How to install Certbot (Let's Encrypt) without interaction? - bash

I am writing a bash script which bootstraps the whole project infrastructure on a freshly installed server, and I want to configure SSL installation with Let's Encrypt Certbot. After I execute the line:
certbot --nginx -d $( get_server_name ) -d www.$( get_server_name ).com
I get prompted for a few questions. Can certbot be run without any interaction while passing some of the params as arguments or something?

You can run certbot 'silently' by adding the following options:
--non-interactive --agree-tos -m webmaster@example.com
The full list of config options is available here:
https://certbot.eff.org/docs/using.html

There are several inline flags and "subcommands" (their nickname) provided by Certbot that can help to automate the process of generating free SSL certificates using Bash or shell scripts.
The most relevant flag as mentioned by @match is:
--noninteractive ...or alternatively... --non-interactive
However in reality this flag is not very helpful, because it doesn't do very much. If there are critical flags missing from your script, for example, the certificate will still fail to generate. Frankly, I think it would be better for Certbot to cancel the above flag, because it's rather misleading.
Here are the minimum flags required:
--agree-tos
--register-unsafely-without-email ...or... -m username@example.com
-d example.com and/or -d www.example.com
You also must specify what type of Let's Encrypt installer plugin (environment) you want; for example you can choose from "standalone" or "manual" etc. For most cases, like a WordPress web server, you should choose "webroot" so that Certbot can easily verify ownership via the public root (make sure access to /.well-known* is not blocked):
--webroot -w /var/www/html/
Here is the complete command we use in SlickStack to install SSL certs:
## install Certbot SSL certificate ##
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_TLD} -d www.${SITE_TLD} -d staging.${SITE_TLD} -d dev.${SITE_TLD} --register-unsafely-without-email --webroot -w /var/www/html/
In our case we hardcode the --cert-name to be slickstack because only one website is installed on each VPS server, so it makes other server admin tasks (and scripts) easier to manage. However, if you are installing several domains and SSL certs on the same server, you could change the subcommand --cert-name to be named after each TLD domain instead, etc. This affects the SSL directory names, thus helping to keep your files/folders nice and tidy.
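An added example, not code from the answers above, that wraps the non-interactive webroot issuance the answers describe: it validates the domain arguments, composes the flag list the answers name, and checks locally that the .well-known/acme-challenge path under the webroot is actually served before contacting the CA. The helper names, the curl preflight and the default webroot path are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the answers above: run certbot without
# prompts for a webroot-based issuance, with input checks and a local
# preflight. Assumed: certbot and curl on PATH; the webroot is served
# over plain HTTP for the domain (what the HTTP-01 challenge needs).
set -eu

# Accept only plausible hostnames, so a bad SITE_TLD value cannot add
# unintended flags to the certbot command line.
valid_domain() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Compose the argument list, one argument per line, so it can be
# inspected (and tested) without executing certbot.
certbot_args() {
  local cert_name=$1 email=$2 webroot=$3 d
  shift 3
  printf '%s\n' certonly --non-interactive --agree-tos \
    --cert-name "$cert_name" --webroot -w "$webroot"
  if [ -n "$email" ]; then
    printf '%s\n' -m "$email" --no-eff-email
  else
    printf '%s\n' --register-unsafely-without-email
  fi
  for d in "$@"; do
    valid_domain "$d" || { echo "invalid domain: $d" >&2; return 1; }
    printf '%s\n' -d "$d"
  done
}

# Preflight: put a token under .well-known/acme-challenge and fetch it the
# way the CA will, so a blocked path fails here instead of at Let's Encrypt.
preflight_webroot() {
  local webroot=$1 domain=$2 token="preflight-$$" body
  mkdir -p "$webroot/.well-known/acme-challenge"
  echo "$token" > "$webroot/.well-known/acme-challenge/$token"
  body=$(curl -fsS --max-time 10 \
    "http://$domain/.well-known/acme-challenge/$token" || true)
  rm -f "$webroot/.well-known/acme-challenge/$token"
  [ "$body" = "$token" ]
}

main() {
  local site=$1 webroot=${2:-/var/www/html} email=${3:-} arglist
  preflight_webroot "$webroot" "$site" \
    || { echo "challenge path not reachable via http://$site" >&2; exit 1; }
  arglist=$(certbot_args "$site" "$email" "$webroot" "$site" "www.$site")
  # one argument per line -> NUL-separated -> certbot, preserving spaces
  printf '%s\n' "$arglist" | tr '\n' '\0' | xargs -0 certbot
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Invoke as `./issue-cert.sh example.com /var/www/html admin@example.com`; omitting the email registers without one, as the SlickStack command above does.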

Apache Virtualhost One IP multiple laravel project [duplicate]

The problem is that I have only one domain name on which three different products need to be run (two of them PHP based and one python). So I need to treat the path in the URL as a different virtual host; i.e.:
www.domain.com/first_URL/
www.domain.com/second_URL/
www.domain.com/third_URL/
Where the first to third will act as separate virtual hosts.
How can I do this?
This can be achieved by using the Alias or AliasMatch directive:
Alias /first_url/ /var/www/first_url_resources
More details can be found in Apache Module mod_alias.
A "virtual host" in Apache works on domain names only, not on parts of the path. You cannot achieve what you want.
This example explains how to assign a different PHP version per directory. It can also be adapted to add Python support by running the Python interpreter as FastCGI on a particular port.
For the purpose of the example, I assume there is a separate directory for each PHP version and they are named according to the PHP version that runs them, but this can be adjusted.
mkdir /home/user/www
mkdir /home/user/www/5.6.5
mkdir /home/user/www/7.0.2
mkdir /home/user/www/7.0.4
mkdir /home/user/www/7.0.6
Create symbolic links to directories that should be handled by different PHP versions:
sudo ln -s /home/user/www/7.0.2/ /var/www/html/7.0.2
sudo ln -s /home/user/www/7.0.4/ /var/www/html/7.0.4
sudo ln -s /home/user/www/7.0.6/ /var/www/html/7.0.6
Then add the following lines to /etc/apache2/sites-enabled/000-default.conf in default virtual host *:80
(For your needs, you can set up one more FastCGI handler here for the website that requires Python). I assume PHP 5.6.5 runs on port 9999, 7.0.2 runs on port 9998, etc.
DirectoryIndex index.html index.php
ProxyPassMatch ^/5.6.5/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9999/var/www/html/
ProxyPassMatch ^/7.0.2/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9998/var/www/html/
ProxyPassMatch ^/7.0.4/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9997/var/www/html/
ProxyPassMatch ^/7.0.6/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9996/var/www/html/
Assuming your server is pointed by example.com, you can test it on:
http://example.com/5.6.5/
http://example.com/7.0.2/
http://example.com/7.0.4/
http://example.com/7.0.6/
You probably want to do something with the apache-config directives, since you're asking for a virtualhost solution. Apache can only work with virtualHosts as actual domains, as cweiske explained.
The solution in this case would be to either use a .htaccess file in the sub-directories you're working in, or to set up a <Directory "/web/root/subdir">..</Directory> block within your current (virtual-)host configuration.
You could also choose to host them on different sub-domains if you per se want to run them as VirtualHosts ('app1.domain.org').

Puppet certificate store

I have a Puppet Enterprise Master Server 2018.1.3 which should get the code with Code Manager from a Git repository via HTTPS, where the server certificate of the Git server is signed by a third-party CA.
After getting everything (as far as I know) correctly configured, I get the following:
> puppet-code deploy --dry-run
Dry-run deploying all environments.
Errors while collecting a list of environments to deploy (exit code: 1).
ERROR -> Unable to determine current branches for Git source 'puppet'
(/etc/puppetlabs/code-staging/environments)
Original exception:
The SSL certificate is invalid
Executing r10k directly produces a similar error, which makes sense, since I have not installed the third-party CA certificate anywhere yet.
So I thought, r10k most likely runs JRuby which runs Java (I do not have any idea about Ruby), so I will install the certificate in the JVM:
keytool -import -file gitCA.cer -alias gitCA -keystore /opt/puppetlabs/server/apps/java/lib/jvm/java/jre/lib/security/cacerts -storepass changeit
But I am still getting the same error, also after a system restart. So OK, it means r10k does not use JRuby but Ruby, so I will also install the certificate in the OS: I put the certificate under /etc/pki/trust/anchors and called update-ca-certificates (on SLES12). After that, I can access the Git repo URL with wget without getting any certificate error, so the certificate is installed in the OS correctly, but still, even after a system restart, I am getting the same error with r10k.
After a lot of googling for certificate stores and Ruby, I found out that
export SSL_CERT_FILE=<path_to_cert>
fixes the direct call of r10k:
> r10k deploy display --fetch
---
:sources:
- :name: :puppet
  :basedir: "/etc/puppetlabs/code/environments"
  :remote: https://xxx@git.xxx/git/puppet
  :environments:
  - develop
  - master
  - production
  - puppet_test
But puppet-code is still not working, with the same error message. But I thought, obviously I am root right now and puppet-code is executed by user pe-puppet, so I put the export command in the /etc/profile.local file, so it is available to all users.
Still not working, even after a system restart and deleting /opt/puppetlabs/server/data/puppetserver/r10k/, which was created with user root while directly calling r10k.
First question: why does r10k work, but puppet-code not?
Second question: where is the correct place for that certificate?
Many thanks
Michael
UPDATE: 27.AUG.2018
I tried this:
sudo -H -u pe-puppet bash -c '/opt/puppetlabs/puppet/bin/r10k deploy display --fetch'
which did not work, despite my setting the SSL_CERT_FILE variable in the /etc/profile.local file.
But I got it working by setting the variable in the /etc/environment file.
But puppet-code is still not working. Why?
For those looking for a solution to this problem, check out this post on the Puppet Support Base.
Simply put you have two options:
Use a Git source instead of an HTTPS source to refer to your repository in your Puppetfile. This option requires adding SSH keys to your Puppet master and your repository.
Add a certificate authority (CA) cert for the repository to the list of trusted CAs in /opt/puppetlabs/puppet/ssl/cert.pem.
Option one: Use a Git source instead of an HTTPS source
To deploy code from your repository using a Git source, configure a private SSH key on your Puppet master and a public SSH key on your repository:
In your Puppetfile, change references to your Git repository from an HTTPS source to a Git source:
For example, change:
mod 'site_data', :git => 'https://example.com/user/site_data.git',
to:
mod 'site_data', :git => 'ssh://user@example.com:22/user/site_data.git',
Configure your SSH keys. Configure the private key using our documentation on how to Declare module or data content with SSH private key authentication for PE 2018.1.
Note: Use the version selector to choose the right version of our documentation for your deployment.
The details of configuring your public key depend on how your Git repository is configured. Talk to your Git repository administrator.
Option two: Add a trusted CA cert
If you are unable to specify a Git source, add your repository to the list of CAs trusted by Code Manager by adding a CA cert to the file /opt/puppetlabs/puppet/ssl/cert.pem.
Transfer the cert (ca.pem) file to your CA node.
On the CA node, add the cert to the list of CAs trusted by Code Manager: cat ca.pem >> /opt/puppetlabs/puppet/ssl/cert.pem
Agent runs won't revert changes made to cert.pem because the file isn't managed by PE, but upgrades to PE will overwrite the file. After you upgrade PE, you must add the CA cert to cert.pem again.
So, I got it working, but I am not happy with the solution.
I turned on debug logging in /etc/puppetlabs/puppetserver/logback.xml, confirming that puppet-code is indeed calling r10k:
2018-08-27T14:54:24.149+02:00 DEBUG [qtp462609859-78] [p.c.core] Invoking shell:
/opt/puppetlabs/bin/r10k deploy --config /opt/puppetlabs/server/data/code-manager/r10k.yaml --verbose warn display --format=json --fetch
2018-08-27T14:54:24.913+02:00 ERROR [qtp462609859-78] [p.c.app] Errors while collecting a list of environments to deploy (exit code: 1).
ERROR -> Unable to determine current branches for Git source 'puppet' (/etc/puppetlabs/code-staging/environments)
Original exception:
The SSL certificate is invalid
So I did it the very quick and dirty way:
cd /opt/puppetlabs/puppet/bin/
mv r10k r10k-bin
touch r10k
chmod +x r10k
vi r10k
and
#!/bin/bash
export SSL_CERT_FILE=<new_cert_path>
/opt/puppetlabs/puppet/bin/r10k-bin "$@"
Now it is working:
puppet:~ # puppet-code deploy --dry-run
Dry-run deploying all environments.
Found 5 environments.
But I am not happy; any better idea?
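An added example (not from the question or the answers) for the "add a trusted CA cert" option above, as an alternative to wrapping the r10k binary: it verifies with openssl s_client that the candidate CA actually validates the Git server's chain, then appends it to /opt/puppetlabs/puppet/ssl/cert.pem only if it is not already there, keeping a backup so the step can be repeated after a PE upgrade rewrites the file. The openssl check, the helper names and the default bundle path are assumptions taken from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the question or answers: trust a third-party CA
# for r10k/Code Manager by extending the bundle named in option two,
# instead of wrapping the r10k binary. Assumed: openssl on PATH; the
# bundle path is the PE 2018.1 one quoted above; the caller supplies the
# git server host (and port) so the CA is verified before being trusted.
set -eu

# Base64 body of the first certificate in a PEM file, joined on one line.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/{f=1;next}
       /-----END CERTIFICATE-----/{exit} f' "$1" | tr -d '\n\r'
}

# True if the bundle already holds exactly this certificate, so re-running
# the script (e.g. after a PE upgrade rewrote cert.pem) adds no duplicates.
bundle_contains() {
  local body
  body=$(pem_body "$1")
  [ -n "$body" ] && [ -f "$2" ] && tr -d '\n\r' < "$2" | grep -qF -- "$body"
}

# Refuse to trust a CA that does not actually validate the git server's
# chain; -verify_return_error turns a verification failure into a nonzero exit.
ca_validates_host() {
  local ca=$1 host=$2 port=${3:-443}
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Append the CA to the bundle once, keeping a timestamped backup and making
# sure the previous last line is terminated so PEM blocks do not run together.
add_trusted_ca() {
  local ca=$1 bundle=$2
  if bundle_contains "$ca" "$bundle"; then
    echo "already trusted: $ca"
    return 0
  fi
  if [ -f "$bundle" ]; then
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
    [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"
  fi
  cat "$ca" >> "$bundle"
  echo "appended $ca to $bundle"
}

main() {
  local ca=$1 host=$2 bundle=${3:-/opt/puppetlabs/puppet/ssl/cert.pem}
  ca_validates_host "$ca" "$host" \
    || { echo "$ca does not validate $host; not adding it" >&2; exit 1; }
  add_trusted_ca "$ca" "$bundle"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Invoke as `./trust-git-ca.sh gitCA.cer git.example.com` (a constructed host name); re-running it after a PE upgrade restores the CA without creating a second copy.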

Problems creating let's encrypt cert on Mac OS: invalid header value

Three months ago I could create Let's Encrypt certs on Mac successfully by following the instructions in this tutorial.
Now that I have tried to do exactly the same, Let's Encrypt has updated itself and it shows me the following error:
Macbook$ pwd
/Applications/certbot
Macbook$ ./certbot-auto certonly --standalone -d domain1.com -d domain2.com -d domain3.com -d domain4.com
Requesting root privileges to run certbot...
/Users/Me/.local/share/letsencrypt/bin/letsencrypt certonly --standalone -d domain1.com -d domain2.com -d domain3.com -d domain4.com
Password:
An unexpected error occurred:
ValueError: Invalid header value 'CertbotACMEClient/0.8.0 (darwin 10.10.5\n) Authenticator/standalone Installer/None'
Please see the logfiles in /var/log/letsencrypt for more details.
I removed the letsencrypt folder and this time tried installing from git clone https://github.com/certbot/certbot but I still get the same error :(
I don't know if this is the same reported issue at github and I don't know either whether this has been solved or not.
I just tried again by downloading the clone one more time, but it still doesn't work. :(
Does anybody know how to fix this? Or is there another, simpler way out there to get the certs (for example, online)?
I have found this one but it still looks complicated.
I had this problem too, and this pull request (that has been merged to master) seems to have fixed it:
https://github.com/certbot/certbot/pull/3118
Note that after updating your git checkout to this code, you may still see the issue if a cached version of certbot is used or if certbot-auto updates itself and overwrites the fix from the source code.
Note the recommendation in this comment to remove cached files and run with --no-self-upgrade:
$ rm -fr ~/.local/share/letsencrypt
$ ./certbot-auto --no-self-upgrade --debug certonly ...

Generate a certificate with letsencrypt locally

I'm new to generating certificates and using letsencrypt, so I'm not sure if this is a dumb question or even possible.
I want to create a small example webapplication using node.js. And I want to test how to implement https, and how to get a proper certificate.
So I tried to use letsencrypt. But it doesn't seem to work.
I'm using my local machine (Win10) and I'm cloning the git repository. Afterwards I try to execute the command ./letsencrypt-auto but Windows won't recognize the script as a command.
How is it possible to use letsencrypt locally on my Win10 machine, where no webserver is (usually) running?
letsencrypt-auto only works with Apache on Debian-based OSes (for now). There's no way to use it on Windows, yet.
That said, people are trying. You might find this project interesting. (Disclaimer: I have no affiliation with that and haven't tried it myself.)
Alternatively you can look at https://github.com/minio/concert, built using golang; you can get a Windows binary quite naturally.
Install
You need to have golang installed to compile concert.
$ go get -u github.com/minio/concert
How to run?
Generates certs in certs directory by default.
$ sudo concert gen <EMAIL> <DOMAIN>
Generate certificates in custom directory.
$ sudo concert gen --dir my-certs-dir <EMAIL> <DOMAIN>
Renew certificates in certs directory by default.
$ sudo concert renew <EMAIL>
Generate certificates in custom directory.
$ sudo concert renew --dir my-certs-dir <EMAIL>
Run a server with automatic renewal.
$ sudo concert server <EMAIL> <DOMAIN>
Alternatively, you can use ngrok to expose your local port 80 and make it available to the world via the secure tunnel on subdomain.ngrok.io. There is also a possibility to pass that domain as a CNAME for your own domain name.
All you have to do is:
Create a free account with https://ngrok.com/. It works on all operating systems.
Run ngrok http 80 and note your subdomain.ngrok.io
Add the above subdomain to your /etc/hosts as 127.0.0.1 subdomain.ngrok.io. This way you will be able to access that domain locally with SSL, while ngrok will make sure Let's Encrypt is able to access it via the Internet.
Edit: Note that this method might not work reliably. Let's Encrypt has a rate limit of 20 certificates per registered domain, which means up to 20 certificates in total can be generated for all ngrok users per week.
Disclaimer: I have no affiliation with ngrok.io.

Hosting Git Repository in Windows

Is there currently a way to host a shared Git repository in Windows? I understand that you can configure the Git service in Linux with:
git daemon
Is there a native Windows option, short of sharing folders, to host a Git service?
EDIT:
I am currently using the cygwin install of git to store and work with git repositories in Windows, but I would like to take the next step of hosting a repository with a service that can provide access to others.
Here are some steps you can follow to get the git daemon running under Windows:
(Prerequisites: A default Cygwin installation and a git client that supports git daemon)
Step 1: Open a bash shell
Step 2: In the directory /cygdrive/c/cygwin64/usr/local/bin/, create a file named "gitd" with the following content:
#!/bin/bash
/usr/bin/git daemon --reuseaddr --base-path=/git --export-all --verbose --enable=receive-pack
Step 3: Run the following cygrunsrv command from an elevated prompt (i.e. as admin) to install the script as a service (Note: assumes Cygwin is installed at C:\cygwin64):
cygrunsrv --install gitd \
--path c:/cygwin64/bin/bash.exe \
--args c:/cygwin64/usr/local/bin/gitd \
--desc "Git Daemon" \
--neverexits \
--shutdown
Step 4: Run the following command to start the service:
cygrunsrv --start gitd
You are done. If you want to test it, here is a quick and dirty script that shows that you can push over the git protocol to your local machine:
#!/bin/bash
# Stop at the first failing step so a half-created repo is not pushed to.
set -e
echo "Creating main git repo ..."
# Bare repository under the daemon's --base-path (/git)
mkdir -p /git/testapp.git
cd /git/testapp.git
git init --bare
# Marks the repo as exportable (redundant with --export-all, harmless otherwise)
touch git-daemon-export-ok
echo "Creating local repo ..."
cd
mkdir -p testapp
cd testapp
git init
echo "Creating test file ..."
touch testfile
git add -A
git commit -m 'Test message'
echo "Pushing master to main repo ..."
# Push over the git protocol; requires --enable=receive-pack on the daemon
git push git://localhost/testapp.git master
GitStack might be your best choice. It is currently free (for up to 2 users) and open source at the time of writing.
Here's a dedicated git server for windows: https://github.com/jakubgarfield/Bonobo-Git-Server/wiki
If you are working in a Windows environment, have you considered Mercurial? It is a distributed version control system like Git, but integrates far more neatly and easily with Windows.
Installing Cygwin is overkill; read this tutorial on how to do it faster and natively:
http://code.google.com/p/tortoisegit/wiki/HOWTO_CentralServerWindowsXP
If you get the error cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062: The service has not been started. after running the command:
cygrunsrv --start gitd
that means that you did not create the 'base-path' folder.
Creating the folder '/git' and rerunning the command will fix this.
I'm currently using cygwin's ssh daemon on Windows to serve up and allow remote access to my repo. It works quite well, I have complete control over who accesses my repo by their ssh certificates, and the performance blazes, even over remote WAN and VPN links.
Another solution is to use Gitosis. It is a tool that makes hosting repos much easier.
You do not need to host a service, you can also create a shared repository on a shared drive. Just create a bare repository. You can clone an existing repo into a shared one using: "git clone --bare --shared [source] [dest]". You can also init a new repository using "git init --bare --shared=all".
Henk
Have you considered using the cygwin layer? See this link.
Now msysGit supports git daemon! It works fine (for me at least). I'm going to try to make it run as a service...
SCM Manager
Lightweight http-server for Git, Mercurial, Subversion repos from a box (only Java is needed)
Web-interface for management of users, ACLs, repos
On Windows, you can also serve Git repositories with Apache over HTTP or HTTPS, using the DAV extension.
The Git repository path can then be protected with Apache authentication checks such as restricting to certain IP addresses or htpasswd/htdigest type authentication.
The limitation of using htpasswd/htdigest authentication is that the username:password is passed in the requested Git URL, so restricting access to the Git URL to certain IP addresses is better.
Edit: Note, you can leave the password out of the Git URL and Git will prompt you for the password on push and fetch/pull instead.
Using HTTPS means all the data is encrypted in transfer.
It's easy enough to set up, and works.
The following example shows the combination of access control by IP address and user:password over standard HTTP.
Example Apache Virtualhost
## GIT HTTP DAV ##
<VirtualHost *:80>
    ServerName git.example.com
    DocumentRoot C:\webroot\htdocs\restricted\git
    ErrorLog C:\webroot\apache\logs\error-git-webdav.log
    <Location />
        DAV on
        # Restrict Access
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile "C:\webroot\apache\conf\git-htpasswd"
        # To valid user
        Require valid-user
        # AND valid IP address
        Order Deny,Allow
        Deny from all
        # Example IP 1
        Allow from 203.22.56.67
        # Example IP 2
        Allow from 202.12.33.44
        # Require both authentication checks to be satisfied
        Satisfy all
    </Location>
</VirtualHost>
Example .git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = http://username:password@git.example.com/codebase.git
[branch "master"]
    remote = origin
    merge = refs/heads/master
At work I'm using GitBlit GO installed on a Windows Server. It works flawlessly and integrates well with Active Directory for user authentication and authorization. It is also free and open source (Apache licensed).
GitBlit homepage
Only HTTP(S) access is supported, no SSH, but under Windows you shouldn't need anything more.
This is a 2015 answer to a question that is over 7 years old.
For $10 one time payment, from https://bitbucket.org/product/server, one can purchase a 64-bit Windows licence for up to 10 users.
Apparently 32-bit versions are only available via their archive.
Bitbucket Server was previously known as Stash.
Please note that I have not tried this version, but $10 seems like a good deal; here I read that Atlassian gives the $10 to charity. FWIW
I think what Henk is saying is that you can create a shared repository on a drive and then copy it to some common location that both of you have access to. If there is some company server or something that you both have ssh access to, you can put the repository someplace where you can SCP it back to your own computer, and then pull from that. I did this myself for a little while, since I have two computers. It's a hassle, but it does work.
For Windows 7 x64 and Cygwin 1.7.9 I needed to use /usr/bin/gitd as the args argument of cygrunsrv
cygrunsrv --install gitd \
--path c:/cygwin/bin/bash.exe \
--args /usr/bin/gitd \
--desc "Git Daemon" \
--neverexits \
--shutdown
Also, I needed to run bash as an Administrator to install the service.