BNMR: SSL certificates

From DaqWiki

isdaq01 currently runs CentOS 6, which is not supported by certbot. It also does not run an Apache/nginx reverse proxy; instead each experiment's web server is exposed on its own port. We also do not want to use self-signed SSL certificates, as browsers are making them harder and harder to accept.

Enter which is a bash script that can talk to LetsEncrypt and other SSL certificate issuers.


As root on isdaq01:

# Install socat so we can spin up a "standalone" server to answer the
# Let's Encrypt HTTP-01 challenge (port 80 must be reachable from the
# internet while a certificate is issued), as we don't use Apache/nginx.
yum install socat

# Install
git clone
./ --install -m

# Issue the certificate (see below for the post-hook script)
--issue --standalone -d --server letsencrypt --post-hook /root/


Installing it automatically creates a cron entry in the root user's crontab that runs once per day and renews any certificate that is close to expiry. The post-hook is run as part of each renewal, so the deploy script below needs no cron entry of its own.

Post-hook script - deploy for bnmr and bnqr

mhttpd looks for a file called ssl_cert.pem in ~/online. This file must contain both the certificate and the private key, and must be readable by the bnmr/bnqr user, so a symlink to the actual files in /root (which is normally readable only by root) won't work. A script is therefore run after each renewal to copy the certificate and key into the correct locations and restart mhttpd. Because the file contains the private key, it should be owned by the experiment user and readable by nobody else (mode 0600); check this with ls -l after the first deployment. Note also that pkill only sends SIGTERM and returns immediately, so if the old mhttpd is slow to exit, the new instance may fail to bind its port; if that happens, add a short wait between the pkill and the su lines.

The script in /root/ is:

# Work in the directory holding the issued certificate and key
cd /root/
# Concatenate the certificate and private key into one file
cat >
# Copy it into each experiment's ~/online and hand ownership to that user
cp /home/bnmr/online/ssl_cert.pem
cp /home/bnqr/online/ssl_cert.pem
chown bnmr /home/bnmr/online/ssl_cert.pem
chown bnqr /home/bnqr/online/ssl_cert.pem
# Restart mhttpd so it picks up the new certificate
pkill -u bnmr mhttpd
pkill -u bnqr mhttpd
su -l bnmr -c 'mhttpd -D'
su -l bnqr -c 'mhttpd -D'
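The post-hook above leaves two things to chance: the mode of the copied file, which holds the private key, and the gap between pkill and the restart. The following is an added example, not the page's or the experiment's own script, showing a hardened version of the same deploy step: the combined file is written 0600 into a private temp file, moved into place atomically, and the old mhttpd is waited for before the new one starts. The /root/CERTDIR placeholder, the cert.pem/key.pem file names and the helper names are assumptions; the sample PEM pair it writes is constructed and not cryptographically valid. It checks only that both PEM blocks are present; verify the deployed certificate itself with `openssl x509 -in /home/bnmr/online/ssl_cert.pem -noout -dates` after the first renewal.

```shell
#!/bin/bash
# Added example, not the DaqWiki page's own post-hook. Paths under /root,
# the user list and the function names are assumptions.
set -u

# deploy_cert CERT KEY DEST USER
# Concatenates CERT and KEY into DEST, owned by USER (when run as root) with
# mode 0600. Fails, leaving DEST untouched, if an input is missing or the
# result does not contain both a certificate and a private-key PEM block.
deploy_cert() {
    local cert="$1" key="$2" dest="$3" user="$4" tmp
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    # Temp file in the destination directory so the final mv is atomic
    # (same filesystem); mktemp creates it 0600, chmod makes that explicit.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    if ! cat "$cert" "$key" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # chown needs root; as an unprivileged user the file simply stays ours.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# restart_mhttpd USER [TIMEOUT]
# Stops USER's mhttpd and waits up to TIMEOUT seconds for it to exit before
# starting a new one, so the new instance does not race the old one for the
# listening port. Falls back to SIGKILL if the old process ignores SIGTERM.
restart_mhttpd() {
    local user="$1" timeout="${2:-10}" waited=0
    pkill -u "$user" -x mhttpd
    while pgrep -u "$user" -x mhttpd >/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            pkill -KILL -u "$user" -x mhttpd
            sleep 1
            break
        fi
        sleep 1
        waited=$((waited + 1))
    done
    su -l "$user" -c 'mhttpd -D'
}

# make_sample_pair DIR
# Writes a constructed (not cryptographically valid) certificate and key
# file into DIR for an offline dry run of deploy_cert.
make_sample_pair() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedSampleCert' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEconstructedSampleKey' \
        '-----END PRIVATE KEY-----' > "$1/key.pem"
}

# Real use as the post-hook: run as root with the argument "run". Without it
# (or when not root) the script only defines the functions above.
if [ "${1:-}" = "run" ] && [ "$(id -u)" -eq 0 ]; then
    for u in bnmr bnqr; do
        # /root/CERTDIR is an assumed placeholder for the issuer's output directory.
        deploy_cert /root/CERTDIR/cert.pem /root/CERTDIR/key.pem \
            "/home/$u/online/ssl_cert.pem" "$u" && restart_mhttpd "$u"
    done
fi
```

Writing the temp file next to the destination matters: a rename within one filesystem is atomic, so mhttpd never sees a half-written ssl_cert.pem, and the 0600 mode is set before the file carries the key. The SIGKILL fallback in restart_mhttpd is a last resort; if it ever triggers, look at why mhttpd did not shut down on SIGTERM.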