- A domain name
- A DNS provider that works with Certbot. I'm using Cloudflare.
- An API token for the DNS provider that is scoped to allow TXT record creation.
- SecurityOnion 2.4 with
sudoprivileges and SSH access.
Administration->ConfigurationOptions->Show all configurable settings, including advanced settings- Filter
"cert" nginx->ssl->Replace Default Cert(ssl/tlsin SO <= 2.4.80)Replace deafult cert: set toTrue- Don't replace the key files yet - we're going to automate this!
Note: some of these commands may seem unnecessary, e.g. the symlinks. Don't skip them. SecurityOnion 2.4 is based on Oracle Linux, which has some quirks.
-
Log in as your admin user and su to root.
sudo su
-
Install
snapd.yum install epel-release yum install -y snapd ln -s /var/lib/snapd/snap /snap
Check to ensure that the snapd service is running.
sudo systemctl status snapd
If it is not running, start the service.
sudo systemctl start snapd
-
Install
certbot.snap install --classic certbot ln -s /snap/bin/certbot /usr/bin/certbot
-
Install certbot Cloudflare DNS plugin.
snap set certbot trust-plugin-with-root=ok snap install certbot-dns-cloudflare -
Initialize the
/etc/letsencryptdirectory by runningcertbotwithout any arguments. Ignore the errors.certbot
-
Add Cloudflare DNS API token.
TOKEN={enter your Cloudflare API token here} echo dns_cloudflare_api_token=$TOKEN > /etc/letsencrypt/cloudflare.ini chmod 400 /etc/letsencrypt/cloudflare.ini -
Request the certificate. Replace
your.fqdn.xyzwith the FQDN of your SecurityOnion server.FQDN=your.fqdn.xyz certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d $FQDN -
Copy the cert and key to SecurityOnion's nginx salt config.
cp -f /etc/letsencrypt/live/$FQDN/privkey.pem /opt/so/saltstack/local/salt/nginx/ssl/ssl.key chmod 644 /opt/so/saltstack/local/salt/nginx/ssl/ssl.key cp -f /etc/letsencrypt/live/$FQDN/fullchain.pem /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt chmod 640 /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt
-
Restart nginx.
so-nginx-restart
Clear your browser cache (or use an incognito window) and visit your SO admin page to ensure that the new certificate is presented.
-
Create a post-hook to perform this each time certs are renewed.
cat <<EOF > /etc/letsencrypt/copy_to_nginx.sh cp -f /etc/letsencrypt/live/$FQDN/privkey.pem /opt/so/saltstack/local/salt/nginx/ssl/ssl.key chmod 644 /opt/so/saltstack/local/salt/nginx/ssl/ssl.key cp -f /etc/letsencrypt/live/$FQDN/fullchain.pem /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt chmod 640 /opt/so/saltstack/local/salt/nginx/ssl/ssl.crt so-nginx-restart EOF chmod +x /etc/letsencrypt/copy_to_nginx.sh
-
Test
certbot renew, and create a cron job for it.certbot renew --dry-run --post-hook /etc/letsencrypt/copy_to_nginx.sh crontab -e
-
Place the following at the TOP of the file and save:
# check certs once a week 10 4 * * 0 certbot renew --post-hook /etc/letsencrypt/copy_to_nginx.sh
If the steps above succeeded, there is no special maintenance required. The cron job will renew the certs automatically before they expire.
Use SecurityOnion's built-in soup utility to maintain your SecurityOnion stack.
Follow up on this- I noticed that my cert had expired and found the cause is that the Cloudflare plugin needs to be updated. Here is the error-
Removing and re installing the Certbot snap doesn't work because that doesn't delete the old plugin.
After a bunch of trial and error I found this could be done with
Once you've removed the old Cloudflare plugin, you can install a new one with
# snap install certbot-dns-cloudflareThere might be easier ways to simply update it, but this cost me a lot of time so worth documenting...