Setup Free HTTPS via Let's Encrypt Certbot (Windows) - superseded
Versioning - This is an older version.
Version 1: Setup Free HTTS via Let's Encrypt Certbot (Windows) (10/31/2022 6:33:07 PM)
Version 2: Setup Free HTTS via Let's Encrypt Certbot (Windows) (10/31/2022 6:35:24 PM)
Version 3: Setup Free HTTS via Let's Encrypt Certbot (Windows) (10/31/2022 6:59:27 PM)
Version 4: Setup Free HTTS via Let's Encrypt Certbot (Windows) (10/31/2022 7:02:56 PM)
Version 5: Setup Free HTTPS via Let's Encrypt Certbot (Windows) (10/31/2022 7:06:01 PM)
Description
If you have a domain but no CA of your own and don't want to pay for an SSL certificate, this task sets up a free certificate using Let's Encrypt and Certbot.
If the REST API, Web Reports and WebUI are local to the BigFix server, it configures all of them to share the same certificate.
It prompts you for your domain and the responsible party's e-mail address.
The targeted server must be reachable at the domain name you supply from the Internet, because Let's Encrypt validates the domain as part of issuance.
You may have to place your BigFix server in the DMZ for Certbot to work, both at initial issuance and at each renewal of the free certificate every 90 days.
Beta code: the action script contains many links and references; if you get stuck, read them and adapt.
Property Details
26963
Setup Free HTTPS via Let's Encrypt Certbot (Windows)
BESC
Internal
10/6/2022 12:00:00 AM
Keywords: certbot SSL webreports rest webui
Created: brolly33 on 10/31/2022 6:35:24 PM
Modified: brolly33 on 10/31/2022 6:35:24 PM
1093 Views / 1 Download
Relevance
Actions
Action 1 (default)
// based on https://certbot.eff.org/instructions?ws=other&os=windows
// based on https://help.hcltechsw.com/bigfix/10.0/platform/c_SSL_overview.html
// hash as of 10/06/2022
prefetch certbot-beta-installer-win_amd64.exe sha1:a40b5d1a0ec0e4aba1552bde7bdd7a8c87ede9a5 size:22413696 https://dl.eff.org/certbot-beta-installer-win_amd64.exe sha256:a35c7546e9618fe3cfe2bc8ad6a017a4d2b01c90fa4972d1aaeabe91c77afa80
// silent install of the Certbot beta installer from the action's __Download folder
wait "__Download\certbot-beta-installer-win_amd64.exe" /S
//check the install
continue if {exists file "C:\Program Files\Certbot\bin\certbot.exe"}
// Generate the cert: at least these two parameters are required (prompted for when the action is taken).
action parameter query "domain" with description "the Domain for this cert" and with default value "company.com"
action parameter query "mail" with description "the e-mail address associated with this cert" and with default value "BigFixAdmin@company.com"
// full command line list here: https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-commands
// NOTE - this will fail if the domain does not route back to where Certbot is running from - Internet routing - probably needs to be in DMZ
// Check C:\Certbot\log\letsencrypt.log for details
wait "C:\Program Files\Certbot\bin\certbot.exe" certonly --noninteractive --agree-tos -d {parameter "domain"} --standalone -m {parameter "mail"}
parameter "crtpath"="C:\Certbot\live\{parameter "domain"}\fullchain.pem"
parameter "pvkpath"="C:\Certbot\live\{parameter "domain"}\privkey.pem"
continue if { exists file (parameter "crtpath") whose (size of it > 0)}
continue if { exists file (parameter "pvkpath") whose (size of it > 0)}
if {exists service "BESRootServer"}
// https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_restapi_https_settings.html
setting "_BESRelay_HTTPServer_UseSSLFlag"="1" on "{parameter "action issue date" of action}" for client
setting "_BESRelay_HTTPServer_SSLCertificateFilePath"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
setting "_BESRelay_HTTPServer_SSLPrivateKeyFilePath"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
wait sc.exe stop BESRootServer
wait sc.exe start BESRootServer
endif
if {exists service "BESWebReportsServer"}
// https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Web_Reports/c_web_reports_https_settings.html
setting "_WebReports_HTTPServer_UseSSLFlag"="1" on "{parameter "action issue date" of action}" for client
setting "_WebReports_HTTPServer_SSLCertificateFilePath"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
setting "_WebReports_HTTPServer_SSLPrivateKeyFilePath"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
wait sc.exe stop BESWebReportsServer
wait sc.exe start BESWebReportsServer
endif
if {exists service "BESWebUI"}
// WebUI settings use SSL is automatically on for WebUI, so no separate setting there.
setting "_WebUIAppEnv_WEB_CERT_FILE"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
setting "_WebUIAppEnv_WEB_KEY_FILE"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
wait sc.exe stop BESWebUI
wait sc.exe start BESWebUI
endif
This action will be considered successful when the applicability relevance evaluates to false.
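The BES services above only re-read the certificate files when restarted, so a 90-day renewal by Certbot's scheduled task leaves them serving the old certificate until something restarts them. The following PowerShell deploy hook is an added example (not part of this task or of Certbot) that does that and then verifies the REST API really presents the renewed certificate; it assumes Certbot's default live path, the RENEWED_LINEAGE / RENEWED_DOMAINS variables Certbot exports to deploy hooks, the BigFix default port 52311, and registration through Certbot's --deploy-hook option.

```powershell
# Certbot deploy hook for the BES services configured by the action above (added example).
# Certbot exports RENEWED_LINEAGE (C:\Certbot\live\<domain>) and RENEWED_DOMAINS to deploy hooks.
param(
    [string]$Domain       = $env:RENEWED_DOMAINS,
    [string]$LiveDir      = $env:RENEWED_LINEAGE,
    [int]   $RestApiPort  = 52311,   # BigFix root server / REST API default port (assumed unchanged)
    [int]   $RetrySeconds = 30       # how long to wait for the restarted service to listen again
)
$ErrorActionPreference = 'Stop'
if (-not $Domain)  { throw 'No domain: pass -Domain or run this script as a Certbot deploy hook' }
if (-not $LiveDir) { $LiveDir = "C:\Certbot\live\$Domain" }
$crt = Join-Path $LiveDir 'fullchain.pem'
$key = Join-Path $LiveDir 'privkey.pem'
# Same sanity check the action script makes: both files must exist and be non-empty.
foreach ($f in @($crt, $key)) {
    if (-not (Test-Path $f) -or (Get-Item $f).Length -eq 0) { throw "Missing or empty file: $f" }
}
# Load the leaf certificate (first PEM block of fullchain.pem) to get its thumbprint and expiry.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $crt
Write-Host ("On disk: {0} expires {1:u} thumbprint {2}" -f $leaf.Subject, $leaf.NotAfter, $leaf.Thumbprint)
# BES services read the certificate files only at start-up; restart whichever ones are installed.
foreach ($name in 'BESRootServer', 'BESWebReportsServer', 'BESWebUI') {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Restart-Service -Name $name -Force
        Write-Host "Restarted $name"
    }
}
# Open a TLS connection to the REST API port and read the certificate it presents. The callback
# accepts any chain on purpose: this is a thumbprint comparison, not a trust decision.
function Get-ServedThumbprint([string]$TargetHost, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $TargetHost, $Port
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $cb
        $ssl.AuthenticateAsClient($TargetHost)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        return $served.Thumbprint
    } finally { $tcp.Close() }
}
# The service needs a moment to come back; retry until it answers or the deadline passes.
$servedThumb = $null
$deadline = (Get-Date).AddSeconds($RetrySeconds)
do {
    try { $servedThumb = Get-ServedThumbprint $Domain $RestApiPort; break }
    catch { Start-Sleep -Seconds 3 }
} while ((Get-Date) -lt $deadline)
if ($servedThumb -ne $leaf.Thumbprint) { throw "REST API serves '$servedThumb', expected $($leaf.Thumbprint)" }
Write-Host "REST API on port $RestApiPort now serves the renewed certificate"
```

A non-zero exit from the hook shows up in C:\Certbot\log\letsencrypt.log, the same log the action script points you to, so a failed restart or a stale certificate is visible at the next renewal rather than at expiry.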