How to set https to off mode for KeyCloak?

From here I found two commands for that:
https://www.keycloak.org/docs/4.8/server_admin/
kcadm.sh config credentials --server http://[IPv6 here]:8080/auth --realm master --user admin
kcadm.sh update realms/realmname -s sslRequired=NONE
But after running the first command I got:
HTTPS required [invalid_request]

Related

How do I renew my Let's Encrypt TLS certificate on AWS Lightsail Wordpress instance?

I set up a WordPress instance on AWS Lightsail and enabled HTTPS using bncert-tool as per this guide. Today I received an urgent email from Let's Encrypt asking me to renew my TLS certificate(s) that were issued by Let's Encrypt using the TLS-ALPN-01 validation method.
How do I renew the certificate?
SSH into your Lightsail instance and run the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
In the preceding commands, replace EMAIL-ADDRESS and DOMAIN with the correct values.
You can use any of your working email addresses. Or, you can use the same email address that you used when you installed the certificate. You can retrieve the email you used when installing the certificate by running the following command:
sudo ls /opt/bitnami/letsencrypt/accounts/acm*
You can confirm the domain name by running the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
For more info, please refer to this documentation
By default, Bitnami bncert-tool now renews the certificate automatically each month.
Source: generate-install-lets-encrypt-ssl
Run the following command:
sudo /opt/bitnami/bncert-tool
If you encounter the message "Account [EMAIL ADDRESS] is not registered. Use 'run' to register a new account.", use this command to register a new account and create a new certificate:
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
Source: letsencrypt community

Can Cloudinit be used to automate complex configuration such as UFW and Apache

Cloudinit can handle basic configuration like creating users and groups, installing packages, mounting storage, and more (see Cloud Config Examples). But can it handle more complex tasks like the ones below, and if so, how? A minimal working example would be appreciated.
# KNOWN: Replicating the below user creation with sudo privileges and a home
# directory is possible through cloudinit
sudo adduser johnny
sudo usermod -aG sudo johnny
# KNOWN: Replicating the below public/private key creation is possible through
# cloudinit
ssh johnny@10.0.0.1 "ssh-keygen -t rsa"
# UNKNOWN: Is it possible to update the firewall rules in cloudinit or should
# one simply SSH in afterwards like so
ssh johnny@10.0.0.1 "
sudo ufw enable
sudo ufw allow http
sudo ufw allow https"
# UNKNOWN: Is it possible to deploy LetsEncrypt certificates or should one
# simply SSH in afterwards like so
ssh johnny@10.0.0.1 "
sudo service apache2 restart
sudo certbot --apache"
# UNKNOWN: Is it possible to clone and install git repositories or should one
# simply SSH in afterwards like so
ssh johnny@10.0.0.1 "
GIT_NAME=johnny
GIT_EMAIL=johnny.rico@citizen.federation
git config --global user.name $GIT_NAME
git config --global user.email $GIT_EMAIL
git clone git@github.com:Federation/clandathu.git
cd clandathu/install
make --kill-em-all
sudo make install"
If you're referring specifically to the cloud-config, then none of the unknowns that you have listed have specific modules for them. However, you can also run arbitrary shell scripts via the runcmd module, or by specifying a script as your user data instead of a cloud config. It just has to start with #! rather than #cloud-config. If you want both a cloud config and a custom shell script, you can build a MIME multi-part archive with a cloud-init helper command.
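A minimal cloud-config that covers the two KNOWN items with native modules and all three UNKNOWN items through runcmd, as the answer suggests. This is an added example, not code from the question or the answer; it assumes an Ubuntu image with apt, and example.com, the authorized key and the repository URL are placeholders to replace.

```yaml
#cloud-config
# Added example (not from the question or the answer above): KNOWN items use the
# users module, UNKNOWN items run as ordinary shell commands under runcmd.
# Assumptions: Ubuntu image with apt; example.com, the authorized key and the
# repository URL are placeholders.
ssh_pwauth: false                 # key-only SSH; password logins stay disabled
users:
  - name: johnny
    groups: [sudo]
    shell: /bin/bash
    # the account has no password, so sudo must be passwordless or it is unusable
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...REPLACE-WITH-YOUR-PUBLIC-KEY johnny@laptop
package_update: true
packages: [ufw, apache2, git, certbot, python3-certbot-apache]
runcmd:
  # UNKNOWN 1: firewall. Allow SSH before enabling, or the instance locks you out.
  - ufw allow ssh
  - ufw allow http
  - ufw allow https
  - ufw --force enable
  # UNKNOWN 2: Let's Encrypt. --apache completes the challenge through the running
  # Apache instead of binding port 80/443 itself; DNS must already point here.
  - systemctl restart apache2
  - certbot --apache --non-interactive --agree-tos --redirect -m johnny.rico@citizen.federation -d example.com
  # UNKNOWN 3: git. Configure and clone as johnny, then build and install as root.
  - su - johnny -c "git config --global user.name johnny"
  - su - johnny -c "git config --global user.email johnny.rico@citizen.federation"
  - su - johnny -c "git clone https://github.com/Federation/clandathu.git"
  - make -C /home/johnny/clandathu/install
  - make -C /home/johnny/clandathu/install install
```

Because the certbot step uses the Apache plugin rather than --standalone, it does not need to bind port 443 itself, which is the failure mode discussed in the renewal question further down this page.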

Letsencrypt renewal fails: Could not bind to IPv4 or IPv6.. Skipping

The full error message I'm getting is:
Attempting to renew cert from /etc/letsencrypt/renewal/somedomain.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
This is running on an AWS Ubuntu 14.04 instance. All ports are open outgoing and 443 is open incoming.
You just need to stop all running servers like Apache, nginx or OpenShift before doing this.
Stop Nginx
sudo systemctl stop nginx
Stop Apache2
sudo systemctl stop apache2
You probably ran the script with the (preconfigured) --standalone option while your server was already running on port 443.
You can stop the servers before renewing and start them afterwards.
man says:
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script hooks
If I run renew with --apache I don't get any error.
As hinted in the other answers, you need to pass the option for your running webserver, for example:
Without webserver param:
sudo certbot renew
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges: tls-sni-01 challenge for example.com
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected
error:
Problem binding to port 443: Could not bind to IPv4 or IPv6..
Skipping.
Then, again with the webserver param (success):
sudo certbot renew --nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges: tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
Congratulations, all renewals succeeded. The following certs have been
renewed: /etc/letsencrypt/live/example.com/fullchain.pem (success)
[This is specifically for Ubuntu]
Login as root user to your server
Stop your server using the following command (for nginx)
service nginx stop
Then renew your certificate
certbot renew
Start your server
service nginx start
[TIP] To check the expiry date of your renewed certificate, enter the command below
ssl-cert-check -c [Path_to_your_certificate]/fullchain.pem
For example
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/fullchain.pem
Or
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/cert.pem
If you don't have ssl-cert-check already installed in your server, install it using
apt install ssl-cert-check
Note: The certificate can be renewed only if it has not expired. If it has expired, you have to create a new one.
For NodeJS/PM2 users
I was using PM2 for my NodeJS service and when trying to renew the certificate I also got the "Problem binding to port 80: Could not bind to IPv4 or IPv6." error message.
As mentioned in the above answers for Apache/Nginx, stopping my service and then trying to renew solved the problem.
pm2 stop all
sudo certbot renew
pm2 start all
First you need to install the Nginx Let's Encrypt plugin (if you work with Nginx):
sudo apt install python-certbot-nginx
Then you can safely run:
sudo certbot renew --nginx
and it will work.
Note: certbot should already be installed.
For nginx
sudo certbot renew --nginx
This happened because you used --standalone. The purpose of that option is to launch a temporary webserver because you don't have one running.
Next time use the --webroot method, and you'll be able to use your already running nginx server.
Borrowing from @JKLIR, simply run
/etc/letsencrypt/letsencrypt-auto renew --apache >> /var/log/letsencrypt/renew.log
to renew the SSL certificate.
If you're trying to perform the certbot command as a regular user, you may not have access to bind to port 80 and other lower ports. If this is the case, you can grant python access to bind via:
First, see if you can find python 3+ (adjust as needed)
echo "$(readlink -f "$(which python3)")"
Allow python to open port 80 as a regular user (adjust as needed)
sudo setcap CAP_NET_BIND_SERVICE=+eip "$(readlink -f "$(which python3)")"
Re-run the failing certbot command.
Important: On Ubuntu 18.04, Python is called python3. It may be called a number of different things depending on the OS and how you obtained certbot. This command WILL VARY between OSs.
Warning: These lower ports are restricted for good reason. There are security considerations with the setcap command. You may read more about them here: https://superuser.com/a/892391
I use Nginx and needed to stop the server before I could proceed. Then I ran the command:
$ sudo ./certbot-auto certonly --standalone -d chaklader.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chaklader.ddns.net
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxx.chakfffder@gmail.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cdddddder.ddns.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/chaklader.ddns.net/privkey.pem
Your cert will expire on 2045-01-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
I had a similar issue when I was running two websites (hosts) on a single instance. I stopped Nginx and then ran sudo certbot certonly --standalone --preferred-challenges http -d domain.com -d www.domain.com. After restarting Nginx everything started to work fine.

Laravel Envoy with Vagrant: Permission denied (publickey)

Trying to use Envoy via Vagrant (Homestead) to deploy to a server on EC2 for which I would normally use a .PEM file when I SSH into it.
When using: @servers(['web' => 'ec2-user@myserver.com']) in my Envoy.blade.php
I get: Permission denied (publickey).
Any help would be huge!
Answer is here: https://stackoverflow.com/a/32088143/13346162
You need to pass -A in your SSH string (as per the man page: "Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file").
You will also need to add your SSH key for agent forwarding (on the machine which can access the git remote, which I assume is your localhost):
ssh-add -K ~/.ssh/your_private_key
Something like this
@servers(['web' => '-A user@domain.com'])
@task('deploy')
cd /path/to/site
git status
@endtask
Git remote commands should now work.

chef-solo stop asking server password multiple times

When I run the bootstrap command, it asks for the password many times:
Running Chef on 123.123.123.123...
Installing Librarian cookbooks...
Uploading the kitchen...
Enter the password for root@123.123.123.123:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
root@123.123.123.123's password:
Generating solo config...
root@123.123.123.123's password:
Running Chef...
Starting Chef Client, version 11.10.4
Is there some way to stop this and enter the password a single time?
Looking at the knife bootstrap -h documentation:
knife bootstrap FQDN (options)
--bootstrap-no-proxy [NO_PROXY_URL|NO_PROXY_IP]
Do not proxy locations for the node being bootstrapped; this option is used internally by Opscode
--bootstrap-proxy PROXY_URL The proxy server for the node being bootstrapped
--bootstrap-version VERSION The version of Chef to install
-N, --node-name NAME The Chef node name for your new node
--server-url URL Chef Server URL
--chef-zero-port PORT Port to start chef-zero on
-k, --key KEY API Client Key
--[no-]color Use colored output, defaults to false on Windows, true otherwise
-c, --config CONFIG The configuration file to use
--defaults Accept default values for all questions
--disable-editing Do not open EDITOR, just accept the data as is
-d, --distro DISTRO Bootstrap a distro using a template
-e, --editor EDITOR Set the editor to use for interactive commands
-E, --environment ENVIRONMENT Set the Chef environment
-j JSON_ATTRIBS, A JSON string to be added to the first run of chef-client
--json-attributes
-F, --format FORMAT Which format to use for output
-A, --forward-agent Enable SSH agent forwarding
--hint HINT_NAME[=HINT_FILE] Specify Ohai Hint to be set on the bootstrap target. Use multiple --hint options to specify multiple hints.
--[no-]host-key-verify Verify host key, enabled by default.
-i IDENTITY_FILE, The SSH identity file used for authentication
--identity-file
-z, --local-mode Point knife commands at local repository instead of server
-u, --user USER API Client Username
--prerelease Install the pre-release chef gems
--print-after Show the data after a destructive operation
-r, --run-list RUN_LIST Comma separated list of roles/recipes to apply
-s, --secret The secret key to use to encrypt data bag item values
--secret-file SECRET_FILE A file containing the secret key to use to encrypt data bag item values
-G, --ssh-gateway GATEWAY The ssh gateway
-P, --ssh-password PASSWORD The ssh password
-p, --ssh-port PORT The ssh port
-x, --ssh-user USERNAME The ssh username
--template-file TEMPLATE Full path to location of template to use
--sudo Execute the bootstrap via sudo
--use-sudo-password Execute the bootstrap via sudo with password
-V, --verbose More verbose output. Use twice for max verbosity
-v, --version Show chef version
-y, --yes Say yes to all prompts for confirmation
-h, --help Show this message
You can see there's the option to pass the --sudo, --use-sudo-password, and --ssh-password options. Without more information, I can't tell you which one to use, but one of those will let you specify the password during bootstrap.