Let’s Encrypt wildcard dystrybucja certyfikatu SSL w sieci wewnętrznej

# adres ip kontenera z cerbotem to 192.168.8.36
# z poziomu konsoli serwera Proxmox kopiujemy pliki certyfikatu z kontenera cerbot do lokalnego katalogu
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/pve/nodes/pve/pve-ssl.pem
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/pve/nodes/pve/pve-ssl.key

# restart pveproxy aby pve odczytał nowe certyfikaty
systemctl restart pveproxy

# weryfikacja ważności certyfikatu SSL
openssl x509 -enddate -noout -in /etc/pve/nodes/pve/pve-ssl.pem | awk -F '=' '{print $2}'
Aug 24 09:16:59 2023 GMT

# adres ip kontenera z cerbotem to 192.168.8.36 
# z poziomu konsoli serwera PBS kopiujemy pliki certyfikatu z kontenera cerbot do lokalnego katalogu
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/proxmox-backup/proxy.pem
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/proxmox-backup/proxy.key

# nadajemy stosowne uprawnienia
chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key
chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key

# restartujemy proxmox-backup-proxy aby pbs odczytał nowe certyfikaty
systemctl reload proxmox-backup-proxy

# weryfikacja ważności certyfikatu SSL 
openssl x509 -enddate -noout -in /etc/proxmox-backup/proxy.pem | awk -F '=' '{print $2}' 
Aug 24 09:16:59 2023 GMT

# sprawdzamy gdzie znajdują się bieżace pliki certyfikatu SSL w konfiguracji vhost Apache 2
grep SSLCert /etc/apache2/sites-enabled/cloud.netapps.ovh.conf
SSLCertificateFile /etc/cert/cloud.netapps.ovh/fullchain.pem
SSLCertificateKeyFile /etc/cert/cloud.netapps.ovh/privkey.pem

# kopiujemy z maszyny certbota
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/cert/cloud.netapps.ovh/fullchain.pem
scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/cert/cloud.netapps.ovh/privkey.pem

# restartujemy apache 
systemctl restart apache2

scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/cert/icinga.netapps.ovh/fullchain.pem 
scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/cert/icinga.netapps.ovh/privkey.pem

c) systemctl restart apache2

# ściągnięcie gotowego certyfikatu SSL z maszyny certbot do lokalnego folderu /etc/letsencrypt/netapps.ovh/
sudo mkdir -p /etc/letsencrypt/live/unifi.netapps.ovh/
sudo scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/letsencrypt/live/unifi.netapps.ovh/fullchain.pem
sudo scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/letsencrypt/live/unifi.netapps.ovh/privkey.pem

# ściągnięcie skryptu do podmiany certyfikatu SSL w UniFi Controller
sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh
sudo chmod +x /usr/local/bin/unifi_ssl_import.sh

# edycja ustawień skryptu (wymieniono tylko zmienione linie)
sudo nano -w /usr/local/bin/unifi_ssl_import.sh

UNIFI_HOSTNAME=unifi.netapps.ovh
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
LE_MODE=true
LE_LIVE_DIR=/etc/letsencrypt/live
#PRIV_KEY=/etc/ssl/private/hostname.example.com.key
#SIGNED_CRT=/etc/ssl/certs/hostname.example.com.crt
#CHAIN_FILE=/etc/ssl/certs/startssl-chain.crt

# uruchomienie skryptu
sudo /usr/local/bin/unifi_ssl_import.sh

Starting UniFi Controller SSL Import...
Running in Let's Encrypt Mode...
Inspecting current SSL certificate...
Updated SSL certificate available. Proceeding with import...
Importing the following files:
Private Key: /etc/letsencrypt/live/unifi.netapps.ovh/privkey.pem
CA File: /etc/letsencrypt/live/unifi.netapps.ovh/fullchain.pem
Stopping UniFi Controller...
Updating certificate MD5 checksum...
Backup of original keystore exists!
Creating non-destructive backup as keystore.bak...
Exporting SSL certificate and key data into temporary PKCS12 file...
Removing previous certificate data from UniFi keystore...
Importing SSL certificate into UniFi keystore...
Importing keystore /tmp/tmp.QOI963G8jO to /var/lib/unifi//keystore...
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /var/lib/unifi//keystore -destkeystore /var/lib/unifi//keystore -deststoretype pkcs12".
Removing temporary files...
Restarting UniFi Controller to apply new Let's Encrypt SSL certificate...
Done!

# ściągnięcie gotowego certyfikatu SSL z maszyny certbot do lokalnego folderu /etc/letsencrypt/netapps.ovh/
sudo scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/letsencrypt/live/unifi.netapps.ovh/fullchain.pem
sudo scp 192.168.8.36:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/letsencrypt/live/unifi.netapps.ovh/privkey.pem

# uruchomienie skryptu
/usr/local/bin/unifi_ssl_import.sh

a) zalogować się na docker 192.168.8.30
b)

scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/privkey.pem /home/dockeruser/docker/appdata/npm/data/custom_ssl/npm-2/privkey.pem
scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /home/dockeruser/docker/appdata/npm/data/custom_ssl/npm-2/fullchain.pem

c) docker restart nginx-proxy-manager

# z konsoli serwera openmediavault sprawdzamy uuuid certyfikatu
omv-confdbadm read "conf.system.certificate.ssl" | jq -r '.[] | "\(.uuid)"'

d9e56d83-386c-4a74-a828-13d8816e1a53

# zakładamy katalog na pobrane z certbota certyfikaty
mkdir -p /etc/letsencrypt/

# kopiujemy z maszyny certbot potrzebne certyfikaty
sudo scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/fullchain.pem /etc/letsencrypt/fullchain.pem
sudo scp 192.168.20.35:/etc/letsencrypt/live/netapps.ovh/privkey.pem /etc/letsencrypt/privkey.pem

# instalujemy skryptem update_cert.sh 
sudo /usr/local/sbin/update_cert.sh d9e56d83-386c-4a74-a828-13d8816e1a53 /etc/letsencrypt/fullchain.pem /etc/letsencrypt/privkey.pem

# restart serwera
sudo reboot