...
Install and configure Let's Encrypt certificates for the PiKVM
By installing and configuring a Let’s Encrypt Certificate, we can enable validated SSL connections to the PiKVM web interface. To do this, we need a valid domain name. For this, we will register the following names:
```
netrabrick.(bodega).openvino.org
pikvm.(bodega).openvino.org
```
Replace (bodega) with the name of the winery, in this example Costaflores.
Currently, the registration of the DNS records for these domain entries is done manually, but eventually, the decentralized OpenVino Netrabricks will assume the DNS functions for the openvino.org domain and subdomains (and openvino.exchange).
1. Configure PST storage.
```
[root@pikvm ~]# kvmd-pstrun -- true
-- INFO -- Opening PST session ...
-- INFO -- PST write is allowed: /var/lib/kvmd/pst/data
-- INFO -- Running the process ...
-- INFO -- Process finished: returncode=0
```
2. Open ports 80 and 443 from the internet to the PiKVM (192.168.0.86 in this example).
3. Request a new certificate.
```
[root@pikvm ~]# kvmd-certbot certonly_webroot --agree-tos -n --email cert@openvino.org -d pikvm.costaflores.openvino.org
-- INFO -- Opening PST session ...
-- INFO -- PST write is allowed: /var/lib/kvmd/pst/data
-- INFO -- Running the process ...
+ mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
+ chown -R kvmd-certbot: /var/lib/kvmd/pst/data/certbot/runroot/..
-- INFO -- Process finished: returncode=0
-- INFO -- Opening PST session ...
-- INFO -- PST write is allowed: /var/lib/kvmd/pst/data
-- INFO -- Running the process ...
Saving debug log to /var/lib/kvmd/pst/data/certbot/runroot/logs/letsencrypt.log
Requesting a certificate for pikvm.costaflores.openvino.org
Hook 'deploy-hook' ran with error output:
 + chmod 755 /var/lib/kvmd/pst/data/certbot/runroot/config/archive /var/lib/kvmd/pst/data/certbot/runroot/config/live
 + chmod 640 /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem

Successfully received certificate.
Certificate is saved at: /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem
Key is saved at:         /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem
This certificate expires on 2024-07-14.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- INFO -- Process finished: returncode=0
```
4. Deactivate the port mapping from the internet to the PiKVM on :80 and :443.
5. Test renewing the certificate.
```
[root@pikvm ~]# kvmd-certbot renew --force-renewal
Saving debug log to /tmp/kvmd-certbot/runroot/logs/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /tmp/kvmd-certbot/runroot/config/renewal/pikvm.costaflores.openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for pikvm.costaflores.openvino.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /tmp/kvmd-certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- INFO -- Opening PST session ...
-- INFO -- PST write is allowed: /var/lib/kvmd/pst/data
-- INFO -- Running the process ...
+ rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new
+ cp -a /tmp/kvmd-certbot/runroot/. /var/lib/kvmd/pst/data/certbot/runroot.new
+ rm /var/lib/kvmd/pst/data/certbot/runroot.new/updated
+ chmod 755 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive /var/lib/kvmd/pst/data/certbot/runroot.new/config/live
+ chmod 640 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey1.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey2.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey3.pem
+ sed -s -i -e 's| = /tmp/kvmd-certbot/runroot/| = /var/lib/kvmd/pst/data/certbot/runroot/|g' /var/lib/kvmd/pst/data/certbot/runroot.new/config/renewal/pikvm.costaflores.openvino.org.conf
+ rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new/logs/letsencrypt.log.1 /var/lib/kvmd/pst/data/certbot/runroot.new/config/csr /var/lib/kvmd/pst/data/certbot/runroot.new/config/keys
+ sync
+ kvmd-helper-swapfiles /var/lib/kvmd/pst/data/certbot/runroot.new /var/lib/kvmd/pst/data/certbot/runroot
+ rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new
-- INFO -- Process finished: returncode=0
```
6. Automate certificate renewal.
```
[root@pikvm ~]# systemctl enable --now kvmd-certbot.timer
Created symlink /etc/systemd/system/timers.target.wants/kvmd-certbot.timer -> /usr/lib/systemd/system/kvmd-certbot.timer.
```
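A defender-side check for this setup, added here and not part of PiKVM or kvmd-certbot: it audits the certbot tree in PST storage using the paths from the output above, flags any private key whose mode is wider than the 640 the deploy-hook sets, and reports days to expiry so that a timer renewal that failed (the webroot HTTP-01 challenge needs port 80 reachable again, which the mapping removed in step 4 no longer provides) is noticed before the certificate lapses. It assumes the `openssl` binary is installed on the PiKVM.

```python
"""Audit the Let's Encrypt state kvmd-certbot keeps in PST storage (added example,
not part of the PiKVM tooling; paths are from the kvmd-certbot output above,
and the openssl binary is assumed to be installed)."""
import os
import stat
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Location kvmd-certbot deploys into (from the output above).
PST_RUNROOT = Path("/var/lib/kvmd/pst/data/certbot/runroot")
KEY_MODE_MAX = 0o640  # the deploy-hook sets 640 on private keys; wider is a finding


def key_mode_problems(live_dir):
    """Return (path, mode) for each privkey*.pem whose mode exceeds 0640.

    live/<domain>/privkey.pem is normally a symlink into archive/, so the
    target's mode (os.stat follows symlinks) is what gets checked.
    """
    findings = []
    for key in sorted(Path(live_dir).glob("*/privkey*.pem")):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & ~KEY_MODE_MAX:
            findings.append((str(key), mode))
    return findings


def days_until_expiry(openssl_enddate_line, now):
    """Days from `now` to the notAfter in 'notAfter=Jul 14 12:34:56 2024 GMT'."""
    value = openssl_enddate_line.strip().split("=", 1)[1]
    not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (not_after - now).days  # negative once the certificate has expired


def cert_days_left(fullchain_pem):
    """Read the leaf certificate's notAfter with openssl and return days remaining."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", str(fullchain_pem)],
                         check=True, capture_output=True, text=True).stdout
    return days_until_expiry(out, datetime.now(timezone.utc))


def audit(runroot=PST_RUNROOT, warn_days=30):
    """Flag over-permissive keys and certificates with fewer than warn_days left."""
    live = runroot / "config" / "live"
    days = {c.parent.name: cert_days_left(c) for c in sorted(live.glob("*/fullchain.pem"))}
    return {"key_modes": key_mode_problems(live),
            "expiring": {name: d for name, d in days.items() if d < warn_days}}
```

Run it from the kvmd-certbot timer's host (or a cron job) and alert on any non-empty entry in the returned report.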
Configuring PiSugar
Add a pisugar user to the PiKVM (Raspberry Pi):
...