I've used many tools and methods throughout the years, including certbot. I want to use Let's Encrypt for my certificates, not ZeroSSL. I don't know if it's still the case, but ZeroSSL was (and might still be) creating the private key on their servers, which means they could keep a copy if they wanted. I started with https://letsencrypt.org/ and want to remain with their service, and I'm sure I get to create my private key and it never leaves my server.
I'm using:
- acme.sh, the script found here: https://github.com/acmesh-official/acme.sh, to update the certificates
- freeDNS, https://freedns.afraid.org/, to serve my DNS names (because I no longer have a static IP address)
- letsencrypt, for my free wildcard certificates

Make sure FreeDNS has less than 23 entries, because the challenge will require 2 TXT entries for the DNS verification.
ssh to unifi
curl https://get.acme.sh | sh -s email=politick@gmail.com
export FREEDNS_User="..."
export FREEDNS_Password="..."
./acme.sh --issue --server letsencrypt --dns dns_freedns -d politick.ca -d '*.politick.ca'   # quote the wildcard so the shell does not expand it
# verify that the renewal will run automatically (acme.sh installs a cron entry)
crontab -l
I want to keep using the same private key when I renew my certificate. Although this is slightly less secure in case one of my servers gets compromised and I don't know it, it's much easier to update all my certificates: I don't have it automated in pipelines, but rather in a simple script local to the web servers that retrieves the latest certificate from my primary web server. Because the private key remains the same, I can just update the public part of the certificate (the full chain) and not have to distribute private keys.
Renew the certificate (need to test this documentation)
acme.sh --upgrade
./acme.sh --force --server letsencrypt --dns dns_freedns --renew --signcsr --csr ~/.acme.sh/politick.ca_ecc/politick.ca.csr -d '*.politick.ca'
[Thu Dec 28 19:37:53 UTC 2023] Copy csr to: /home/politick/.acme.sh/politick.ca_ecc/politick.ca.csr
cp: '/home/politick/.acme.sh/politick.ca_ecc/politick.ca.csr' and '/home/politick/.acme.sh/politick.ca_ecc/politick.ca.csr' are the same file
[Thu Dec 28 19:37:54 UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Dec 28 19:37:54 UTC 2023] Creating domain key
[Thu Dec 28 19:37:54 UTC 2023] The domain key is here: /home/politick/.acme.sh/politick.ca_ecc/politick.ca.key
[Thu Dec 28 19:37:54 UTC 2023] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Thu Dec 28 19:37:54 UTC 2023] Getting domain auth token for each domain
[Thu Dec 28 19:37:56 UTC 2023] Getting webroot for domain='politick.ca'
[Thu Dec 28 19:37:56 UTC 2023] Getting webroot for domain='*.politick.ca'
[Thu Dec 28 19:37:57 UTC 2023] politick.ca is already verified, skip dns-01.
[Thu Dec 28 19:37:57 UTC 2023] *.politick.ca is already verified, skip dns-01.
[Thu Dec 28 19:37:57 UTC 2023] Verify finished, start to sign.
[Thu Dec 28 19:37:57 UTC 2023] Lets finalize the order.
[Thu Dec 28 19:37:57 UTC 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1358149336/232563678606'
[Thu Dec 28 19:38:00 UTC 2023] Downloading cert.
[Thu Dec 28 19:38:00 UTC 2023] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04bf86f127d79f61bf2743c3639c00f8ef7e'
[Thu Dec 28 19:38:00 UTC 2023] Cert success.
[Fri 13 Oct 2023 04:10:20 AM UTC] Your cert is in: ~/.acme.sh/politick.ca_ecc/politick.ca.cer
[Fri 13 Oct 2023 04:10:20 AM UTC] Your cert key is in: ~/.acme.sh/politick.ca_ecc/politick.ca.key
[Fri 13 Oct 2023 04:10:20 AM UTC] The intermediate CA cert is in: ~/.acme.sh/politick.ca_ecc/ca.cer
[Fri 13 Oct 2023 04:10:20 AM UTC] And the full chain certs is there: ~/.acme.sh/politick.ca_ecc/fullchain.cer
The SSL library counts the number of dashes in
-----BEGIN EC PRIVATE KEY-----
so if the marker starts with 4 dashes instead of 5, it won't read the file ...
openssl s_client -connect unifi.politick.ca:443 -showcerts </dev/null > newcert   # </dev/null so s_client exits instead of waiting for input
vi newcert # remove everything except the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks
cp newcert /etc/ssl/MyCerts/politick.ca.pem
/etc/init.d/apache2 reload
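The fetch-and-install step above as a script with the checks I would want before reloading, added here as an example and not part of the original notes: it keeps only the PEM blocks (instead of editing newcert by hand), checks the five-dash markers, and refuses to install a chain whose leaf does not match the private key already on this server. The primary host, the pem path and the apache reload come from the notes; KEY_FILE is an assumed location for the local key.

```shell
#!/bin/sh
# Added example, not from the original notes: pull the renewed chain from the
# primary host and install it only if its leaf matches the private key that
# already lives on this server. Host and paths below are assumptions taken
# from the notes; KEY_FILE is a hypothetical location for the local key.
set -eu

PRIMARY="${PRIMARY:-unifi.politick.ca:443}"
PEM_OUT="${PEM_OUT:-/etc/ssl/MyCerts/politick.ca.pem}"
KEY_FILE="${KEY_FILE:-/etc/ssl/MyCerts/politick.ca.key}"   # assumed path

# Keep only the PEM certificate blocks from `openssl s_client -showcerts`
# output; the handshake chatter the notes strip by hand in vi is dropped.
extract_pem_chain() {
    awk '/^-----BEGIN CERTIFICATE-----$/{p=1} p{print} /^-----END CERTIFICATE-----$/{p=0}'
}

# Every BEGIN/END marker must have exactly five dashes on each side; a marker
# with four dashes makes the library reject the file. Returns 0 when all are ok.
pem_markers_ok() {
    ! grep -E '(BEGIN|END) [A-Z ]+' "$1" \
        | grep -Ev '^-----(BEGIN|END) [A-Z ]+-----$' | grep -q .
}

# The leaf (first block) must carry the public key of the key we hold; if the
# renewal produced a new key, this copy must not be installed over the old one.
leaf_matches_key() {   # $1 = chain file, $2 = private key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

install_chain() {
    tmp=$(mktemp)
    # </dev/null closes s_client's stdin so it returns instead of waiting for input
    openssl s_client -connect "$PRIMARY" -servername "${PRIMARY%%:*}" -showcerts \
        </dev/null 2>/dev/null | extract_pem_chain >"$tmp"
    if ! pem_markers_ok "$tmp"; then echo "malformed PEM markers" >&2; rm -f "$tmp"; return 1; fi
    if ! leaf_matches_key "$tmp" "$KEY_FILE"; then echo "leaf does not match $KEY_FILE" >&2; rm -f "$tmp"; return 1; fi
    # refuse a chain whose leaf is already within a day of expiry
    if ! openssl x509 -in "$tmp" -noout -checkend 86400; then echo "leaf about to expire" >&2; rm -f "$tmp"; return 1; fi
    install -m 0644 "$tmp" "$PEM_OUT" && rm -f "$tmp"
    /etc/init.d/apache2 reload
}

if [ "${1:-}" = "--run" ]; then install_chain; fi
```

Run it as `sh fetch-chain.sh --run` from the secondary web server's script; any failed check leaves the currently installed pem untouched.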
# nextcloud
# open shell in truenas jail
root@nextCloud:~/ # cd cert
root@nextCloud:~/cert # /usr/local/etc/rc.d/nginx restart
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 39184.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local