Generating certificates for use in pound

Hi! I was using certbot and successfully generating certificates for use in apache (in my server apache managed https).

Trying to manage https with pound instead, I put in pound config file the certificates files I had in apache virtual host config, but I had to realize they aren’t usable with pound as they are.

My question is: is there a way to automatically generate the certificate files that pound needs, as they are generated for apache?

Second question: how would I renew those certificates?

Any help is appreciated!

I’m not familiar with Pound, or what format it needs certificates in. If it’s as simple as converting them to a pkcs7 or der-encoded certificate (or something along those lines) you could add a --post-hook or --renew-hook flag to execute the relevant openssl commands to perform that conversion. You would also likely need to add commands to reload the Pound server’s configuration so that it uses the new certificate, so writing a script would probably be best.

If you know the format Pound expects these in, I can give you an openssl command that would do the conversion.

At this point, renewal is just as normal, because the hooks will automatically perform the conversion and installation each time.

https://knowledge.symantec.com/kb/index?page=content&id=SO8180&actp=search&viewlocale=en_US&searchid=1264523460902

If that document from another CA is still correct, it needs to “cat privkey.pem fullchain.pem >/somewhere/pound-cert.pem”.

OK, that's correct, it works! Thank you!

What about making certbot generate that concatenation directly?

Hi @paolobenve,

As @jared.m said, you can use a --renew-hook or --post-hook to perform these actions using your own script once your cert is renewed.

Note: Since certbot version 0.17.0, --renew-hook is named --deploy-hook. You can still use --renew-hook and it will work, but if you are using this or a newer version it is better to use --deploy-hook instead.

Note 2: If you are using certbot 0.19.0, instead of using --deploy-hook you can put your script in the directory /etc/letsencrypt/renewal-hooks/deploy/

So, you need a script that concatenates privkey.pem and fullchain.pem into another file; let's call it combined-for-pound.pem

Create script combine-certs-for-pound.sh (variable $RENEWED_LINEAGE is passed by certbot to the script):

#!/bin/sh

# $RENEWED_LINEAGE is the live directory of the cert that was just renewed,
# e.g. /etc/letsencrypt/live/domain.tld
privkey="$RENEWED_LINEAGE/privkey.pem"
fullchain="$RENEWED_LINEAGE/fullchain.pem"
combined="$RENEWED_LINEAGE/combined-for-pound.pem"

# Pound wants the private key first, followed by the full chain
cat "$privkey" "$fullchain" > "$combined"
# The combined file contains the private key, so make it owner-read-only
chmod 400 "$combined"

Note 3: Remember to give executable permissions to this script.

So, if you run certbot renew --renew-hook /path/to/combine-certs-for-pound.sh, every time it renews your certs it will concatenate the files. For example, if your cert name is domain.tld, you will have the combined cert here: /etc/letsencrypt/live/domain.tld/combined-for-pound.pem

Note 4: Keep in mind that this script will run on every renewal of each of your certs, so it will concatenate the files for all your certs (each one in its own dir, of course). Also, you could add a command to restart/reload your pound service so it loads the renewed cert (you can also use --post-hook to accomplish this task), or you can copy the combined cert to another location, etc. Take it as an example; you should review and modify it to accommodate the script to your goals and conf.

Note 5: No more notes :stuck_out_tongue:

For more info about renewal and hooks, take a look at the certbot docs.

Cheers,
sahsanu
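A fuller version of the deploy hook described in the post above, as an added example that is not from the thread or from certbot: it checks that both inputs exist, creates the key+chain file owner-only from the start (so the private key is never briefly world-readable under the default umask), swaps it into place atomically, and only reloads Pound when certbot actually invoked it. RENEWED_LINEAGE is the variable certbot exports to deploy hooks; the service name "pound" and the use of systemctl are assumptions.

```shell
#!/bin/sh
# Added example deploy hook for Pound; not code from the thread or from certbot.
# Assumes certbot exports RENEWED_LINEAGE and that Pound runs as a systemd unit
# named "pound".
set -eu

# combine_for_pound LINEAGE_DIR
# Writes LINEAGE_DIR/combined-for-pound.pem (private key first, then the full
# chain) and prints the resulting path. Fails if either input is missing/empty.
combine_for_pound() {
    lineage=$1
    privkey="$lineage/privkey.pem"
    fullchain="$lineage/fullchain.pem"
    combined="$lineage/combined-for-pound.pem"

    for f in "$privkey" "$fullchain"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The combined file carries the private key: create it owner-only from the
    # start rather than writing it with the default umask and tightening later.
    old_umask=$(umask)
    umask 077
    tmp="$combined.tmp.$$"
    cat "$privkey" "$fullchain" > "$tmp"
    chmod 400 "$tmp"
    # Rename into place so Pound never reads a half-written file.
    mv -f "$tmp" "$combined"
    umask "$old_umask"

    echo "$combined"
}

# Only when run by certbot (RENEWED_LINEAGE set): combine, then reload Pound.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combine_for_pound "$RENEWED_LINEAGE"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload pound || systemctl restart pound
    fi
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/combine-certs-for-pound.sh (executable), or pass it with --deploy-hook, and point Pound's Cert directive at the combined-for-pound.pem in the lineage directory.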
