RCL CertificateBot for Linux

V6.0.10

RCL CertificateBot runs as a Daemon in a Linux Server. The daemon will run every seven (7) days to automatically renew and save SSL/TLS certificates from a user’s subscription in the RCL Portal to a Linux hosting machine.

Automatically Renew TLS/SSL Certificates

You can use RCL CertificateBot to automatically renew SSL/TLS certificates created in the RCL Portal using the the following creation options :

• Azure DNS (including SAN) - Recommended

‘Stand Alone’ certificates are not supported by RCL CertificateBot.

Installing RCL CertificateBot

Download and Extract the Daemon Files to the Linux Server

In this section, you will download the files from the RCL CertificateBot GitHub Project Page in the Releases section; and extract it to your Linux Server in the /usr/sbin folder:

• In your Linux server, navigate to the /usr/sbin folder

cd /usr/sbin

• Run the command in the folder to download and extract the linux-x64 files:

wget -c https://github.com/rcl-ssl/RCL.CertificateBot/releases/download/V6.0.10/certificatebot-linux-x64.tar.gz -O - | sudo tar -xz

or linux-arm files :

wget -c https://github.com/rcl-ssl/RCL.CertificateBot/releases/download/V2.1/certificatebot-linux-arm.tar.gz -O - | sudo tar -xz

Configure the Daemon

Register an AAD Application

An Azure Active Directory (AAD) application must be registered to obtain permission to access a user’s Azure resources (DNS Zone).

Please refer to the following link to register an AAD application:

• Registering an AAD Application

Set Access Control for the AAD Application

Access control must be set for the AAD application to access resources (DNS Zone) in a user’s Azure subscription. Please refer to the following link to set access control :

• Setting Access Control for the AAD Application

Get the AAD Application Credentials

To obtain the following credentials from the AAD application:

• ClientId
• ClientSecret
• TenantId

follow the instructions in this link :

• Get the AAD Application Credentials

Get the SubscriptionId

Get the Subscription Id in the RCL Portal.

• Scroll down and copy the ‘Subscription Id’

Register the AAD Application’s Client Id in the RCL Portal

The AAD Application must be associated with a user’s RCL subscription. This is achieved by registering the AAD Application’s Client Id in the RCL Portal.

To add the AAD Application’s Client Id to the portal, please follow the instructions in this link :

• Add the Client Id in the RCL Portal

Add the Configuration variables

• Navigate to the folder you downloaded and extracted the daemon files :

cd /usr/sbin/certificatebot-linux-x64

or for arm

cd /usr/sbin/certificatebot-linux-arm

• Use nano (or other text editor) to edit the appsettings.json file in the folder

sudo nano appsettings.json

• Add the credentials for the AAD Application and SubscriptionId in the RCLSDK section :
  • ClientId
  • ClientSecret
  • TenantId
  • SubscriptionId

• In the CertificateBot section, set a folder path to save the SSL/TLS certificates. Recommended path : /etc/ssl/certificatebot

  • saveCertificatePath
• Create the folder in the server and ensure it has read/write permissions so that the certificates can be saved to it.

sudo mkdir -m 777 /etc/ssl/certificatebot

• The includeCertificates settings will allow for including specific certificates by its name (eg: “contoso.com” or “contoso.com, *.contoso.com” - for SAN) for the certificate(s) you want to save on the server.

Example

  "CertificateBot": {
    "saveCertificatePath": "/etc/ssl/certificatebot",
     "includeCertificates": [
       "contoso.com",
       "fabricam.com",
       "acme.com,*.acme.com",
       "adworks.com, www.adworks.com"
       ],
  },

Example of a configured appsettings.json file

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "RCLSDK": {
    "ApiBaseUrl": "https://rclapi.azure-api.net/public",
    "SourceApplication": "RCL CertificateBot Linux",
    "ClientId": "35ca82aa-9ff3-5a67-bb7f-c3c71027eecf",
    "ClientSecret": "hdytev539dgw~_8-g4lNI84V01.yIDUMHh",
    "TenantId": "22cd4a8c-bc2c-3618-b1c3-4610c1b9b3e8",
    "SubscriptionId": "879"
  },
  "CertificateBot": {
    "IISBindings": [],
    "SaveCertificatePath": "/etc/ssl/certificatebot",
    "IncludeCertificates": [
      "shopeneur.com,*.shopeneur.com"
    ]
  }
}

• Save the updated appsettings.json file when you are done

Add the Linux Daemon

Create the Daemon

• Navigate to the /etc/systemd/system folder

cd /etc/systemd/system

• Create the daemon file

sudo touch certificatebot.service

• Use nano (or other text editor) to edit the service file

sudo nano certificatebot.service

• Add the following code to the file

[Unit]
Description=RCL CertificateBot

[Service]
Type=notify
WorkingDirectory=/usr/sbin/certificatebot-linux-x64
ExecStart=/usr/sbin/certificatebot-linux-x64/RCL.CertificateBot.Linux

[Install]
WantedBy=multi-user.target

If you installed the arm version, change the directory to the arm path /usr/sbin/certificatebot-linux-arm instead of /usr/sbin/certificatebot-linux-x64 in the ‘WorkingDirectory’ and ‘ExecStart’ settings

• Save the file when you are done

Reload the Daemon

• Reload the daemon anytime you make changes to the service file

sudo systemctl daemon-reload

Start the Daemon

• Run the code to start the daemon

sudo systemctl start certificatebot

View the Status of the Daemon

• Run the code to view the status of the daemon

sudo systemctl status certificatebot

• You will see the status of the daemon. The most recent logs will also be displayed.

• Ensure that there are no errors in the logs. If there are errors, the daemon is misconfigured and will not function

View the Detailed Logs

• Run the command to view the daemon’s detailed logs

sudo journalctl -u certificatebot --no-pager

• If the application is working correctly you should see messages similar to the one below :

RCL.CertificateBot.Linux.Worker[0] Found 1 certificate(s) to save locally.  Successfully saved : shopeneur.com,*.shopeneur.com.  Did not find any certificates to renew.

When you need to Stop the Daemon

• Run the code when you need to stop the daemon. When the daemon is stopped, CertificateBot will discontinue certificate renewals and installation in the server.

sudo systemctl stop certificatebot

Fixing Errors

If you encounter errors in the logs for the daemon, please stop the daemon. Ensure the ‘appsettings’ configuration is correct for the AAD Application credentials and the certificate save path settings.

The folder to save the certificate must have read/write access.

Reload and restart the daemon after you make changes and check if the errors were resolved.

Installing Certificates in Web Servers

RCL CertificateBot will automatically save renewed SSL/TLS certificate files to a folder in the server. You should then configure the web server to use these files to implement SSL/TLS in your website.

Certificate Files

The SSL/TLS certificate files will be stored at the path you specified in the appsettings.json configuration file. In this example, we used the path /etc/ssl/certificatebot to store the certificate files.

When configuring the web servers, you will reference the specific certificate files stored at that path in a folder generated by CertificateBot for a specified domain.

The following files are downloaded and saved on the server :

• certificate.pfx - The PFX certificate file
• primaryCertificate.crt The primary certificate file
• fullChainCertificate.crt - The full chain certificate file
• caBundle.crt - The intermediate certificate file
• privateKey.key - The certificate’s private key file

Configuring the Web Servers

Please follow the links below to configure your web server:

• Installing SSL/TLS Certificates in Apache Server
• Installing SSL/TLS Certificates in Apache Tomcat
• Installing SSL/TLS Certificates in NGINX
• Installing SSL/TLS Certificates in Web Servers and Hosting Services