Config: Key certificates - HolgerHees/smartserver GitHub Wiki

Keys and certificates

Enable letsencrypt

During the initial deployment, self-signed certificates are generated. This also happens if letsencrypt is enabled, because the letsencrypt setup needs a running apache, and apache needs certificates to start.

If letsencrypt is enabled, the self-signed certificates are overwritten at the end of the deployment. For the initial deployment, the recommendation is to keep letsencrypt disabled.

To enable letsencrypt, follow these steps.

  1. The main domain and all subdomains must be reachable from outside. The simplest way is to configure a wildcard DNS record for your domain.

  2. Configure port forwarding for port 80. On port 80 only the path /.well-known/ is served; everything else is redirected to https.

  3. Change the variable vault_ssl_certificate in the file vault.yml from selfsigned to letsencrypt.

  4. Run ansible-playbook -i config/myserver/server.ini --tags "apache,apache_letsencrypt" server.yml

The role creates a valid certificate for your domain and all used subdomains. Additionally it creates a cron job that renews this certificate automatically shortly before it expires. For the renewal to keep working, port 80 must remain open.
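A pre-flight check for steps 1 and 2 and for the renewal requirement, added here as an example and not part of the smartserver wiki or its playbooks. It uses only the Python standard library; the probe path under /.well-known/acme-challenge/ and the host names passed on the command line are assumptions. A 404 on port 80 is fine (apache answers the path itself); a redirect to https:// means the /.well-known/ exception is missing and the HTTP-01 challenge would be bounced to TLS.

```python
# Added example (not part of the smartserver wiki or playbooks): stdlib-only
# pre-flight check for the letsencrypt steps above. Probe path is constructed.
import http.client
import socket
import ssl
import time

ACME_PROBE = "/.well-known/acme-challenge/preflight-probe"  # constructed path


def classify_acme_response(status, location):
    """Decide whether port 80 serves /.well-known/ directly instead of
    redirecting it to https. Any non-redirect answer below 500 (404 included)
    means apache handled the path itself."""
    if status in (301, 302, 307, 308) and (location or "").startswith("https://"):
        return "redirected-to-https"
    if 200 <= status < 500:
        return "served"
    return "error"


def days_left(not_after, now_ts=None):
    """Whole days until a certificate's notAfter (OpenSSL text form) expires."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires_ts - now_ts) // 86400)


def probe_host(host, timeout=5):
    """Network checks for one name: DNS, ACME path on :80, cert expiry on :443."""
    result = {"host": host}
    try:
        result["ip"] = socket.gethostbyname(host)
    except socket.gaierror:
        result["ip"] = None  # step 1 not met: name does not resolve
        return result
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PROBE)
        resp = conn.getresponse()
        result["acme"] = classify_acme_response(resp.status, resp.getheader("Location"))
    except OSError:
        result["acme"] = "unreachable"  # step 2 not met: port 80 not forwarded
    finally:
        conn.close()
    try:
        ctx = ssl.create_default_context()  # verifies the chain like a browser
        with socket.create_connection((host, 443), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["days_left"] = days_left(tls.getpeercert()["notAfter"])
    except (OSError, ssl.SSLError):
        result["days_left"] = None  # still self-signed or chain not trusted
    return result


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(probe_host(name))
```

Run it with the main domain and each subdomain as arguments before step 3, and again after the playbook: days_left should then be a number (about 90 for a fresh Let's Encrypt certificate) and acme should report served.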

Backup created keys

After the first deployment, initial openvpn and wireguard keys are created.

To make them part of your deployment config, copy all files to your 'vault' folder by running the following commands on your deployed server.

# copies all certificate files to
# - 'config/myserver/vault_backup/easy-rsa/'
# - 'config/myserver/vault_backup/openvpn/'
# - 'config/myserver/vault_backup/wireguard_mobile/'
# - 'config/myserver/vault_backup/wireguard_cloud/'
ansible-playbook -i config/myserver/server.ini utils/backup_keys.yml

# move all files to your vault folder
mv config/myserver/vault_backup/* config/myserver/vault/
rmdir config/myserver/vault_backup/

# encrypt all new vault files
./vault.sh encrypt