Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL migration tool #10

Open
retlehs opened this issue Jan 17, 2019 · 8 comments
Open

SSL migration tool #10

retlehs opened this issue Jan 17, 2019 · 8 comments
Labels
enhancement New feature or request low priority Low priority

Comments

@retlehs
Copy link
Member

retlehs commented Jan 17, 2019

scenario: you have a trellis site with let's encrypt that's already live and you need to provision a new server

problem: let's encrypt cert issuing will fail since DNS isn't yet pointed to the new server

solution: temporarily copy the let's encrypt certs from the live site and use them on the new server until DNS is updated
@retlehs retlehs added enhancement New feature or request low priority Low priority labels Jan 17, 2019
@retlehs
Copy link
Member Author

retlehs commented Jan 19, 2019

the manual way:

scp [email protected]:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp [email protected]:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: /local/path/example.com-bundled.cert
  key: /local/path/example.com.key

@tangrufus tangrufus mentioned this issue Feb 16, 2020
Closed
@strarsis
Copy link

strarsis commented Jul 25, 2021
edited
Loading

@retlehs: Thanks for this guide! Though using the commands above to download the existing certs doesn't work straightforward as I get a permission denied error (root user needed), and scp doesn't support sudo.

@retlehs
Copy link
Member Author

retlehs commented Jul 25, 2021

@strarsis you're welcome, sorry it's just some rough notes haha!

did you get the permission error when using the admin user?

@strarsis
Copy link

strarsis commented Jul 25, 2021
edited
Loading

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

@Twansparant
Copy link

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

Did you find a workaround for this? Switching to root user might fix it, but then you need enter the root's password?

@strarsis
Copy link

strarsis commented Nov 14, 2022
edited
Loading

@Twansparant: For root permissions, one logs in as the admin user via SSH and use sudo (for specific commands) (or sudo su for permanent root permissions) and, if asked, enter the admin password (this typical good practice setup, with no root SSH login, and sudoer admin user is what Trellis uses).
With these root permissions one can then list and modify the /etc/nginx/ssl directory and its contents.
You may also want to ensure that the ownership and permissions are the same after you are done:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key

@Twansparant
Copy link

Thanks @strarsis, I figured it out myself already but switching to root user prompted me for the root password so I had to reset that in DO. All good now, thanks for the help!

@retlehs
Copy link
Member Author

retlehs commented May 1, 2024

Ref https://discourse.roots.io/t/deploying-a-trellis-site-with-ssl-certificates-prior-to-dns-records-being-in-place/24201/9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request low priority Low priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@retlehs @Twansparant @strarsis