Galileo Labs

User Tools

Site Tools

You are here: start » tips » ssl
tips:ssl

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
tips:ssl [2017/04/19 14:31] scipiotips:ssl [2025/11/21 09:11] (current) sscipioni
Line 5: Line 5:
 [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open. [[https://letsencrypt.org/|letsencrypt certification authority]] is free, automated and open.
  
 +===== letsencrypt staging =====
 +
 +get ca certificate and use with curl
 +<code | download>
 +API_HOST=sso.csgalileo.org
 +echo quit | openssl s_client -showcerts -servername "$API_HOST" -connect "$API_HOST":443 > cacert.pem
 +curl --cacert cacert.pem https://sso.csgalileo.org/
 +</code>
 +
 +in browser import this [[https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem|CA]]
 +===== certbot ======
 +
 +<code>
 +snap install --classic certbot
 +
 +# or for focal pre
 +add-apt-repository ppa:certbot/certbot
 +apt-get update
 +apt-get install -y certbot python-certbot-nginx
 +</code>
 +
 +<code>
 +certbot certonly --webroot -w /var/www/html -d mail.veronamobile.it
 +</code>
 +
 +wildcard
 +<code>
 +certbot certonly \
 + --manual \
 + --preferred-challenges=dns \
 + --email stefano.scipioni@csgalileo.org \
 + --server https://acme-v02.api.letsencrypt.org/directory \
 + --agree-tos -d *.iotaiuto.it
 +</code>
 +==== nginx ====
 +
 +<file>
 +server {
 +  listen 80;
 +  server_name nextcloud.csgalileo.org;
 +  server_tokens off;
 +
 +  location /.well-known/acme-challenge {
 +    root /var/www;
 +    allow all;
 +  }
 +
 +  location / {
 +    return 301 https://$server_name$request_uri;
 +  }
 +}
 +
 +
 +
 +server {
 +    listen 443;
 +    server_name nnextcloud.csgalileo.org;
 +    
 +    ssl_certificate /etc/letsencrypt/live/nextcloud.csgalileo.org/fullchain.pem;
 +    ssl_certificate_key /etc/letsencrypt/live/nextcloud.csgalileo.org/privkey.pem;
 +  
 +}
 +</file>
 +
 +renew
 +<code>
 +certbot renew [--dry-run]
 +</code>
 +
 +automatic renew
 +<code>
 +systemctl status certbot.service
 +</code>
 +
 +/etc/letsencrypt/cli.ini
 +<code>
 +max-log-backups = 0
 +deploy-hook = systemctl reload nginx
 +</code>
 ===== acme.sh integration for letsencrypt ===== ===== acme.sh integration for letsencrypt =====
  
Line 94: Line 173:
     RewriteCond %{REQUEST_URI} !^/.well-known.*     RewriteCond %{REQUEST_URI} !^/.well-known.*
     RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]     RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]
-    Redirect permanent / https://projects.csgalileo.org/+    Redirect permanent / https://projects.csgalileo.org/
 </VirtualHost> </VirtualHost>
  
Line 191: Line 270:
  
 3 - this solution sits very nicely if you are using ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command 3 - this solution sits very nicely if you are using ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command
 +
 +
 +
 +{{ :tips:isrgrootx1.txt |}}
tips/ssl.1492605110.txt.gz · Last modified: by scipio

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki