Setup Free HTTPS via Let's Encrypt Certbot (Windows) - superseded


Versioning - This is an older version.

1. Setup Free HTTS via Let's Encrypt Certbot (Windows) - 10/31/2022 6:33:07 PM
2. Setup Free HTTS via Let's Encrypt Certbot (Windows) - 10/31/2022 6:35:24 PM
3. Setup Free HTTS via Let's Encrypt Certbot (Windows) - 10/31/2022 6:59:27 PM
4. Setup Free HTTS via Let's Encrypt Certbot (Windows) - 10/31/2022 7:02:56 PM
5. Setup Free HTTPS via Let's Encrypt Certbot (Windows) - 10/31/2022 7:06:01 PM

Description

For when you have a domain but no CA and don't want to shell out for an SSL certificate.

Sets up a free certificate using Let's Encrypt and Certbot.

Configures the REST API, Web Reports and WebUI, when they are local to the BigFix server, to all share the certificate.

Prompts you for your domain and the responsible party's e-mail address.

The targeted server must resolve to the domain name you are using from the outside (Let's Encrypt checks this as part of the certificate process).

You might have to put your BigFix server in the DMZ for certbot to work, both initially and on renewal of the free certificate every 90 days.

Beta code: there are lots of links and references in the action script; if you get stuck, read them and adapt.


Property Details

ID: 26963
Title: Setup Free HTTPS via Let's Encrypt Certbot (Windows)
Domain: BESC
Source: Internal
Source Release Date: 10/6/2022 12:00:00 AM
Keywords: certbot SSL webreports rest webui
Added: 10/31/2022 6:35:24 PM
Last Modified: 10/31/2022 6:35:24 PM
Counters: 1093 Views / 1 Download

Relevance

1. exists main gather service
   (Used in 106 fixlets and 5 analyses; results in a true/false)

2. isWindows (Relevance 1172): windows of operating system
   (Used in 1152 fixlets and 538 analyses; results in a true/false)

3. version of client >= "10.0"
   (Used in 4 fixlets; results in a true/false)

Actions

Action 1 (default)

Script Type: BigFix Action Script
// based on https://certbot.eff.org/instructions?ws=other&os=windows
// based on https://help.hcltechsw.com/bigfix/10.0/platform/c_SSL_overview.html
// hash as of 10/06/2022
prefetch certbot-beta-installer-win_amd64.exe sha1:a40b5d1a0ec0e4aba1552bde7bdd7a8c87ede9a5 size:22413696 https://dl.eff.org/certbot-beta-installer-win_amd64.exe sha256:a35c7546e9618fe3cfe2bc8ad6a017a4d2b01c90fa4972d1aaeabe91c77afa80
wait __Download\certbot-beta-installer-win_amd64.exe /S

//check the install
continue if {exists file "C:\Program Files\Certbot\bin\certbot.exe"}

// Generate the cert. At minimum these two parameters are required.
action parameter query "domain" with description "the Domain for this cert" and with default value "company.com"
action parameter query "mail" with description "the e-mail address associated with this cert" and with default value "BigFixAdmin@company.com"

// full command line list here: https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-commands
// NOTE - --standalone answers the HTTP-01 challenge on TCP 80 itself, so this will fail if the domain does not route back to where Certbot is running (Internet routing - probably needs to be in the DMZ)
// Check C:\Certbot\log\letsencrypt.log for details

wait "C:\Program Files\Certbot\bin\certbot.exe" certonly --noninteractive --agree-tos -d {parameter "domain"} --standalone -m {parameter "mail"}

parameter "crtpath"="C:\Certbot\live\{parameter "domain"}\fullchain.pem"
parameter "pvkpath"="C:\Certbot\live\{parameter "domain"}\privkey.pem"

continue if { exists file (parameter "crtpath") whose (size of it > 0)}
continue if { exists file (parameter "pvkpath") whose (size of it > 0)}

if {exists service "BESRootServer"}
// https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_restapi_https_settings.html
    setting "_BESRelay_HTTPServer_UseSSLFlag"="1" on "{parameter "action issue date" of action}" for client
    setting "_BESRelay_HTTPServer_SSLCertificateFilePath"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
    setting "_BESRelay_HTTPServer_SSLPrivateKeyFilePath"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
    wait sc.exe stop BESRootServer
    wait sc.exe start BESRootServer
endif

if {exists service "BESWebReportsServer"}
// https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Web_Reports/c_web_reports_https_settings.html
    setting "_WebReports_HTTPServer_UseSSLFlag"="1" on "{parameter "action issue date" of action}" for client
    setting "_WebReports_HTTPServer_SSLCertificateFilePath"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
    setting "_WebReports_HTTPServer_SSLPrivateKeyFilePath"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
    wait sc.exe stop BESWebReportsServer
    wait sc.exe start BESWebReportsServer
endif

if {exists service "BESWebUI"}
// WebUI settings use SSL is automatically on for WebUI, so no separate setting there.
    setting "_WebUIAppEnv_WEB_CERT_FILE"="{parameter "crtpath"}" on "{parameter "action issue date" of action}" for client
    setting "_WebUIAppEnv_WEB_KEY_FILE"="{parameter "pvkpath"}" on "{parameter "action issue date" of action}" for client
    wait sc.exe stop BESWebUI
    wait sc.exe start BESWebUI
endif
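
The action above relies on three things it cannot verify for you: the domain's public DNS record must reach this host, TCP 80 must be free for certbot's standalone HTTP-01 listener, and the files under C:\Certbot\live\<domain> must contain a valid, unexpired certificate for that name. The PowerShell script below is an added example for running those checks on the BigFix server before and after deploying the action; it is not part of the fixlet or of certbot. It assumes certbot's default Windows layout (C:\Certbot\live\<domain>\fullchain.pem and privkey.pem), a 30-day renewal warning window (certbot's own default renewal threshold), and that it runs with rights to read those files. Hosts behind NAT or in a DMZ will legitimately fail the local-address comparison, so that check warns rather than aborts.

```powershell
# Added example (not part of the fixlet): pre-flight and post-issuance checks for the
# certbot --standalone flow used by the action. Assumes certbot's default paths under
# C:\Certbot and that it runs on the BigFix server itself.
param(
    [Parameter(Mandatory = $true)][string]$Domain,
    [int]$RenewWarnDays = 30   # assumption: matches certbot's default "renew within 30 days" window
)

function Test-DomainPointsHere {
    param([string]$Domain)
    # HTTP-01 validation only succeeds if the public A record leads to this host on TCP 80.
    $answers = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
    $localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($a in $answers) {
        if ($localIps -contains $a.IPAddress) { return $true }
    }
    # A NAT/DMZ public address never appears locally; report what DNS returned and let the operator judge.
    Write-Warning ("{0} resolves to {1}; none of these addresses are bound on this host (NAT/DMZ?)" -f `
        $Domain, (($answers | ForEach-Object { $_.IPAddress }) -join ', '))
    return $false
}

function Test-Port80Free {
    # certbot --standalone binds TCP 80 itself; an existing listener (IIS, a relay, another web server) breaks the challenge.
    $listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $first = @($listener)[0]
        $owner = (Get-Process -Id $first.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Warning "TCP 80 is already in use by '$owner' (PID $($first.OwningProcess)); certbot --standalone will fail"
        return $false
    }
    return $true
}

function Test-IssuedCertificate {
    param([string]$Domain, [int]$WarnDays)
    $live  = "C:\Certbot\live\$Domain"
    $chain = Join-Path $live 'fullchain.pem'
    $key   = Join-Path $live 'privkey.pem'
    # Same condition the action's "continue if" lines enforce: both files present and non-empty.
    foreach ($f in @($chain, $key)) {
        if (-not (Test-Path $f) -or (Get-Item $f).Length -eq 0) {
            Write-Warning "missing or empty: $f (see C:\Certbot\log\letsencrypt.log)"
            return $false
        }
    }
    # X509Certificate2 loads the first (leaf) certificate from a PEM chain file.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $chain
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($sans -notcontains $Domain) {
        Write-Warning "certificate SANs ($($sans -join ', ')) do not include $Domain"
        return $false
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le 0) {
        Write-Warning "certificate expired on $($cert.NotAfter); run certbot renew and restart the BigFix services"
        return $false
    }
    if ($daysLeft -le $WarnDays) {
        # Let's Encrypt certs last 90 days; the installer's scheduled task is what keeps them renewed.
        $task = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -like '*certbot*' }
        $state = if ($task) { "renew task '$($task.TaskName)' is $($task.State)" } else { 'no certbot scheduled task found' }
        Write-Warning "certificate expires in $daysLeft days; $state"
    }
    Write-Host "OK: $($cert.Subject) issued by $($cert.Issuer), valid until $($cert.NotAfter) ($daysLeft days left)"
    return $true
}

# Pre-flight: evaluate both checks so the operator sees every problem at once.
$dnsOk  = Test-DomainPointsHere -Domain $Domain
$portOk = Test-Port80Free
if (-not ($dnsOk -and $portOk)) {
    Write-Warning 'pre-flight problems found: the HTTP-01 challenge is likely to fail'
}

# Post-issuance: only meaningful once certbot has written the live directory.
if (Test-Path "C:\Certbot\live\$Domain\fullchain.pem") {
    [void](Test-IssuedCertificate -Domain $Domain -WarnDays $RenewWarnDays)
}
```

Run it as `.\Check-CertbotBigFix.ps1 -Domain bigfix.company.com` (file name is the example's own). The BigFix services read the certificate and key paths configured by the action, and the action restarts them after issuance; treat a renewal the same way and restart BESRootServer, BESWebReportsServer and BESWebUI after certbot replaces the files, otherwise the services keep serving the old certificate until their next restart.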
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

