# Creating an SSL certificate for a domain name

# I- Installations

Install certbot on the server

apt install certbot

# II- Normal domains

certbot certonly --force-renewal --non-interactive --agree-tos -m khacloud.saas@gmail.com --webroot -w /var/khacloud/ssl/public/ -d "domain.com" -d "www.domain.com" -d "admin.domain.com"

# III- Wildcard domains

Install DigitalOcean plugin (certbot-dns-digitalocean) or a Manual plugin (certbot-dns-manual) for manual DNS verification on the server

# DigitalOcean plugin :

apt install python3-certbot-dns-digitalocean

Create folder and edit the digitalocean.ini file with the text bellow

mkdir ~/.secrets/
mkdir ~/.secrets/certbot/
nano ~/.secrets/certbot/digitalocean.ini
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = <TOKEN_HERE>

# Manual plugin :

pip install certbot-dns-manual

# Certs (SSL) creation

For cert creation you can run this command

certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 140 -d "*.domain.com" -d "domain.com"

IMPORTANT You have to manually create all.pem and sync cert to all loadbalancers (Task: 'ssl-sync-all')

# III- Coding Server Domain

Stop code-server

sudo systemctl stop code-server@root.service

(If certbot_venv environment not installed) follow these instructions to install it and initiate it

python3 -m venv certbot_venv
source certbot_venv/bin/activate
pip install certbot
pip install certbot-nginx

(If certbot_venv environment is installed) Then activate it

source certbot_venv/bin/activate

Renew the SSL cert

certbot --non-interactive --redirect --agree-tos --nginx -d coding.cyberocean.tn -m khacloud.saas@gmail.com

Start code-server

sudo systemctl start code-server@root.service

# III- KhaCloud Server

Certficate Generation

certbot certonly --force-renewal --non-interactive --agree-tos -m khacloud.saas@gmail.com --webroot -w /var/khacloud/ssl/public/ -d "khacloud.xyz" -d "www.khacloud.xyz" -d "ww3.khacloud.xyz" -d "admin.khacloud.xyz" -d "api.khacloud.xyz" -d "console.khacloud.xyz" -d "dashboard.khacloud.xyz" -d "cloud.khacloud.xyz" -d "mail.khacloud.xyz" -d "ns.khacloud.xyz" -d "blog.khacloud.xyz" -d "crm.khacloud.xyz" -d "cpanel.khacloud.xyz" -d "board.khacloud.xyz" -d "chat.khacloud.xyz" -d "support.khacloud.xyz" -d "company.khacloud.xyz" -d "learn.khacloud.xyz" -d "wiki.khacloud.xyz" -d "doc.khacloud.xyz" -d "docs.khacloud.xyz" -d "help.khacloud.xyz" -d "devops.khacloud.xyz" -d "developers.khacloud.xyz" -d "groups.khacloud.xyz" -d "answers.khacloud.xyz" -d "forum.khacloud.xyz" -d "hack.khacloud.xyz" -d "my.khacloud.xyz" -d "edu.khacloud.xyz" -d "book.khacloud.xyz"
cd /etc/letsencrypt/live/khacloud.xyz/
cat cert.pem chain.pem fullchain.pem privkey.pem > all.pem

Add cert location to the import list of HAProxy

echo "/etc/letsencrypt/live/khacloud.xyz/all.pem" >> /etc/letsencrypt/live/certs.list

Reload HAProxy

service haproxy reload