine outside Docker. The files don't have the name of the Redis container, and the Common Name in the cert was set to "foo".
When I use these files in my webapp, there is no connection from Celery to Redis.
Without ssl I do get a connection, so the overall environment aside from ssl is OK - see here
Are there any specific requirements for creating the cert-related files? (e.g. should the Common Name in the cert have the container name "redis", etc.)
Is there a way to test the validity of the certs without the app, e.g. by issuing a command from the container shell?
Thanks
I was able to generate the cert-related files (keyfile, certfile, ca_certs) using the tutorial in here.
I first tested that I can connect from my localhost to the "redis with ssl" docker container, and I described the details here.
Then I tested that I can connect from the Celery docker container to the "redis with ssl" docker container, and I described the details here.
Yes, the certificate common name should match the host name; also, the issuer of the certificate should be trusted by the client.
In your case, since you are using a custom CA and generating the certs, the public cert of the CA should be in the trusted root of the client.
Additionally, the certificate should be issued to the hostname; in your case it will be localhost. Please do note that if you access the site from a remote machine by using either the FQDN or the IP, the browser will flag an alert as invalid.
Also, to verify the certificates, you can use the openssl verify option.

How to properly set up HTTPS for OnlyOffice

Following OnlyOffice's help center's instructions leads to the creation of a security certificate declared invalid by browsers, as it is self-signed.
The intention is to use OnlyOffice's server on Docker for NextCloud, which runs properly already on another server.
Currently, the certificates have been created in the directory suggested by the instructions:
/app/onlyoffice/DocumentServer/data/certs# ls
dhparam.pem onlyoffice.crt onlyoffice.csr onlyoffice.key
I have followed all the given steps, and it does not work.
Is there a way to use LetsEncrypt instead of self-signed certificates?
I am not an IT management person, I am a simple developer trying to use OSS to not use Google Docs etc. Take this into consideration when providing guidance, as what you may take for granted, I may not.
The problem that you are having is that a self-signed certificate is not trusted by anyone (anything).
You can create your own certificate using Let's Encrypt. You will either need to create a special file on your server or create a TXT record on your domain's DNS server.
Certbot Download
The following is for Linux. If you are running on Windows, try using ManuaLE (more info below)
Go to Let's Encrypt and download certbot. Then from the command line:
certbot certonly --manual --preferred-challenges dns -d mydomain.com
This command will prompt you to create a TXT record on your DNS server. After creating the record wait a few minutes before pressing ENTER to continue.
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Instructions for ManuaLE for Windows.
ManuaLE Download
manuale authorize mydomain.com
manuale issue mydomain.com
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Please restart the container; the DocumentServer will switch to the HTTPS config.
Open the address of the DocumentServer in your browser. If it is reachable, it can be connected to your NextCloud instance.
