Differences

This shows you the differences between two versions of the page.

tips:ssl [2017/04/03 11:55] – [certificate integration for apache] scipio
tips:ssl [2022/06/22 07:15] (current) – [letsencrypt staging] sscipioni
Line 5: Line 5:
 [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open. [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open.
  
 +===== letsencrypt staging =====
 +
 +get ca certificate and use with curl
 +<code | download>
 +API_HOST=sso.csgalileo.org
 +echo quit | openssl s_client -showcerts -servername "$API_HOST" -connect "$API_HOST":443 > cacert.pem
 +curl --cacert cacert.pem https://sso.csgalileo.org/
 +</code>
 +
 +in browser import this [[https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem|CA]]
 +===== certbot ======
 +
 +<code>
 +snap install --classic certbot
 +
 +# or for focal pre
 +add-apt-repository ppa:certbot/certbot
 +apt-get update
 +apt-get install -y certbot python-certbot-nginx
 +</code>
 +
 +<code>
 +certbot certonly --webroot -w /var/www/html -d mail.veronamobile.it
 +</code>
 +
 +wildcard
 +<code>
 +certbot certonly \
 + --manual \
 + --preferred-challenges=dns \
 + --email stefano.scipioni@csgalileo.org \
 + --server https://acme-v02.api.letsencrypt.org/directory \
 + --agree-tos -d *.iotaiuto.it
 +</code>
 +==== nginx ====
 +
 +<file>
 +server {
 +  listen 80;
 +  server_name nextcloud.csgalileo.org;
 +  server_tokens off;
 +
 +  location /.well-known/acme-challenge {
 +    root /var/www;
 +    allow all;
 +  }
 +
 +  location / {
 +    return 301 https://$server_name$request_uri;
 +  }
 +}
 +
 +
 +
 +server {
 +    listen 443;
 +    server_name nnextcloud.csgalileo.org;
 +    
 +    ssl_certificate /etc/letsencrypt/live/nextcloud.csgalileo.org/fullchain.pem;
 +    ssl_certificate_key /etc/letsencrypt/live/nextcloud.csgalileo.org/privkey.pem;
 +  
 +}
 +</file>
 +
 +renew
 +<code>
 +certbot renew [--dry-run]
 +</code>
 +
 +automatic renew
 +<code>
 +systemctl status certbot.service
 +</code>
 +
 +/etc/letsencrypt/cli.ini
 +<code>
 +max-log-backups = 0
 +deploy-hook = systemctl reload nginx
 +</code>
 ===== acme.sh integration for letsencrypt ===== ===== acme.sh integration for letsencrypt =====
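Review bot: the HTTPS server block in the nginx snippet will not actually speak TLS: `listen 443;` needs to be `listen 443 ssl;` for the `ssl_certificate` and `ssl_certificate_key` directives to take effect, and `server_name nnextcloud.csgalileo.org;` has a doubled `n` that will not match the host the certificate was issued for (`nextcloud.csgalileo.org`). Two smaller points in the same hunk: the challenge location uses `root /var/www;` while the certbot example passes `-w /var/www/html`, so the two webroots should be made consistent or the validator will get 404s on the token; and the `letsencrypt staging` block builds `cacert.pem` from whatever chain the server itself presents via `openssl s_client -showcerts`, which is trust-on-first-use rather than verification, so the staging CA linked on the following line (fetched from letsencrypt.org) is the better thing to hand to `curl --cacert`.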
  
Line 94: Line 173:
     RewriteCond %{REQUEST_URI} !^/.well-known.*     RewriteCond %{REQUEST_URI} !^/.well-known.*
     RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]     RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]
-    Redirect permanent / https://projects.csgalileo.org/+    Redirect permanent / https://projects.csgalileo.org/
 </VirtualHost> </VirtualHost>
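Review bot: the `Redirect permanent / https://projects.csgalileo.org/` line is removed and re-added with no visible difference, so this is presumably a whitespace-only change, but it is worth deciding whether the directive should survive at all: the `RewriteCond %{REQUEST_URI} !^/.well-known.*` above deliberately exempts ACME HTTP-01 requests from the redirect, while a blanket mod_alias `Redirect permanent /` applies to every path including `/.well-known/`, so the exemption only holds if the HTTPS vhost it points at also serves the challenge directory. Keeping just the RewriteCond/RewriteRule pair avoids the contradiction.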
  
Line 147: Line 226:
 acme.sh --renew  -d  mail.csgalileo.org  --force --ecc acme.sh --renew  -d  mail.csgalileo.org  --force --ecc
 </code> </code>
 +
 +==== multi server ====
 +
 +i can confirm this works.
 +
 +<code>
 +location ~ /.well-known/acme-challenge/ {
 +proxy_pass http://ctrl.mydomain.com:80;
 +}
 +</code>
 +
 +using nginx i added this location to ALL server blocks.
 +
 +You then run lets encrypt on the machine ctrl.mydomain.com (this machine typically is the controller machine, and is not serving web stuff - its pure purpose from a web POV is to handle incoming cert requests - if you don't know what a controller machine is then read up on ansible)
 +
 +To make it work I had to use the webroot plugin for Let's Encrypt. I could not get standalone mode to work.
 +
 +my A records look like ..
 +
 +<code>
 +www01.mydomain.com1 points to 1.2.3.4
 +www02.mydomain.com points to 2.3.4.5
 +ctrl.mydomain.com points to 3.4.5.6
 +mydomain.com points to 1,2,3,4 and 2,3,4,5 (multiple A records)
 +www.mydomain.com is an alias (cname) for mydomain.com
 +</code>
 +
 +NGINX runs on www01 and www02 on port 80 to load balance requests (e.g. www01 load balances between www01 and www02, www02 ALSO load balances between www01 and www02)
 +
 +the above lets encrypt location block is added to NGINX running on both www01 and www02 for all NGINX server blocks
 +
 +now run lets encrypt in webroot mode (you will need to standup a web server on your controller machine) and request a single certificate for www01.mydomain.com1 www02.mydomain.com mydomain.com www.mydomain.com
 +
 +when you run this command on your controller machine (ctrl.mydomain.com) it will fireoff a request to each of the 4 domains in return. Every single request will be proxied back to ctrl.mydomain.com via NGINX
 +
 +bosh!
 +
 +2 tips
 +
 +1 - to use webroot mode you will need to have a basic web server running on ctrl.domain.com which can serve content from a specified directory
 +
 +2 - do not use standalone mode, i could not get it to work
 +
 +3 - this solution sits very nicely if you are using ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command
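Review bot: the proxy location should be anchored, `location ~ ^/.well-known/acme-challenge/ { ... }`, since an unanchored regex also matches that string anywhere later in a URI, and the text should say that the web server on ctrl.mydomain.com is expected to expose only the challenge directory, because every edge host now forwards that path to the controller without any authentication. Two small corrections to the prose in this hunk: the A record list and the domain list for the certificate request both write `www01.mydomain.com1` where `www01.mydomain.com` is meant, and the `2 tips` list has three items. Since the closing tip has the certificates and private keys copied from the controller to every web host, a sentence on restricting ownership and permissions of the copied `privkey.pem` would round the section off.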
  • tips/ssl.1491213308.txt.gz
  • Last modified: 2017/04/03 11:55
  • by scipio