Lets Encrypt https://ff.co.za/

ECC and certbot automated renewal
https://ff.co.za/documentation/ecc-and-certbot-automated-renewal
Admin, Sun, 21/06/2020 - 11:34

The problem is that certbot renew cannot renew a certificate for an ECC public key. At the time of writing certbot has no native support for ECDSA keys, so the ECC certificate has to be requested with certbot certonly --csr, and a certificate obtained that way is not recorded as a certbot lineage: certbot renew never sees it.

Instead of relying on certbot renew, we roll our own.

Take care to point Exim and Dovecot at the certificate files in their new locations (the ecc-live and rsa-live directories the script below sets permissions on).

This works:

root@abispa ~/certbot-renewal $ cat renew-certbot.sh
#!/bin/sh
LOGFILE=/root/certbot-renewal/certbot-renewal.log
ARCHIVE=/etc/letsencrypt/ecc-archive/abispa.waspa.org.za

## certbot --csr writes its output files into the current directory,
## so make sure we are in ours regardless of where the script is started.
cd /root/certbot-renewal || exit 1

## "Renew" the RSA certificate -- this actually generates a fresh
## 4096-bit RSA key pair and creates a certificate from the public key.
echo "RSA renewal ====================================" > $LOGFILE
certbot --force-renewal --rsa-key-size 4096 renew >> $LOGFILE 2>&1

## Use the Certificate-Signing Request for the existing ECC
## public key, and request a new certificate. The key pair itself
## never changes; only the certificate does.
## You can read a CSR with:
## $ openssl req -noout -text -in /path/to/csr.pem
echo "ECC renewal ====================================" >> $LOGFILE
certbot certonly --non-interactive --apache \
    -d abispa.waspa.org.za \
    --email ops@ff.co.za \
    --csr /etc/letsencrypt/csr/ecc-csr.pem \
    --agree-tos >> $LOGFILE 2>&1

## The above creates three files in the current directory:
## 0000_cert.pem (leaf), 0000_chain.pem (issuer chain) and
## 0001_chain.pem (leaf + chain). Move them into place.
echo "Installing files ===============================" >> $LOGFILE
mv -fv 0000_cert.pem  $ARCHIVE/cert.pem      >> $LOGFILE
mv -fv 0000_chain.pem $ARCHIVE/chain.pem     >> $LOGFILE
mv -fv 0001_chain.pem $ARCHIVE/fullchain.pem >> $LOGFILE

## Give the Debian-exim group read access to the certificate trees.
## /bin/sh on Debian is dash, which has no {a,b} brace expansion, so the
## directories are spelled out. Mode 750 rather than 755: Exim gets in
## via the group, Apache and Dovecot read the files as root, and nothing
## else (in particular any private key kept under these trees) should be
## world-readable.
## Remember to update dovecot & exim4 cert locations!
for d in /etc/letsencrypt/ecc-archive /etc/letsencrypt/ecc-live \
         /etc/letsencrypt/rsa-archive /etc/letsencrypt/rsa-live; do
    chgrp -R Debian-exim "$d"
    chmod -R 750 "$d"
done

## Restart mail & web server so they use the new certs.
echo "Apache restart =================================" >> $LOGFILE
service apache2 stop  >> $LOGFILE 2>&1
service apache2 start >> $LOGFILE 2>&1
echo "Dovecot restart ================================" >> $LOGFILE
service dovecot stop  >> $LOGFILE 2>&1
service dovecot start >> $LOGFILE 2>&1
echo "Exim4 restart ==================================" >> $LOGFILE
service exim4 stop  >> $LOGFILE 2>&1
service exim4 start >> $LOGFILE 2>&1

Category: Documentation. Tags: ECC, Lets Encrypt, certbot.
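The renewal script above assumes that /etc/letsencrypt/csr/ecc-csr.pem already exists and moves certbot's output into place without checking it. The following is an added example, not code from the ff.co.za page: it generates the P-256 key and CSR that certbot --csr re-submits on every run, then verifies that an issued certificate really belongs to that key and is not about to expire before it is installed. All paths are hypothetical (a scratch directory from mktemp); the host name abispa.waspa.org.za is taken from the page and can be overridden with the DOMAIN environment variable. Because no CA is reachable offline, the demo at the end self-signs the CSR to stand in for the 0000_cert.pem that certbot would write; the checks are the same ones you would run against the real file.

```shell
#!/bin/sh
# Added example (not from the ff.co.za page). Builds the ECC key + CSR the
# renewal script assumes, then checks an issued cert against that key.
# Hypothetical paths: everything lives in a scratch directory.
set -eu

DOMAIN="${DOMAIN:-abispa.waspa.org.za}"   # host name used on the page
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/ecc-privkey.pem"
CSR="$WORK/ecc-csr.pem"
CERT="$WORK/0000_cert.pem"                # stands in for certbot's output file

# 1. P-256 private key. umask 077 so the key is never group/world readable,
#    whatever a later chmod -R does to the certificate directories.
gen_ecc_key() {
    ( umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$KEY" )
}

# 2. CSR with a SAN. certbot --csr re-submits this file on every renewal, so
#    the key pair is kept; only the CA-issued certificate changes.
gen_csr() {
    cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $DOMAIN
[san]
subjectAltName = DNS:$DOMAIN
EOF
    openssl req -new -sha256 -key "$KEY" -config "$WORK/csr.cnf" -out "$CSR"
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken from either a private key
# or a certificate. Equal digests mean the cert was issued for this key.
spki_sha256() {   # $1 = "key" | "cert", $2 = file
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -pubout -outform DER
    else
        openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate's public key is the key we control.
cert_matches_key() {   # $1 = cert, $2 = private key
    [ "$(spki_sha256 cert "$1")" = "$(spki_sha256 key "$2")" ]
}

# Exit 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {   # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Key algorithm as openssl reports it: "id-ecPublicKey" for an ECC cert.
cert_key_type() {   # $1 = cert
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n1
}

# Demo: offline there is no CA, so self-sign the CSR for 90 days to stand in
# for the 0000_cert.pem certbot would produce (constructed test data).
gen_ecc_key
gen_csr
openssl req -in "$CSR" -noout -verify >/dev/null 2>&1   # CSR self-signature check
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 90 \
    -extfile "$WORK/csr.cnf" -extensions san -out "$CERT" 2>/dev/null

if cert_matches_key "$CERT" "$KEY" && cert_valid_for_days "$CERT" 30; then
    echo "OK: $(cert_key_type "$CERT") certificate matches $KEY; safe to install"
else
    echo "REFUSING to install: key mismatch or certificate about to expire" >&2
    exit 1
fi
```

Drop the demo section and call cert_matches_key / cert_valid_for_days on the real 0000_cert.pem and your private key just before the mv lines in renew-certbot.sh; a mismatch there means certbot served a certificate for a different CSR than the one you think is in /etc/letsencrypt/csr, and a near-expired result means the renewal silently failed and the old file was left in place.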