These values are set or updated once the whole configuration is done, by running the following command:
<code>sudo dpkg-reconfigure <pkg-name></code>
=== 2. Automating SSL and Wildcard Domain Setup in postinst ===
Here we break down, concern by concern, how to configure the <code>debian/postinst</code> file.
==== a. Creating the dns-auth.conf File ====
The <code>dns-auth.conf</code> file is generated from the <code>DNS_AUTHENTICATION</code> variable, which contains the details for Certbot's DNS challenge configuration. Add the following to the <code>debian/postinst</code> file to create it:
<pre lang="bash">
# DNS_AUTHENTICATION has the layout <scheme>://<key-name>:<algorithm>~<secret>@<dns-hostname>/<path>
dns_hostname_path="$(cut -d'@' -f2- <<<"$DNS_AUTHENTICATION")"   # <dns-hostname>/<path>
dns_schema_auth="$(cut -d'@' -f1 <<<"$DNS_AUTHENTICATION")"      # <scheme>://<key-name>:<algorithm>~<secret>
dns_hostname="$(cut -d'/' -f1 <<<"$dns_hostname_path")"
dns_auth="$(cut -d'/' -f3- <<<"$dns_schema_auth")"               # strip "<scheme>://"
dns_auth_keyname="$(cut -d':' -f1 <<<"$dns_auth")"
# Certbot expects the TSIG algorithm name in upper case (e.g. HMAC-SHA256)
dns_auth_algorithm="$(cut -d':' -f2- <<<"$dns_auth" | cut -d'~' -f1 | tr '[:lower:]' '[:upper:]')"
dns_auth_secret="$(cut -d':' -f2- <<<"$dns_auth" | cut -d'~' -f2-)"
# Resolve the DNS server once; dig is shipped by dnsutils / bind9-dnsutils, so declare that as a package dependency
dns_host_aaaa="$(dig +short AAAA "$dns_hostname" | head -n1)"
if [ -z "$dns_host_aaaa" ]; then
    echo "postinst: no AAAA record found for $dns_hostname, cannot write dns-auth.conf" >&2
    exit 1
fi
[ -d <path-to-dns-conf-file> ] || mkdir -p <path-to-dns-conf-file>
# The file holds the TSIG secret: create it owner-read-only (umask 266 gives mode 0400)
umask 266
cat > <path-to-dns-conf-file>/dns-auth.conf <<CONF
# Managed by apt, please use dpkg-reconfigure <pkg-name> to modify
dns_rfc2136_server = $dns_host_aaaa
dns_rfc2136_port = 53
dns_rfc2136_name = $dns_auth_keyname
dns_rfc2136_secret = $dns_auth_secret
dns_rfc2136_algorithm = $dns_auth_algorithm
CONF
umask 022
# umask only affects newly created files; on dpkg-reconfigure the file already exists, so enforce the mode explicitly
chmod 0400 <path-to-dns-conf-file>/dns-auth.conf
</pre>
This configuration file is used by Certbot to authenticate against the DNS server and prove domain ownership via DNS challenges.
In the case of our guide with the kaboom-api example, <code><path-to-dns-conf-file></code> is <code>/etc/kaboom</code>; it is up to you to choose the right naming for your case.
Once the script has been executed, the <code>dns-auth.conf</code> file should look something like this:
<pre lang="bash">
dns_rfc2136_server = 2a0c:8187::120
dns_rfc2136_port = 53
dns_rfc2136_name = staging-elearning_nl__certbot._keys.delftsolutions.signaldomain._internal.usersignal.nl.
dns_rfc2136_secret = <secret-key>
dns_rfc2136_algorithm = HMAC-SHA256
</pre>
Make sure that the proper letter case is observed, since a wrong case causes the script to fail with unclear error messages.
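The field splitting and file rendering that the postinst snippet performs, as an added example that is not part of the original guide or of the kaboom-api package: a POSIX-shell version of the same parsing that refuses a malformed <code>DNS_AUTHENTICATION</code> value instead of writing a broken file, with the <code>dig</code> lookup replaced by a server-address argument so it runs offline, and a writer that creates <code>dns-auth.conf</code> owner-read-only and replaces the old file atomically. The sample value, the host names under <code>example.invalid</code>, the server address and the secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the guide or the package it describes.
# Parses a DNS_AUTHENTICATION value of the layout the postinst expects:
#   <scheme>://<key-name>:<algorithm>~<secret>@<dns-hostname>/<path>
# and renders the Certbot dns-rfc2136 credentials file. The resolved server
# address is passed in (the guide uses `dig +short AAAA`) so this runs offline.

# Constructed sample value: names, address and secret are placeholders.
SAMPLE_DNS_AUTHENTICATION='tsig://certbot-key.example.invalid.:hmac-sha256~c2VjcmV0LWJ5dGVz@ns1.example.invalid/zone'
SAMPLE_SERVER='2001:db8::53'   # stands in for the dig result

# parse_dns_auth VALUE
# Prints "key-name algorithm secret hostname" on one line, with the algorithm
# upper-cased exactly as the postinst does with tr. Returns 1 when a delimiter
# or a field is missing, so a reconfigure with a bad value stops early.
parse_dns_auth() {
    local value schema_auth hostname_path hostname auth keyname alg_secret algorithm secret part
    value="$1"
    case "$value" in
        *://*:*'~'*@*) ;;   # every delimiter present
        *) echo "parse_dns_auth: malformed value (expected scheme://name:alg~secret@host/path)" >&2; return 1 ;;
    esac
    schema_auth="${value%%@*}"          # before the first '@'   (cut -d'@' -f1)
    hostname_path="${value#*@}"         # after the first '@'    (cut -d'@' -f2-)
    hostname="${hostname_path%%/*}"     # host before the first '/'
    auth="${schema_auth#*://}"          # drop "<scheme>://"      (cut -d'/' -f3-)
    keyname="${auth%%:*}"               # before the first ':'
    alg_secret="${auth#*:}"             # after the first ':'
    algorithm="$(printf '%s' "$alg_secret" | cut -d'~' -f1 | tr '[:lower:]' '[:upper:]')"
    secret="$(printf '%s' "$alg_secret" | cut -d'~' -f2-)"   # a base64 secret may contain '/'
    for part in "$keyname" "$algorithm" "$secret" "$hostname"; do
        [ -n "$part" ] || { echo "parse_dns_auth: empty field in value" >&2; return 1; }
    done
    printf '%s %s %s %s\n' "$keyname" "$algorithm" "$secret" "$hostname"
}

# render_dns_auth_conf VALUE SERVER
# Prints the content the postinst writes with its heredoc; fails when the
# server address is empty, which is what an unanswered AAAA lookup produces.
render_dns_auth_conf() {
    local server fields
    server="$2"
    fields="$(parse_dns_auth "$1")" || return 1
    [ -n "$server" ] || { echo "render_dns_auth_conf: empty server address" >&2; return 1; }
    set -- $fields                      # $1 key-name, $2 algorithm, $3 secret, $4 hostname
    printf '# Managed by apt, please use dpkg-reconfigure <pkg-name> to modify\n'
    printf 'dns_rfc2136_server = %s\n' "$server"
    printf 'dns_rfc2136_port = 53\n'
    printf 'dns_rfc2136_name = %s\n' "$1"
    printf 'dns_rfc2136_secret = %s\n' "$3"
    printf 'dns_rfc2136_algorithm = %s\n' "$2"
}

# write_dns_auth_conf VALUE SERVER DIR
# Writes DIR/dns-auth.conf owner-read-only. The file is rendered into a
# temporary name first, so a failed render leaves the previous file in place.
write_dns_auth_conf() {
    local dir tmp old_umask
    dir="$3"
    [ -d "$dir" ] || mkdir -p "$dir"
    tmp="$dir/dns-auth.conf.tmp.$$"
    old_umask="$(umask)"
    umask 077                           # the new file starts out owner-only
    if render_dns_auth_conf "$1" "$2" > "$tmp"; then
        umask "$old_umask"
        chmod 0400 "$tmp"               # umask never changes an existing file; chmod does
        mv -f "$tmp" "$dir/dns-auth.conf"
    else
        umask "$old_umask"
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone run: show the rendered file for the constructed sample.
render_dns_auth_conf "$SAMPLE_DNS_AUTHENTICATION" "$SAMPLE_SERVER"
```

Running the script prints the rendered file for the sample value; to exercise the writer, call <code>write_dns_auth_conf "$SAMPLE_DNS_AUTHENTICATION" "$SAMPLE_SERVER" /tmp/kaboom-test</code> and inspect the resulting mode with <code>ls -l</code>.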