ginx Server (main certificate host)

Current method: DNS-01 challenge with wildcard domain

look at:    https://github.com/Neilpang/acme.sh#1-how-to-install     AND    https://github.com/Neilpang/acme.sh/wiki/dnsapi

---BEGIN--------First time only: ------------

export FREEDNS_User="..."
export FREEDNS_Password="..."

# Get certificates

  acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'

[Fri Apr 5 19:11:55 PDT 2019] Registering account
[Fri Apr 5 19:11:56 PDT 2019] Registered
[Fri Apr 5 19:11:57 PDT 2019] ACCOUNT_THUMBPRINT='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Fri Apr 5 19:11:57 PDT 2019] Creating domain key
[Fri Apr 5 19:11:57 PDT 2019] The domain key is here: /home/user/.acme.sh/politick.ca/politick.ca.key
[Fri Apr 5 19:11:57 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:11:57 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:11:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Domain politick.ca not found at FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Retry loading subdomain page (1 attempts remaining)
[Fri Apr 5 19:12:05 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS

---END--------First time only: ------------

---BEGIN--------Certificate renewal ------------

Make sure that you have 2 free entries in http://freedns.afraid.org/subdomain/

As this script will create 2 TXT entries temporarily.  The free version is a maximum of 25 entries.  Also make sure that your server IP is in ACL that is allowed to modify the freedns entries : http://freedns.afraid.org/profile/?action=acl

login as regular user, no need to be root to renew certificates.

user@machine~$ cd .acme.sh

user@machine~$ ./acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:56 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Let's check each dns records now. Sleep 20 seconds first.
[Fri Apr 5 19:13:23 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] All success, let's return
[Fri Apr 5 19:13:24 PDT 2019] Verifying: politick.ca
[Fri Apr 5 19:13:27 PDT 2019] Success
[Fri Apr 5 19:13:27 PDT 2019] Verifying: *.politick.ca
[Fri Apr 5 19:13:30 PDT 2019] Success
[Fri Apr 5 19:13:30 PDT 2019] Removing DNS records.
[Fri Apr 5 19:13:30 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Verify finished, start to sign.
[Fri Apr 5 19:13:35 PDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/11111111/111111111111
[Fri Apr 5 19:13:37 PDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/000000000000000000000000000000
[Fri Apr 5 19:13:37 PDT 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFXTCCBEWgAwIBAgISBK7H5uhW+Ck5bBhrSy ......

Reload Nginx configs

The nginx configs have been modified to read the certificates from the /home/user/.acme.sh/... location

/usr/sbin/service nginx reload

---END--------Certificate renewal ------------

Old method:  certbot v0.31.0  (says deprecated but still works for now)

SSL configuration for Nginx

• I've created 2 configuration snipets :   ssl-params.conf  &&  ssl-politick.ca.conf.  So I could use different certificates for different virtual servers
• Configured as described here: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
• SSL tested with https://www.wormly.com/tools   Wormly tools

Example of one site config

# Normal HTTP(80) request that redirects (301) to HTTPS (443)

server {
 listen 80 default_server;
 listen [::]:80 default_server;
 server_name politick.ca www.politick.ca;
 include /etc/nginx/snippets/letsencryptauth.conf;
 return 301 https://$server_name$request_uri;
 }

# HTTPS (443) server that re-directs to the internal server called jira.politick.ca on port 9443

server {
 listen 443 ssl http2 default_server;
 listen [::]:443 ssl http2 default_server;
 include snippets/ssl-politick.ca.conf;
 include snippets/ssl-params.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
 index index.html index.htm index.nginx-debian.html;

server_name politick.ca www.politick.ca;

location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to displaying a 404.
 proxy_pass https://jira.politick.ca:9443/;
 # try_files $uri $uri/ =404;
 }

After a change in configuration, test it, if successful, then reload: 

• service nginx configtest 

• service nginx restart

Certification propagation

Import into Keepass, with root privilege:

cd  /etc/letsencrypt/live/politick.ca-0001

vi fullchain.pem      <cut and paste text>

vi privkey.pem        <cut and paste text>

Don't bother as it's running on the nginx server, so we'll just use the redirect directive and use the certificate used by nginx and both names resolve to unifi.politick.ca

1. logon
2. DONE only ONCE during initial setup until 2035:
   Go to CA tab and place LetsEncrypt certificate (https://letsencrypt.org/certs/isrgrootx1.pem.txt) there.  Should be required only once as this certificate will expire in 2035...   You only need the Certificate part, you DON'T have the key part of course...  I've put 2 in the serial number as 20180101 was cut into 3 numbers.
   
3. Go to the Certificate tab Right next to the CAs tab and press ImportCertificate.  Name this new certificate (Ex: YYYMMLetsEncrypt) in the Identification (for the next step), then Cut and paste your Full chain in the Certificacte and the Private key in the Private section.  Leave passphrase empty. (I've not explored if this password protects your private key...it should as I don't like that I  can just view the private key here)
4. Go to the General tab & select your new certificate Identifier name and hit the save button.
   
   
5. Voila !

1. logon
2. Goto System→Certificates
3. Select radio button called "Certificate & Key Text" (for simple Cut & paste operation)
   Certificate is cert_.pem   (Essentially the first part of the FullChain)
   Key is privkey.pem
   Chain is fullchain.pem
   CA is located here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
4. Press the Import button
   
5. shutdown -r now

1. ssh to mail.politick.ca
2. vi  /etc/ssl/certs/mail.politick.ca.pem
3. Paste new full chain
4. vi  /etc/ssl/private/mail.politick.ca.key
5. Paste private key

Reboot the server.

May want to:

• apt-get update
• apt-get upgrade
• apt autoremove
• shutdown -r now

DON''t BOTHER → Use PlexPass certificate instead and does not read our own ...

1. http://nas.politick.ca
2. View Jails, Select PlexPass
3. Open shell, set to 132x50
4. cd /etc/ssl/
5. Update private.pem (Yeah, the key) ,cert.pem (Top part of FullChain) and chain.pem  (bottom part of FullChain)
6. openssl pkcs12 -export -out ./certificate.pfx -inkey ./private.pem -in ./cert.pem -certfile chain.pem
7. Set password to (your generic level 1 security password)
8. restart jail
9. cd PlexMediaServer-....
10. ./start.sh &
11. exit
    
    
    

For FIRST Time setup consult Here.

Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files. It's all the Let's Encrypt files archived, and bundled into one file.

Create the PCKS #12 file:

1. Run the package command:

     sudo openssl pkcs12 -export -out ~/certificate.pfx \
       -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
       -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
       -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem

2. You'll first be prompted for your sudo password.

   Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.

3. Hand it over to plex.

   sudo mv ~/certificate.pfx /var/lib/plexmediaserver
   sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx

Have Plex use your PFX file

1. Visit the Plex UI on your server: http://myhostname.no-ip.org:32400

2. Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).

   Click "SHOW ADVANCED" to see the necessary fields.

3. Enter the following values:

   • Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
   • Custom certificate encryption key: The password you entered on step 2 of last section
   • Custom certificate domain: https://myhostname.no-ip.org:32400

4. Save your changes.

That's it. You don't even have to restart plex!

You can check the Plex\ Media\ Server.log file in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs if you want to verify whether there were any errors.

Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.

1. SSH to ZoneMinder

2. The web server is Apache2 and I've configured it to read:
   SSLCertificateFile    /etc/ssl/MyCerts/politick.ca.pem
   SSLCertificateKeyFile /etc/ssl/private/politick.key

   
   

3. vi /etc/ssl/MyCerts/politick.ca.pem

   , then  "Cut&Paste" the new FullChain into it.

4. vi /etc/ssl/private/politick.key

   then "Cut&Paste" the new PrivateKey into it.

5. /etc/init.d/apache2 reload

cd /etc/apache2/mods-enabled/

ln -s ../mods-available/ssl.conf   ssl.conf

ln -s ../mods-available/ssl.load   ssl.load

ln -s ../mods-available/socache_shmcb.load socache_shmcb.load

cd /etc/apache2/sites-enabled/

ln -s ../sites-available/default-ssl.conf default-ssl.conf 

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

Listen 443

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300

<IfModule mod_ssl.c>
 <VirtualHost *:443>
 ServerAdmin me@politick.ca
 ServerName nvr.politick.ca
 DocumentRoot /var/www/html

  ErrorLog ${APACHE_LOG_DIR}/error.log

 CustomLog ${APACHE_LOG_DIR}/access.log combined

 SSLEngine on

 SSLCertificateFile    /etc/ssl/MyCerts/politick.ca.pem

 SSLCertificateKeyFile /etc/ssl/private/politick.key

<SNIP...>

in file /ect/apache2/sites-available/ 000-default.conf

     ServerName nvr.politick.ca
     RedirectMatch  ^/$ https://nvr.politick.ca/zm
        ServerAdmin martin@politick.ca
        DocumentRoot /var/www/html

1. Go to the VM and Suspend them all !!!!  Yeah → Very INCONVENIENT !  This is required to then be able to set the server in maintenance mode.
   
   
2. Place Esxi server in Maintenance mode
   
   
3. Start SSH service in the Host->Manage→Services web interface.
   
4. Log in to the host via SSH and then "cd /etc/vmware/ssl".
5. Move the 2 rui certificate files to a backup name, such as rui.crt.Old. Note they will be deleted at reboot.  If you're superstitious, mv them to /vmfs/volumes/ ...
   
6. Type vi rui.crt to "Cut&Paste" the new FullChain into it.
7. vi rui.key to "Cut&Paste" the new PrivateKey into it.
8. Note: There should not be any erroneous ^M characters at the end of each line.
9. Reboot the eSXI server ()
10. Exit the host from Maintenance Mode
11. Make sure all VMs are re-started.
    
    

1. SSH to cloud.politick.ca
2. vi  /etc/ssl/certs/politick.ca.pem
3. Cut & Paste full chaing and save file
4. vi /etc/ssl/private/politick.ca.key
5. service apache2 reload

OBSOLETE, while it was running in NAS Jail

1. Logon to FreeNAS
2. goto : Jails → ViewJails → Start OwnCloud Shell
3. cd /usr/pbi/owncloud-amd64/etc/apache24/
4. vi politick.ca.key     "Cut&Paste" the new PrivateKey into it.
5. vi politick.ca.cert       "Cut&Paste" the new FullChain into it.  (will likely need 2 cut&p dues to buffer limitation in paste of jail shell)
6. cp politick.ca.crt  politick.ca.pem
7. service apache24 reload

HOW TO Configure Once only

cd /usr/pbi/owncloud-amd64/etc/apache24/

verify that http.conf contains:

• LoadModule ssl_module modules/mod_ssl.so

Add to http.conf:

Listen 443
<VirtualHost *:443>
 ServerName cloud.politick.ca
 SSLEngine on
 SSLCertificateFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.cert"
 SSLCertificateKeyFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.key"
</VirtualHost>

ServerName cloud.politick.ca:443

ServerName cloud.politick.ca:80

/usr/pbi/owncloud-amd64/etc/rc.d/apache24 reload

I now need to update the certificate so my Guest network login can use SSL 

1. Login
2. sudo su
3.  gen-unifi-cert.sh -d politick.ca-0001       Run: InstallSSLToUnifi.sh

Source of gen-unifi-cert

The OBSOLETE script is:

openssl pkcs12 -export -passout pass:aircontrolenterprise\
 -in /etc/letsencrypt/live/politick.ca-0001/cert.pem \
 -inkey /etc/letsencrypt/live/politick.ca-0001/privkey.pem \
 -out /home/politick/cert.p12 -name unifi \
 -CAfile /etc/letsencrypt/live/politick.ca-0001/fullchain.pem -caname root

echo Hit ENTER to Stop Unifi service
read a

service unifi stop

keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
 -deststorepass aircontrolenterprise

keytool -trustcacerts -importkeystore \
 -deststorepass aircontrolenterprise \
 -destkeypass aircontrolenterprise \
 -destkeystore /usr/lib/unifi/data/keystore \
 -srckeystore /home/politick/cert.p12 -srcstoretype PKCS12 \
 -srcstorepass aircontrolenterprise \
 -alias unifi

java -jar /usr/lib/unifi/lib/ace.jar import_cert \
 /etc/letsencrypt/live/politick.ca-0001/cert.pem \
 /etc/letsencrypt/live/politick.ca-0001/chain.pem \
 /home/politick/cert.p12

echo Hit ENTER to restart Unifi service
read a

service unifi start

1. /etc/init.d/jira   stop

2. /etc/init.d/confluence1  stop

3. cd /opt/ssl/
4. vi PrivPubCa.pem and cut & Paste the Private key, then the full chain certificates.  Save the file.

5. openssl pkcs12 -export -out PrivPubCa.pkcs12 -in PrivPubCa.pem    (For the password, look into KeePass database under jira.politick.ca or look into /opt/atlassian/jira/conf/server.xml)

6. keytool -v -importkeystore -srckeystore PrivPubCa.pkcs12 -srcstoretype PKCS12 -destkeystore .keystore -deststoretype JKS

7. shutdown -r now

Look into KeePass database to retrieve destination .keystore password.  (Yes it's one of them random cut&paste long passwords)

Or it's also in plain text in the file: /opt/atlassian/jira/conf/server.xml

-----------------------------------------------------------------------------

First time Keystore install:

Uncommnet section 8443 for SSL in file: /opt/atlassian/jira/conf/server.xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxHttpHeaderSize="8192" SSLEnabled="true"
 maxThreads="150" minSpareThreads="25"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
 keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"

/>

/opt/atlassian/confluence/conf/server.xml

<Connector port="9443" maxHttpHeaderSize="8192"
 maxThreads="150" minSpareThreads="25"
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
 URIEncoding="UTF-8" keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"/>

from Oracle here.

Copied below just in case:

1. Convert the certificate from PEM to PKCS12, using the following command:

   openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem

   You may ignore the warning message this command issues.
2. Enter and repeat the export password.
3. Create and then delete an empty truststore using the following commands:

   keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
   keytool -delete -alias endeca -keystore truststore.ks

   The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: 
   What is the name of your organizational unit?
     [Unknown]:  
   What is the name of your organization?
     [Unknown]:  
   What is the name of your City or Locality?
     [Unknown]: 
   What is the name of your State or Province?
     [Unknown]: 
   What is the two-letter country code for this unit?
     [Unknown]: 
   Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
     [no]: yes
   
   Enter key password for <endeca>
           (RETURN if same as keystore password):
   Re-enter new password:

4. Import the CA into the truststore, using the following command:

   keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks

5. Enter the keystore password).
6. At the prompt, "Trust this certificate?" type yes.
7. Create an empty Java KeyStore, using the following commands:

   keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
   keytool -delete -alias endeca -keystore keystore.ks

   The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: 
   What is the name of your organizational unit?
     [Unknown]:  
   What is the name of your organization?
     [Unknown]:  
   What is the name of your City or Locality?
     [Unknown]: 
   What is the name of your State or Province?
     [Unknown]: 
   What is the two-letter country code for this unit?
     [Unknown]: 
   Is CN="Unknown", OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
     [no]: yes
   

8. Import your private key into the empty JKS, using the following command:

   keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS

1. logon
2. Goto iRMC S3 → Certificate Upload
3. Cut & paste the FullChain into the textbox, 
4. PROBLEM for private key  ???
5. Press the upload button