Save script:

`vim /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh`

Make executable:

`chmod +x /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh`

Add the user:

`useradd -r -s /bin/bash -m certbot`

Configure SSH key auth:

```
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_certbot -N ""
ssh-copy-id -i /root/.ssh/id_ed25519_certbot certbot@tywaf12.firstderivatives.com
```

Create logdir:

```
mkdir -p /var/log/letsencrypt
touch /var/log/letsencrypt/sync.log
```

Put in place the sudo rules:

`vim /etc/sudoers.d/certbot`

```
# Allow certbot user to sync certificates and reload web server without password
certbot ALL=(ALL) NOPASSWD: /usr/bin/rsync
certbot ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx
```

Add ssh config for the Primary:

```
tee -a /root/.ssh/config << EOF
Host passive-certbot
    HostName tywaf12.firstderivatives.com
    User certbot
    IdentityFile /root/.ssh/id_ed25519_certbot
EOF
```
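The page saves `sync-to-passive.sh` but does not show its contents. The script below is an added example of what such a deploy hook can look like; it is not the page's own script. It assumes the `passive-certbot` ssh alias, the two sudo rules and the `/var/log/letsencrypt/sync.log` file set up above, that `/etc/letsencrypt/live` already exists on the passive host, and that certbot invokes it with `RENEWED_LINEAGE` set (which certbot does for deploy hooks). The helper names `lineage_ok`, `remote_dest_for` and `sync_lineage` are this example's own.

```shell
#!/bin/sh
# Added example deploy hook (not the page's script). Copies the renewed
# lineage to the passive host via rsync-over-ssh, then reloads nginx there.
set -eu

PASSIVE_HOST="passive-certbot"             # alias from /root/.ssh/config
LOG_FILE="/var/log/letsencrypt/sync.log"   # created by the "Create logdir" step
REMOTE_ROOT="/etc/letsencrypt"             # assumed layout on the passive host

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Sanity check on the path certbot hands us: it must be a lineage directory
# under /etc/letsencrypt/live that actually contains a cert and key, and must
# not climb out of that directory. Anything else is logged and skipped, so a
# stray invocation never pushes an unrelated directory to the passive host.
lineage_ok() {
    case "$1" in
        */../*|*/..) return 1 ;;
        /etc/letsencrypt/live/?*)
            [ -d "$1" ] && [ -f "$1/fullchain.pem" ] && [ -f "$1/privkey.pem" ] ;;
        *) return 1 ;;
    esac
}

# Destination on the passive host for a given lineage directory, e.g.
# /etc/letsencrypt/live/example.com -> passive-certbot:/etc/letsencrypt/live/example.com/
remote_dest_for() {
    printf '%s:%s/live/%s/' "$PASSIVE_HOST" "$REMOTE_ROOT" "$(basename "$1")"
}

sync_lineage() {
    lineage="$1"
    if ! lineage_ok "$lineage"; then
        log "refusing to sync unexpected lineage path: $lineage"
        return 1
    fi
    log "syncing $lineage to $PASSIVE_HOST"
    # -L copies the real files the live/ symlinks point at, so the passive
    # host needs no archive/ directory. --rsync-path runs the remote side
    # through the first sudo rule (/usr/bin/rsync) so it can write /etc/letsencrypt.
    rsync -aL --rsync-path="sudo rsync" "$lineage/" "$(remote_dest_for "$lineage")"
    # Matches the second sudo rule on the passive host.
    ssh "$PASSIVE_HOST" sudo /bin/systemctl reload nginx
    log "done: $lineage"
}

# Certbot exports RENEWED_LINEAGE (and RENEWED_DOMAINS) when it runs a deploy
# hook. Without it (run by hand, or sourced for testing) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_lineage "$RENEWED_LINEAGE"
fi
```

Two points worth knowing when operating this. The sudo rule `certbot ALL=(ALL) NOPASSWD: /usr/bin/rsync` lets the `certbot` account run rsync as root with any arguments, so on the passive host that account is effectively root; the private key lives only in `/root/.ssh` on the primary, and the matching `authorized_keys` entry on the passive host can be pinned to the primary with a `from=` restriction so the key is useless from anywhere else. Second, a renewal that passes the path check but fails mid-transfer leaves a line in `sync.log` before and after the rsync, so comparing the two timestamps is the quickest way to see whether the passive host actually received the new certificate.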