Uputstvo za automatizovanu zamenu TCS sertifikata¶

Softver koji će biti instaliran¶

Kreiranje ACME naloga na Sectigo portalu¶

Potrebno je ulogovati se na zvaničan Sectigo portal :

https://cert-manager.com/customer/AMRES

U sekciji Enrollment, izabrati polje ACME nakon čega će se prikazati svi dostupni Sectigo Public ACME nalozi:

Izabrati https://acme.sectigo.com/v2/GEANTOV Sectigo Public ACME nalog i nakon toga kliknuti na dugme Accounts:

Za kreiranje novog ACME naloga kliknuti na opciju + :

Uneti proizvoljan naziv ACME naloga:

Zatim je potrebno dodati odgovarajući domen sertifikata, pretraživanjem i odabirom sertifikata iz liste:

Sačuvajte nalog klikom na SAVE.

Nakon toga dobićete prikaz dva bitna parametra: Key ID i HMAC Key. Oni će biti potrebni u postupku registracije Certbot agenta. Ukoliko ih u tom momentu ne sačuvate, možete ih pronaći kasnije klikom na opciju Details u okviru kreiranog ACME naloga:

Napomena: Može se kreirati nalog za svaki server.

CentOS 7 End of Life - instalacija paketa iz arhiviranog repozitorijuma¶

Pokrenuti sledeće komande:

Napraviti rezervnu kopiju fajla CentOS-Base.repo.

cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

sed -i s/#baseurl/baseurl/ /etc/yum.repos.d/CentOS-Base.repo

sed -i s/mirrorlist.centos.org/vault.centos.org/ /etc/yum.repos.d/CentOS-Base.repo

sed -i s/mirror.centos.org/vault.centos.org/ /etc/yum.repos.d/CentOS-Base.repo

yum clean all

yum makecache

Instalacija potrebnih softverskih paketa¶

Napomena: Ovde je prikazan slučaj kada je na serveru dostupan Python 2, pa se samim tim koristi paket python2-certbot-apache. Međutim, ako koristite Python 3, potrebno je da instalirate paket python3-certbot-apache

Instalirati potrebne pakete:

yum install epel-release

yum install certbot python2-certbot-apache mod_ssl -y

Registracija Certbot agenta¶

certbot register --email <EMAIL> --server <ACME URL> --eab-kid <KEY ID> --eab-hmac-key <HMAC KEY>

certbot register --email xxxxx@xxx.ac.rs --server https://acme.sectigo.com/v2/GEANTOV --eab-kid 5vxxxxxxxx_xxg --eab-hmac-key P-xxxxx0_xxxxxxi_xx_x_xmxxxxxxxxx343utxxxE-xx_6xx-Loxxxxxxxxdx

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Kreiranje novih sertifikata putem certbot agenta¶

certbot certonly --standalone --email <EMAIL> --server <ACME URL> --domain <DOMEN_SERTIFIKATA> --key-type rsa --rsa-key-size 3072 --cert-name <NAZIV>

certbot certonly --standalone --email xxxxxx@xxxxx.ac.rs --server https://acme.sectigo.com/v2/GEANTOV --domain test_domen.institucija.ac.rs --key-type rsa --rsa-key-size 3072 --cert-name test_domen.institucija.ac.rs

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for test_domen.institucija.ac.rs

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test_domen.institucija.ac.rs/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test_domen.institucija.ac.rs/privkey.pem
   Your certificate will expire on 2025-01-31. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

lrwxrwxrwx 1 root root  48 Feb  5 03:02 cert.pem -> ../../archive/test_domen.institucija.ac.rs/cert.pem
lrwxrwxrwx 1 root root  49 Feb  5 03:02 chain.pem -> ../../archive/test_domen.institucija.ac.rs/chain.pem
lrwxrwxrwx 1 root root  53 Feb  5 03:02 fullchain.pem -> ../../archive/test_domen.institucija.ac.rs/fullchain.pem
lrwxrwxrwx 1 root root  51 Feb  5 03:02 privkey.pem -> ../../archive/test_domen.institucija.ac.rs/privkey.pem
-rw-r--r-- 1 root root 692 Feb  1 14:24 README

Proveriti validnost sertifikata:

openssl x509 -in /etc/letsencrypt/live/test_domen.institucija.ac.rs/cert.pem -text -noout

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: test_domen.institucija.ac.rs
    Serial Number: 6axxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: test_domen.institucija.ac.rs
    Expiry Date: 2025-02-04 23:59:59+00:00 (VALID: 365 days)
    Certificate Path: /etc/letsencrypt/live/test_domen.institucija.ac.rs/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test_domen.institucija.ac.rs/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Promena konfiguracije Apache servera¶

Simboličkim linkom prebaciti sertifikate na odgovarajuću putanju sa koje Apache WEB server može da ih usvoji (/etc/ssl/certs/ i /etc/ssl/private/):

ln -s /etc/letsencrypt/live/test_domen.institucija.ac.rs/cert.pem /etc/pki/tls/certs/cert.pem

ln -s /etc/letsencrypt/live/test_domen.institucija.ac.rs/privkey.pem /etc/pki/tls/private/privkey.pem

ln -s /etc/letsencrypt/live/test_domen.institucija.ac.rs/chain.pem /etc/pki/tls/certs/chain.pem

Izmeniti konfiguraciju Apache servera, tako da budu uneti novi sertifikati na gore navedenim putanjama.

Zatim treba restartovati Apache proces:

systemctl restart httpd

Podešavanje termina sledeće obnove sertifikata¶

Konfiguracioni fajl koji sadrži opciju specifikacije termina je /etc/letsencrypt/renewal/test_domen.institucija.ac.rs.conf, a čiji naziv zavisi od domena sertifikata, u ovom slučaju to je test_domen.institucija.ac.rs:

Otkomentarisati prvu liniju i zatim specificirati broj dana pred istek sertifikata kada će sertifikat biti obnovljen (naša preporuka bi bila 14 dana):

# renew_before_expiry = 30 days
renew_before_expiry = 14 days

Potrebno je da se podesi da komanda za obnovu serifikata pokreće svaki dan (u 03 ujutru) uz proveru validnosti serifikata. Napomena: Navedena komanda neće obnavljati sertifikat svaki dan već će ga obnoviti tek kada dođe do navedenog broja dana pred njegov istek.

crontab -e

Uneti navedenu liniju:

0 3 * * * /usr/bin/certbot renew --renew-hook "/usr/bin/systemctl restart httpd"

Ovim je proces podešavanja automatske obnove sertifikata završen.