romfast/ROMFASTSQL
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91b9e08e9d097c9ccd0888f10890310d8af30fe4
ROMFASTSQL/proxmox/vm201-certificat-letsencrypt-iis.md
Marius 90d77704d6 Reorganize Proxmox documentation with clear structure and VM/LXC mapping 
## Changes

### Documentation Reorganization
- **README.md**: Complete restructure with logical sections
  - Infrastructure General (proxmox-ssh-guide.md)
  - LXC Containers (oracle-database-lxc108.md)
  - Virtual Machines (vm201-*.md)
  - Cluster-Wide Resources (cluster-ha-monitor.sh, ups/)
  - Archived/Decommissioned (archived-vm107-monitor.sh)
  - Added quick navigation "Am nevoie să..." section
  - Added recommended workflows
  - Added complete directory structure map

- **proxmox-ssh-guide.md**: Added documentation references section
  - Clear links to all related documentation
  - When to use each document
  - Quick start snippets for each resource

### File Renames for Clarity
- `certificat-letsencrypt-iis.md` → `vm201-certificat-letsencrypt-iis.md`
- `troubleshooting-vm201-backup-nfs.md` → `vm201-troubleshooting-backup-nfs.md`
- `ha-monitor.sh` → `cluster-ha-monitor.sh`
- `vm107-monitor.sh` → `archived-vm107-monitor.sh`

### New Documentation
- **vm201-windows11.md**: Complete VM 201 documentation
  - Hardware configuration
  - Installed services (IIS, SQL*Plus, WinNUT, RDP)
  - Network configuration
  - Backup and recovery procedures
  - Common troubleshooting

## Benefits
- Clear naming convention: VM/LXC/Cluster prefixes
- Central index in README.md with navigation
- Cross-references between documents
- Complete VM 201 documentation suite
- Clear archival of decommissioned resources

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-19 13:43:44 +02:00

5.8 KiB
Raw Blame History

Certificat Let's Encrypt pentru IIS - Ghid Rapid

Instalare Win-ACME

# Download și instalare
Invoke-WebRequest -Uri "https://github.com/win-acme/win-acme/releases/download/v2.2.9.1701/win-acme.v2.2.9.1701.x64.pluggable.zip" -OutFile "$env:TEMP\win-acme.zip"
Expand-Archive -Path "$env:TEMP\win-acme.zip" -DestinationPath "C:\Tools\win-acme" -Force

Prerequisite IIS

Verificare Site ID-uri

Import-Module WebAdministration
Get-Website | Select-Object ID, Name, State, @{N='Bindings';E={$_.Bindings.Collection.bindingInformation}}

Adaugă Binding-uri pentru Domeniu

# Exemplu pentru roa.romfast.ro pe Default Web Site
New-WebBinding -Name "Default Web Site" -Protocol http -Port 80 -HostHeader "roa.romfast.ro"
New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -HostHeader "roa.romfast.ro"

Generare Certificate

Metoda 1: Comenzi PowerShell (Automat)

cd C:\Tools\win-acme

# Pentru fiecare site (înlocuiește Site ID și email)
.\wacs.exe --source iis --siteid 1 --accepttos --emailaddress your@email.com
.\wacs.exe --source iis --siteid 2 --accepttos --emailaddress your@email.com
.\wacs.exe --source iis --siteid 3 --accepttos --emailaddress your@email.com

Metoda 2: Mod Interactiv

cd C:\Tools\win-acme
.\wacs.exe

# În meniu:
# N - Create certificate (simple for IIS)
# Selectează site-ul
# Confirmă binding-urile
# yes - Accept ToS
# Enter email

Configurare Binding-uri IIS cu SNI

Important: SNI OBLIGATORIU pentru Multiple Certificate pe Același IP

GUI - IIS Manager:

  1. Deschide IIS Manager (inetmgr)
  2. Pentru fiecare site:
    • Site → Bindings → Selectează httpsEdit
    • ☑️ Bifează "Require Server Name Indication"
    • Selectează certificatul corect pentru site
    • OK
  3. Restart IIS: iisreset

PowerShell:

Import-Module WebAdministration

# Exemplu pentru un site
$siteName = "Dokploy"
$hostHeader = "dokploy.romfast.ro"

# Găsește certificatul
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$hostHeader*" -and $_.NotAfter -gt (Get-Date).AddDays(60)
} | Select-Object -First 1

# Șterge binding vechi și creează cu SNI (SslFlags = 1)
Remove-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader -ErrorAction SilentlyContinue
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostHeader -SslFlags 1

# Asociază certificatul
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader
$binding.AddSslCertificate($cert.Thumbprint, "My")

# Restart IIS
iisreset

Verificare

Listare Certificate Gestionate

cd C:\Tools\win-acme
.\wacs.exe --list

Verificare Certificate în Browser

# Din WSL sau Linux
echo | openssl s_client -connect domain.ro:443 -servername domain.ro 2>/dev/null | openssl x509 -noout -dates -subject

Verificare Task Scheduler

Get-ScheduledTask | Where-Object {$_.TaskName -like "*acme*"}

Verificare Certificate IIS

Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*Let's Encrypt*" -and $_.NotAfter -gt (Get-Date)
} | Select-Object Subject, NotAfter, Thumbprint

Reînnoire

Automată

  • Task Scheduler verifică zilnic
  • Reînnoiește automat cu 30 zile înainte de expirare

Manuală

cd C:\Tools\win-acme
.\wacs.exe --renew --force
iisreset

Troubleshooting

Certificat Vechi Încă Servit

# Verifică SNI
Get-WebBinding | Where-Object {$_.Protocol -eq "https"} | Select-Object @{N='Site';E={$_.ItemXPath -replace '.*name=''([^'']+)''.*','$1'}}, bindingInformation, @{N='SNI';E={($_.sslFlags -band 1) -eq 1}}

# Forțează reinstalare
cd C:\Tools\win-acme
.\wacs.exe --renew --force
iisreset

Validare HTTP-01 Eșuează

  • Verifică că portul 80 este accesibil din internet
  • Verifică că DNS pointează corect
  • Verifică că URL Rewrite nu blochează /.well-known/acme-challenge/*

Certificate Nu Se Asociază Automat

Folosește scriptul: configure-iis-sni.ps1

Structură Site-uri IIS

Site ID Nume Hostname Binding HTTPS SNI
1 Default Web Site roa.romfast.ro *:443:roa.romfast.ro ☑️ Activ
2 Dokploy dokploy.romfast.ro *:443:dokploy.romfast.ro ☑️ Activ
3 Gitea gitea.romfast.ro *:443:gitea.romfast.ro ☑️ Activ

Scripturi Utile

Script Complet Configurare SNI

Locație: /mnt/e/proiecte/ROMFASTSQL/proxmox/scripts/configure-iis-sni.ps1

cd D:\kit\ssl
.\configure-iis-sni.ps1

Script Verificare Certificate

Locație: /mnt/e/proiecte/ROMFASTSQL/proxmox/scripts/verify-letsencrypt.ps1

cd D:\kit\ssl
.\verify-letsencrypt.ps1

Comenzi Rapide

# Instalare
Expand-Archive win-acme.zip -DestinationPath C:\Tools\win-acme

# Generare certificate
cd C:\Tools\win-acme
.\wacs.exe --source iis --siteid X --accepttos --emailaddress email@domain.com

# Verificare
.\wacs.exe --list

# Reînnoire
.\wacs.exe --renew --force

# Restart IIS
iisreset

Note Importante

  • SNI este OBLIGATORIU pentru multiple certificate pe același IP:port
  • Certificatele expiră la 90 zile
  • Task Scheduler reînnoiește automat cu 30 zile înainte
  • Fiecare domeniu trebuie să fie accesibil pe port 80 din internet pentru validare HTTP-01
  • DNS trebuie să pointeze corect către IP-ul public