Differences

tips:ssl [2016/11/10 20:07] – [certificate integration for nginx] scipiotips:ssl [2022/06/22 07:15] (current) – [letsencrypt staging] sscipioni
Line 5: Line 5:
 [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open. [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open.
  
 +===== letsencrypt staging =====
 +
 +get ca certificate and use with curl
 +<code | download>
 +API_HOST=sso.csgalileo.org
 +echo quit | openssl s_client -showcerts -servername "$API_HOST" -connect "$API_HOST":443 > cacert.pem
 +curl --cacert cacert.pem https://sso.csgalileo.org/
 +</code>
 +
 +in browser import this [[https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem|CA]]
 +===== certbot ======
 +
 +<code>
 +snap install --classic certbot
 +
 +# or for focal pre
 +add-apt-repository ppa:certbot/certbot
 +apt-get update
 +apt-get install -y certbot python-certbot-nginx
 +</code>
 +
 +<code>
 +certbot certonly --webroot -w /var/www/html -d mail.veronamobile.it
 +</code>
 +
 +wildcard
 +<code>
 +certbot certonly \
 + --manual \
 + --preferred-challenges=dns \
 + --email stefano.scipioni@csgalileo.org \
 + --server https://acme-v02.api.letsencrypt.org/directory \
 + --agree-tos -d *.iotaiuto.it
 +</code>
 +==== nginx ====
 +
 +<file>
 +server {
 +  listen 80;
 +  server_name nextcloud.csgalileo.org;
 +  server_tokens off;
 +
 +  location /.well-known/acme-challenge {
 +    root /var/www;
 +    allow all;
 +  }
 +
 +  location / {
 +    return 301 https://$server_name$request_uri;
 +  }
 +}
 +
 +
 +
 +server {
 +    listen 443;
 +    server_name nnextcloud.csgalileo.org;
 +    
 +    ssl_certificate /etc/letsencrypt/live/nextcloud.csgalileo.org/fullchain.pem;
 +    ssl_certificate_key /etc/letsencrypt/live/nextcloud.csgalileo.org/privkey.pem;
 +  
 +}
 +</file>
 +
 +renew
 +<code>
 +certbot renew [--dry-run]
 +</code>
 +
 +automatic renew
 +<code>
 +systemctl status certbot.service
 +</code>
 +
 +/etc/letsencrypt/cli.ini
 +<code>
 +max-log-backups = 0
 +deploy-hook = systemctl reload nginx
 +</code>
 ===== acme.sh integration for letsencrypt ===== ===== acme.sh integration for letsencrypt =====
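Review bot: the acme-challenge `root /var/www;` in the nginx port-80 block (`location /.well-known/acme-challenge { root /var/www; allow all; }`) does not match the webroot handed to certbot earlier in this hunk (`certbot certonly --webroot -w /var/www/html ...`): nginx looks for the token under /var/www/.well-known/acme-challenge/ while certbot writes it under /var/www/html/.well-known/acme-challenge/, so the http-01 validation answers 404; use the same directory in both places. In the 443 block, `listen 443;` lacks the `ssl` parameter (`listen 443 ssl;`), so nginx serves plain HTTP on that port and the two ssl_certificate directives have no effect, and `server_name nnextcloud.csgalileo.org;` has a doubled n that does not match the certificate directory /etc/letsencrypt/live/nextcloud.csgalileo.org/. Two smaller points: the wildcard command uses `--manual --preferred-challenges=dns`, and certificates obtained that way are not renewed by the `certbot renew` / certbot.service path shown further down unless a `--manual-auth-hook` is supplied, so that caveat belongs next to the wildcard example; and the `openssl s_client -showcerts ... > cacert.pem` one-liner captures whatever chain the contacted host presents, leaf included, so `curl --cacert cacert.pem` trusts that host's own answer rather than an independently obtained anchor, which is acceptable for a staging smoke test, but the staging intermediate linked from letsencrypt.org right after it is the better trust root. The heading `===== certbot ======` is also unbalanced (five `=` opening, six closing).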
  
Line 79: Line 158:
  
 <file yaml apache.conf> <file yaml apache.conf>
- SSLngine on+<VirtualHost *:80> 
 +    ServerName projects.csgalileo.org 
 +    DocumentRoot /var/www/html 
 + 
 +    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/ 
 +    <Directory "/var/www/html/.well-known/acme-challenge/"> 
 +        Options None 
 +        AllowOverride None 
 +        ForceType text/plain 
 +        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" 
 +    </Directory> 
 + 
 +    RewriteEngine On 
 +    RewriteCond %{REQUEST_URI} !^/.well-known.* 
 +    RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L] 
 +    # Redirect permanent / https://projects.csgalileo.org/ 
 +</VirtualHost> 
 + 
 + 
 +<VirtualHost *:443> 
 + # ... 
 + SSLengine on
  SSLCertificateFile /etc/ssl/certs/mail.csgalileo.org.cer  SSLCertificateFile /etc/ssl/certs/mail.csgalileo.org.cer
  SSLCertificateKeyFile /etc/ssl/private/mail.csgalileo.org.key   SSLCertificateKeyFile /etc/ssl/private/mail.csgalileo.org.key 
  SSLCertificateChainFile /etc/apache2/fullchain.cer  SSLCertificateChainFile /etc/apache2/fullchain.cer
  SSLCACertificateFile /etc/ssl/certs/ca.cer  SSLCACertificateFile /etc/ssl/certs/ca.cer
 +</VirtualHost>
 +
 </file> </file>
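Review bot: `SSLCACertificateFile /etc/ssl/certs/ca.cer` in the `<VirtualHost *:443>` block configures the CA set used to verify client certificates (SSLVerifyClient), not the chain sent to browsers; with no client-certificate verification configured it is dead weight and is easily mistaken for the chain setting, which here is already `SSLCertificateChainFile /etc/apache2/fullchain.cer` (and on Apache 2.4.8 and later SSLCertificateChainFile is deprecated in favour of appending the intermediates to the SSLCertificateFile itself). In the port-80 block, `RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]` issues a 302 because `R` without a code means a temporary redirect; the commented-out `Redirect permanent` line shows the intent was 301, so write `[R=301,L]`. `RewriteCond %{REQUEST_URI} !^/.well-known.*` has an unescaped dot that matches any character (harmless here, but `!^/\.well-known/` is what it means). The corrected `SSLengine on` works because Apache directive names are case-insensitive, though the documented spelling is `SSLEngine`. The `<file yaml apache.conf>` tag also asks for YAML highlighting of an Apache config; dropping the language or using `apache` fits better.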
  
Line 124: Line 226:
 acme.sh --renew  -d  mail.csgalileo.org  --force --ecc acme.sh --renew  -d  mail.csgalileo.org  --force --ecc
 </code> </code>
 +
 +==== multi server ====
 +
 +i can confirm this works.
 +
 +<code>
 +location ~ /.well-known/acme-challenge/ {
 +proxy_pass http://ctrl.mydomain.com:80;
 +}
 +</code>
 +
 +using nginx i added this location to ALL server blocks.
 +
 +You then run lets encrypt on the machine ctrl.mydomain.com (this machine typically is the controller machine, and is not serving web stuff - its pure purpose from a web POV is to handle incoming cert requests - if you don't know what a controller machine is then read up on ansible)
 +
 +To make it work I had to use the webroot plugin for Let's Encrypt. I could not get standalone mode to work.
 +
 +my A records look like ..
 +
 +<code>
 +www01.mydomain.com1 points to 1.2.3.4
 +www02.mydomain.com points to 2.3.4.5
 +ctrl.mydomain.com points to 3.4.5.6
 +mydomain.com points to 1,2,3,4 and 2,3,4,5 (multiple A records)
 +www.mydomain.com is an alias (cname) for mydomain.com
 +</code>
 +
 +NGINX runs on www01 and www02 on port 80 to load balance requests (e.g. www01 load balances between www01 and www02, www02 ALSO load balances between www01 and www02)
 +
 +the above lets encrypt location block is added to NGINX running on both www01 and www02 for all NGINX server blocks
 +
 +now run lets encrypt in webroot mode (you will need to standup a web server on your controller machine) and request a single certificate for www01.mydomain.com1 www02.mydomain.com mydomain.com www.mydomain.com
 +
 +when you run this command on your controller machine (ctrl.mydomain.com) it will fireoff a request to each of the 4 domains in return. Every single request will be proxied back to ctrl.mydomain.com via NGINX
 +
 +bosh!
 +
 +2 tips
 +
 +1 - to use webroot mode you will need to have a basic web server running on ctrl.domain.com which can serve content from a specified directory
 +
 +2 - do not use standalone mode, i could not get it to work
 +
 +3 - this solution sits very nicely if you are using ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command
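Review bot: the proxied challenge location, `location ~ /.well-known/acme-challenge/ { proxy_pass http://ctrl.mydomain.com:80; }`, makes the controller the single place that can answer http-01 for every name the fleet serves: whoever can write into the controller's webroot, or answer on its port 80, can obtain certificates for all of those domains, so that webroot and host need the same protection as the private keys that, per tip 3, will be copied from it to every slave (restrictive file modes on the copied keys and a reload hook on each slave belong in that single ansible command). The location is a regex match with unescaped dots, so `~ ^/\.well-known/acme-challenge/` is the precise form, and because proxy_pass is given a hostname the upstream receives `Host: ctrl.mydomain.com`, which means the basic web server stood up on the controller (tip 1) must serve the webroot from its default vhost rather than from per-domain vhosts. The A-record list has typos a reader copying it would trip on: `www01.mydomain.com1` (repeated in the paragraph about requesting the single certificate) and `1,2,3,4 and 2,3,4,5` with commas where the dots of the other addresses are. The list is announced as "2 tips" but contains three.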
  • tips/ssl.1478804834.txt.gz
  • Last modified: 2016/11/10 20:07
  • by scipio