Letsencrypt and Certbot

Certbot User Guide
https://eff-certbot.readthedocs.io/en/latest/using.html

Instructions to install Certbot and a DNS plugin:
https://certbot.eff.org/instructions?ws=nginx&os=snap&tab=wildcard

Request a certificate via Cloudflare plugin:

Remove the Snap Certbot (if it exists):

sudo snap remove certbot

Install Certbot via APT (Debian/Ubuntu package):

sudo apt update
sudo apt install certbot python3-certbot-dns-cloudflare

Request a certificate:

# certbot-dns-cloudflare plugin
# https://certbot-dns-cloudflare.readthedocs.io/en/stable/

sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 60 \
-d mycompliancetracker.com \
-d *.mycompliancetracker.com \
-d myctracker.com \
-d *.myctracker.com \
-d myctrackerpro.com \
-d *.myctrackerpro.com

cloudflare.ini content:

# cloudflare.ini
# Cloudflare API token used by Certbot
# Get it from https://dash.cloudflare.com/profile/api-tokens
# You have to create a new one - you cannot see the value of an existing one.
# The token needs Zone:DNS:Edit permission
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

Change the permissions of the file so only its owner can read it:

chmod 600 /root/.secrets/certbot/cloudflare.ini
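A pre-flight check to run before certbot, added here as an example (not from the page or from Certbot): it fails hard if the credentials file is readable by other users or does not actually carry the token, so a cron-driven renewal never runs with a leaked or missing token. It assumes GNU or BusyBox stat and the file layout shown above.

```shell
#!/bin/sh
# Added example (not from the page): verify the Certbot DNS credentials
# file before calling certbot. Certbot itself only warns when the file has
# unsafe permissions; this returns non-zero so the caller can stop.
# Assumes GNU/BusyBox stat (-c '%a' prints the octal permission bits).
check_credentials_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;      # owner-only read/write (or read-only) is acceptable
        *) echo "$f: mode $mode is too open, want 600" >&2; return 1 ;;
    esac
    # The plugin reads "dns_cloudflare_api_token = <value>"; take the last
    # assignment's first non-blank run and make sure it is not empty.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
    if [ -z "$token" ]; then
        echo "$f: dns_cloudflare_api_token is not set" >&2
        return 1
    fi
    return 0
}
```

Call it as `check_credentials_file /root/.secrets/certbot/cloudflare.ini && sudo certbot certonly ...` so the request is skipped when the check fails.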

Test automatic renewal

sudo certbot renew --dry-run

Delete a certificate

certbot delete --cert-name mycompliancetracker.com

# or to choose from a list:
certbot delete

Sync the certificates

ssh-keygen -t rsa -b 4096 -C "Let's Encrypt sync key" -f ~/.ssh/letsencrypt_sync_key

ssh-copy-id ubuntu@dev-server.mycompliancetracker.com

ssh-copy-id -f -i ~/.ssh/letsencrypt_sync_key.pub -o IdentityFile=~/.ssh/dev-server.mycompliancetracker.com ubuntu@dev-server.mycompliancetracker.com

ssh-copy-id -f -i ~/.ssh/letsencrypt_sync_key.pub angel@ionos-ubuntu-01.anichin.com

# Test logging in with the new key - works:
ssh -o 'IdentityFile=/root/.ssh/letsencrypt_sync_key' 'ubuntu@dev-server.mycompliancetracker.com'

ssh -o 'IdentityFile=/root/.ssh/letsencrypt_sync_key' 'angel@ionos-ubuntu-01.anichin.com'

ssh -o 'IdentityFile=/root/.ssh/letsencrypt_sync_key' 'root@ionos-ubuntu-01.anichin.com'

Transfer Certificates to Target Server

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/live/anichin.com && rsync" /etc/letsencrypt/live/anichin.com/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/live/anichin.com/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/archive/anichin.com && rsync" /etc/letsencrypt/archive/anichin.com/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/archive/anichin.com/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/renewal && rsync" /etc/letsencrypt/renewal/anichin.com.conf angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/renewal/


rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/live/pautalia.ca && rsync" /etc/letsencrypt/live/pautalia.ca/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/live/pautalia.ca/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/archive/pautalia.ca && rsync" /etc/letsencrypt/archive/pautalia.ca/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/archive/pautalia.ca/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/renewal && rsync" /etc/letsencrypt/renewal/pautalia.ca.conf angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/renewal/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/live/vickisplace.org && rsync" /etc/letsencrypt/live/vickisplace.org/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/live/vickisplace.org/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/archive/vickisplace.org && rsync" /etc/letsencrypt/archive/vickisplace.org/ angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/archive/vickisplace.org/

rsync -avz -e "ssh -i /root/.ssh/letsencrypt_sync_key" --rsync-path="mkdir -p /home/angel/letsencrypt/renewal && rsync" /etc/letsencrypt/renewal/vickisplace.org.conf angel@ionos-ubuntu-01.anichin.com:/home/angel/letsencrypt/renewal/

Option 1: Use sudo Without Password Prompt

On the target server, allow the sync user to reload nginx without a password (only that exact command):

sudo visudo
angel ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx

OpenSSH SSH-2 private key (old PEM format)

Taken from here: https://stackoverflow.com/questions/60884217/openssh-ssh-2-private-key-old-pem-format-on-azure-linux-vm

You’ve used ssh-keygen to create a private key file called id_rsa.ppk. However this is an OpenSSH-format private key and needs to be converted to Putty’s own format to use in Putty.

Your options are:

  1. Use this key with command-line SSH (it’s in the correct format). You can either
    1. specify the file on the command line e.g. ssh -i id_rsa.ppk azureuser@vm
    2. make a folder C:\Users\Aquib\.ssh and move it there as C:\Users\Aquib\.ssh\id_rsa (no extension): ssh will now load this file by default to use for all servers that you try to connect to
    3. if you don’t want to use this for all servers, or e.g. if you already have a default id_rsa that you use with git, you can set up a C:\Users\Aquib\.ssh\config file that tells SSH where to find the key and tell it which servers it should use it for.
  2. Convert this file into the right format to use with Putty:
    1. In Puttygen, in the ‘Conversions’ menu choose ‘Import’ and load id_rsa.ppk
    2. ‘Save private key’ to a different file
    3. Use this new file with Putty, either on the connection properties menu or run Pageant (the Putty key agent) and ‘Add key’ the new file. (You can e.g. create a shortcut to pageant in your Startup menu and give it the key file name as a commandline parameter so this is loaded automatically for you.)