====== Let's Encrypt ======

A service that issues free SSL certificates and renews them automatically. There is no standard procedure for Windows yet, but there are [[https://community.letsencrypt.org/t/list-of-client-implementations/2103|third-party implementations]].

===== Installation =====

[[https://certbot.eff.org/#ubuntuxenial-apache|Instructions for Apache on Ubuntu 16.04 (xenial)]]

To obtain a certificate for a domain that differs from the server's hostname, run certbot with the ''--domain'' parameter, for example:

<code bash>
certbot --apache --domain test.example.org
</code>

===== Configuring automatic renewal =====

Check whether the certificate is still current, and renew it if necessary, every day at 8:00 and 20:00.

<code bash>
nano /etc/crontab
</code>

Add the following line:

<code>
0 8,20 * * * root letsencrypt renew
</code>

===== For HAProxy =====

The catch is that ports 80 and 443 are already taken, so certbot has to listen on a different port (here: 54321). In addition, HAProxy must be configured to forward the ACME challenge URL to localhost on the HAProxy server itself. After that, the certificate and the key have to be concatenated into a single .pem file and placed in the directory HAProxy reads its certificates from.

<code>
# On the :80 frontend
# Let's Encrypt URL
acl letsencrypt_url path_beg /.well-known/acme-challenge/
# Do not redirect the challenge URL to HTTPS
# (no-https-domains is an ACL defined elsewhere in the config, not shown here)
http-request redirect scheme https if !{ ssl_fc } !no-https-domains !letsencrypt_url
# Let's Encrypt backend
use_backend be_letsencrypt if letsencrypt_url

# Backend
backend be_letsencrypt
    server letsencrypt 127.0.0.1:54321
</code>

<code bash>
# Obtain a certificate for example.com and www.example.com
certbot certonly --standalone --preferred-challenges http-01 --http-01-port 54321 --keep --agree-tos --expand -m ssl@example.com -d example.com -d www.example.com
</code>

Output:

<code>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and www.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2022-08-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let`s Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

"Certbot has set up a scheduled task to automatically renew this certificate in the background."\\
If Certbot was installed via snap, it registers the renewal task as a systemd timer instead of a cron job. To list the timers:

<code bash>
systemctl list-timers
</code>

https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals\\
[[https://habr.com/ru/company/ruvds/blog/512868/|Using systemd timers instead of cron jobs]]

Concatenating every lineage's certificate chain and private key into one .pem per domain for HAProxy:

<code bash>
#!/bin/bash
LE_CERT_DIR=/etc/letsencrypt/live
HAPROXY_CERT_DIR=/etc/ssl/certs/haproxy

# Cat the certificate chain and the private key together for haproxy
# (one <domain>.pem per lineage directory under /etc/letsencrypt/live)
for path in $(find "$LE_CERT_DIR"/* -type d -exec basename {} \;); do
    cat "$LE_CERT_DIR/$path"/{fullchain.pem,privkey.pem} > "$HAPROXY_CERT_DIR/${path}.pem"
done
</code>

https://certbot.eff.org/instructions?ws=haproxy&os=ubuntufocal\\
https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options\\
https://gist.github.com/lmmendes/7fad9a2c8f389b39b6661d0945b72cb7\\
https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04\\
https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-ubuntu-20-04

==== Issuing a certificate for HAProxy ====

<code bash>
#!/bin/bash
# Every argument becomes a -d <domain> option; the bundle is named after the first one
for d in "$@"; do
    domains+="-d $d "
done

certbot certonly --standalone --preferred-challenges http-01 --http-01-port 54321 --keep --agree-tos --expand -m ssl@example.com $domains && \
cat "/etc/letsencrypt/live/$1"/{fullchain.pem,privkey.pem} > "/etc/ssl/certs/haproxy/$1.pem" && \
systemctl reload haproxy
</code>
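An added example, not part of this page: a hardened version of the concatenation step, written as a certbot deploy hook. It assembles the bundle in a 0600 temporary file and renames it into place, so HAProxy never reads a half-written file or a world-readable private key; it checks that the private key actually matches the certificate before publishing; and it reloads HAProxy only after ''haproxy -c'' accepts the configuration, which makes a separate nightly reload job unnecessary. The certificate directory, the config path and the hook's placement under certbot's ''--deploy-hook'' are assumptions.

```shell
#!/bin/bash
# Added example (not from the wiki page): certbot deploy hook for HAProxy.
# Builds <lineage>.pem atomically with 0600 permissions and reloads HAProxy
# only after its configuration validates. Paths below are assumptions.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/ssl/certs/haproxy}"   # assumed, same as on the page
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"            # assumed default config path

# bundle_lineage LINEAGE_DIR OUT_DIR
# Writes OUT_DIR/<lineage name>.pem = fullchain.pem + privkey.pem and prints its path.
bundle_lineage() {
    local lineage="$1" out_dir="$2"
    local name target tmp
    name="$(basename "$lineage")"
    target="$out_dir/$name.pem"

    # Refuse to publish an incomplete lineage (e.g. a failed or partial renewal).
    [ -s "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage" >&2; return 1; }
    [ -s "$lineage/privkey.pem" ]   || { echo "missing privkey.pem in $lineage" >&2; return 1; }

    mkdir -p "$out_dir"
    # mktemp creates the file with mode 0600, so the private key is never
    # readable by other users, not even for an instant.
    tmp="$(mktemp "$out_dir/.$name.XXXXXX")"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    # rename() is atomic: HAProxy sees either the old bundle or the complete new one.
    mv -f "$tmp" "$target"
    printf '%s\n' "$target"
}

# key_matches_cert FULLCHAIN PRIVKEY
# Succeeds when the leaf certificate's public key equals the private key's public key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# Reload only if the configuration (including the new bundle) passes validation.
reload_haproxy_if_valid() {
    haproxy -c -q -f "$HAPROXY_CFG" && systemctl reload haproxy.service
}

# Certbot exports RENEWED_LINEAGE when running a --deploy-hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key_matches_cert "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        || { echo "private key does not match certificate in $RENEWED_LINEAGE" >&2; exit 1; }
    bundle_lineage "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR"
    reload_haproxy_if_valid
fi
```

Because the hook is executed once per renewed lineage with ''RENEWED_LINEAGE'' set, the loop over ''/etc/letsencrypt/live'' is not needed here; the functions can still be sourced and called by hand for a one-off import.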
Usage:

<code bash>
chmod u+x /scripts/haproxy-cert-issue.sh
# The certificate file is named after the first argument (/etc/ssl/certs/haproxy/example.com.pem)
# All arguments are added to the command as domains (-d example.com -d www.example.com and so on)
/scripts/haproxy-cert-issue.sh example.com www.example.com example2.com www.example2.com
</code>

==== Re-issuing a certificate for HAProxy (automatic) ====

Run as a certbot ''--deploy-hook'': certbot sets ''$RENEWED_LINEAGE'' to the live directory of the lineage it has just renewed.

<code bash>
#!/bin/bash
cat "$RENEWED_LINEAGE"/{fullchain.pem,privkey.pem} > "/etc/ssl/certs/haproxy/$(basename "$RENEWED_LINEAGE").pem"
</code>

From the certbot help:

<code>
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com") (default: None)
</code>

Reloading HAProxy

<code bash>
### /scripts/haproxy-reload-if-new-certs.sh
#!/bin/bash
# Reload HAProxy if any bundle was modified within the last day
if [[ $(find /etc/ssl/certs/haproxy/* -mtime -1) ]]
then
    systemctl reload haproxy.service
fi
</code>

<code bash>
# to cron
echo -e "\n# Reload HAProxy if there are new certs\n0 3\t* * *\troot\t/scripts/haproxy-reload-if-new-certs.sh" >> /etc/crontab
</code>

===== For Cisco ASA =====

The ASA itself cannot do it (asa5545X). The network team has to forward port 80 on the ASA to an internal/DMZ server, create a separate account, and allow that account a limited set of commands plus SSH login to the ASA. Everything else is done on the server.

<code bash>
# certbot and expect are required; expect automates the SSH session with the Cisco.
sudo snap install --classic certbot
sudo apt install expect -y

# Issue the certificate
certbot certonly --standalone --preferred-challenges http-01 --keep --agree-tos --expand -m ssl@example.com -d vpn.example.com
</code>

The configuration consists of 3 files.
<code bash>
# script executed when the certificate is renewed
touch /etc/letsencrypt/renewal-hooks/deploy/vpncert-asa.sh
chmod 700 /etc/letsencrypt/renewal-hooks/deploy/vpncert-asa.sh

# expect script
touch /scripts/vpncert-install.exp
chmod 700 /scripts/vpncert-install.exp

# certificate export password for openssl
touch /scripts/vpncert-asa.txt
chmod 600 /scripts/vpncert-asa.txt

# Write the password into the password file
nano /scripts/vpncert-asa.txt
</code>

/etc/letsencrypt/renewal-hooks/deploy/vpncert-asa.sh:

<code bash>
#!/bin/bash
# Pack the renewed chain and key into a PKCS#12, base64-encode it and push it to the ASA
openssl pkcs12 -export \
    -password file:/scripts/vpncert-asa.txt \
    -in "$RENEWED_LINEAGE/fullchain.pem" \
    -inkey "$RENEWED_LINEAGE/privkey.pem" \
    -out /root/gate.pfx && \
openssl base64 -in /root/gate.pfx -out /root/gate.base64 && \
/scripts/vpncert-install.exp
</code>

/scripts/vpncert-install.exp:

<code tcl>
#!/usr/bin/expect -f
set timeout 5
set send_slow {10 .001}
set sshUser "sshuser"
set sshIP "192.168.1.254"
set sshPass "sshPass12345"
set exportPass [exec cat /scripts/vpncert-asa.txt]
#set log "/root/vpncert.log"
#log_file -noappend $log
#log_user 0

# Legacy KEX and host-key algorithms are enabled for the old ASA;
# StrictHostKeyChecking=no skips host-key verification of the ASA.
spawn ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o StrictHostKeyChecking=no $sshUser@$sshIP
expect "password:"
send -- "$sshPass\r"
expect ">"
send -- "enable\r"
expect "Password:"
send -- "$sshPass\r"
expect "#"
#log_user 1
send -- "configure terminal\r"
expect "(config)#"
# Drop the old trustpoint; the ASA asks for confirmation
send -- "no crypto ca trustpoint ca_le\r"
expect {
    "]:" {send -- "yes\r"; exp_continue}
    "(config)#"
}
send -- "crypto ca trustpoint ca_le\r"
expect "trustpoint)#"
send -- "enrollment terminal\r"
expect "#"
send -- "exit\r"
expect "(config)#"
#log_user 0
# Paste the base64 PKCS#12, terminated by "quit" on a line of its own
send -- "crypto ca import ca_le pkcs12 $exportPass\r"
expect "itself:"
send -- [exec cat /root/gate.base64]\n
send -s "quit\r"
# % The CA cert is not self-signed.
# % Do you also want to create trustpoints for CAs higher in the hierarchy? [yes/no]:
# OR
# % You already have RSA or ECDSA keys named ca_le.
# % If you replace them, all device certs issued using these keys
# % will be removed.
# % Do you really want to replace them? [yes/no]:
expect {
    "]:" {send -- "yes\r"; exp_continue}
    "(config)#"
}
#log_user 1
send -- "ssl trust-point ca_le outside\r"
expect "(config)#"
send -- "exit\r"
expect "#"
send -- "exit\r"
expect eof
</code>

++++ Example script run |
<code>
spawn ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o StrictHostKeyChecking=no sshuser@192.168.1.254
sshuser@192.168.1.254's password:
User sshuser logged in to gate
Logins over the last 91 days: 54.  Last login: 11:39:24 MSK Jan 9 2023 from 192.168.1.100
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
gate> enable
Password: **********
gate# configure terminal
gate(config)# no crypto ca trustpoint ca_le

WARNING: Removing an enrolled trustpoint will destroy all certificates
 received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes

INFO: Be sure to ask the CA administrator to revoke your certificates.

gate(config)# crypto ca trustpoint ca_le
gate(config-ca-trustpoint)# enrollment terminal
gate(config-ca-trustpoint)# exit
gate(config)# crypto ca import ca_le pkcs12 verySecretPassword12345

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
MIIWzwIBAzCCFoUGCSqGSIb3DQEHAaCCFnYEghZyMIIWbjCCEOIGCSqGSIb3DQEH
BqCCENMwghDPAgEAMIIQyAYJKoZIhvcNAQcBMFcGCSqGSIb3DQEFDTBKMCkGCSqG
...
dt/zTsIeIqQq05PLFpOTIzBBMDEwDQYJYIZIAWUDBAIBBQAEIMyVqqTQhaaqlHOH
D3XnctPJR1TYytiVRCaVWuZHz+G0BAiEKmqw9Y6C4AICCAA=
quit
% You already have RSA or ECDSA keys named ca_le.
% If you replace them, all device certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
Trustpoint 'ca_le' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
INFO: Import PKCS12 operation completed successfully.
gate(config)# ssl trust-point ca_le outside
gate(config)# exit
gate# exit

Logoff

Connection to 192.168.1.254 closed by remote host.
Connection to 192.168.1.254 closed.
</code>
++++

[[https://linux.die.net/man/1/expect|expect(1)]]\\
[[https://likegeeks.com/expect-command/|Expect command and how to automate shell scripts like magic]]\\
[[https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc15|SSL Certificate Installation on the ASA: Installation of a PEM Certificate with the CLI]]\\