
Nginx Server (main certificate host)

Current method: DNS-01 challenge with wildcard domain

See https://github.com/Neilpang/acme.sh#1-how-to-install and https://github.com/Neilpang/acme.sh/wiki/dnsapi

---BEGIN--------First time only: ------------

export FREEDNS_User="..."
export FREEDNS_Password="..."
# Get certificates
  acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'

[Fri Apr 5 19:11:55 PDT 2019] Registering account
[Fri Apr 5 19:11:56 PDT 2019] Registered
[Fri Apr 5 19:11:57 PDT 2019] ACCOUNT_THUMBPRINT='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Fri Apr 5 19:11:57 PDT 2019] Creating domain key
[Fri Apr 5 19:11:57 PDT 2019] The domain key is here: /home/user/.acme.sh/politick.ca/politick.ca.key
[Fri Apr 5 19:11:57 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:11:57 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:11:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Domain politick.ca not found at FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Retry loading subdomain page (1 attempts remaining)
[Fri Apr 5 19:12:05 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS

---END--------First time only: ------------


---BEGIN--------Certificate renewal ------------

This script temporarily creates 2 TXT entries, so make sure that you have 2 free entries in http://freedns.afraid.org/subdomain/ (the free version allows a maximum of 25 entries).

Also make sure that your server IP is in the ACL that is allowed to modify the FreeDNS entries: http://freedns.afraid.org/profile/?action=acl

Log in as a regular user; there is no need to be root to renew certificates.

user@machine~$ cd .acme.sh
user@machine~$ ./acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:56 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Let's check each dns records now. Sleep 20 seconds first.
[Fri Apr 5 19:13:23 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] All success, let's return
[Fri Apr 5 19:13:24 PDT 2019] Verifying: politick.ca
[Fri Apr 5 19:13:27 PDT 2019] Success
[Fri Apr 5 19:13:27 PDT 2019] Verifying: *.politick.ca
[Fri Apr 5 19:13:30 PDT 2019] Success
[Fri Apr 5 19:13:30 PDT 2019] Removing DNS records.
[Fri Apr 5 19:13:30 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Verify finished, start to sign.
[Fri Apr 5 19:13:35 PDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/11111111/111111111111
[Fri Apr 5 19:13:37 PDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/000000000000000000000000000000
[Fri Apr 5 19:13:37 PDT 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFXTCCBEWgAwIBAgISBK7H5uhW+Ck5bBhrSy ......



Reload Nginx configs

The nginx configs have been modified to read the certificates from the /home/user/.acme.sh/... location

/usr/sbin/service nginx reload


---END--------Certificate renewal ------------


Old method:  certbot v0.31.0  (says deprecated but still works for now)

Renew Let's Encrypt using certbot

./certbot-auto --nginx  --preferred-challenges tls-sni-01 --agree-tos -w /var/www/html --expand -d politick.ca,www.politick.ca,cloud.politick.ca,esxi.politick.ca,esxi2.politick.ca,jira.politick.ca,plex.politick.ca,unifi.politick.ca,nas.politick.ca,pbx.politick.ca,mail.politick.ca,nvr.politick.ca,irmc.politick.ca


SSL configuration for Nginx

/etc/nginx/ssl-params.conf

# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients still need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

/etc/nginx/snippets/ssl-politick.ca.conf

ssl on;
ssl_certificate /etc/letsencrypt/live/politick.ca-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/politick.ca-0001/privkey.pem;


Example of one site config

/etc/nginx/sites-available

# Normal HTTP(80) request that redirects (301) to HTTPS (443)
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name politick.ca www.politick.ca;
include /etc/nginx/snippets/letsencryptauth.conf;
return 301 https://$server_name$request_uri;
}

# HTTPS (443) server that re-directs to the internal server called jira.politick.ca on port 9443
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-politick.ca.conf;
include snippets/ssl-params.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name politick.ca www.politick.ca;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass https://jira.politick.ca:9443/;
# try_files $uri $uri/ =404;
}
}


After a change in configuration, test it and, if the test is successful, reload:

  • service nginx configtest 
  • service nginx restart




Certificate propagation

Import into Keepass, with root privilege:

cd  /etc/letsencrypt/live/politick.ca-0001
vi fullchain.pem      <cut and paste text>
vi privkey.pem        <cut and paste text>

Unifi → Very Easy

Don't bother: it's running on the nginx server, so we'll just use the redirect directive and the certificate used by nginx, and both names resolve to unifi.politick.ca

FreeNAS → Easy


  1. logon
  2. DONE only ONCE during initial setup until 2035:
    Go to CA tab and place LetsEncrypt certificate (https://letsencrypt.org/certs/isrgrootx1.pem.txt) there.  Should be required only once as this certificate will expire in 2035...   You only need the Certificate part, you DON'T have the key part of course...  I've put 2 in the serial number as 20180101 was cut into 3 numbers.
  3. Go to the Certificate tab right next to the CAs tab and press ImportCertificate.  Name this new certificate (Ex: YYYMMLetsEncrypt) in the Identification field (for the next step), then cut and paste your full chain in the Certificate section and the private key in the Private section.  Leave passphrase empty. (I've not explored if this password protects your private key... it should, as I don't like that I can just view the private key here)
  4. Go to the General tab & select your new certificate Identifier name and hit the save button.

  5. Voila !

SipXcom  → Easy

  1. logon
  2. Go to System→Certificates
  3. Select radio button called "Certificate & Key Text" (for simple Cut & paste operation)
    Certificate is cert_.pem   (Essentially the first part of the FullChain)
    Key is privkey.pem
    Chain is fullchain.pem
    CA is located here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
  4. Press the Import button
  5. shutdown -r now


mail server → Easy

  1. ssh to mail.politick.ca
  2. vi  /etc/ssl/certs/mail.politick.ca.pem
  3. Paste new full chain
  4. vi  /etc/ssl/private/mail.politick.ca.key
  5. Paste private key

Reboot the server.

May want to:

  • apt-get update
  • apt-get upgrade
  • apt autoremove
  • shutdown -r now



Plex in NAS→ OK

DON'T BOTHER → Use PlexPass certificate instead and does not read our own ...

  1. http://nas.politick.ca
  2. View Jails, Select PlexPass
  3. Open shell, set to 132x50
  4. cd /etc/ssl/
  5. Update private.pem (Yeah, the key) ,cert.pem (Top part of FullChain) and chain.pem  (bottom part of FullChain)
  6. openssl pkcs12 -export -out ./certificate.pfx -inkey ./private.pem -in ./cert.pem -certfile chain.pem
  7. Set password to (your generic level 1 security password)
  8. restart jail
  9. cd PlexMediaServer-....
  10. ./start.sh &
  11. exit


For FIRST Time setup consult Here.

Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files. It's all the Let's Encrypt files archived, and bundled into one file.

Create the PKCS #12 file:

  1. Run the package command:

      sudo openssl pkcs12 -export -out ~/certificate.pfx \
        -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
        -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
        -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem
  2. You'll first be prompted for your sudo password.

    Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.

  3. Hand it over to plex.

    sudo mv ~/certificate.pfx /var/lib/plexmediaserver
    sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx

Have Plex use your PFX file

  1. Visit the Plex UI on your server: http://myhostname.no-ip.org:32400

  2. Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).

    Click "SHOW ADVANCED" to see the necessary fields.

  3. Enter the following values:

    • Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
    • Custom certificate encryption key: The password you entered on step 2 of last section
    • Custom certificate domain: https://myhostname.no-ip.org:32400
  4. Save your changes.

That's it. You don't even have to restart plex!

You can check the Plex\ Media\ Server.log file in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs if you want to verify whether there were any errors.

Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.

ZoneMinder (Apache2)→ OK

  1. SSH to ZoneMinder
  2. The web server is Apache2 and I've configured it to read:
    SSLCertificateFile /etc/ssl/MyCerts/politick.ca.pem
    SSLCertificateKeyFile /etc/ssl/private/politick.key

  3. vi /etc/ssl/MyCerts/politick.ca.pem
    , then  "Cut&Paste" the new FullChain into it.
  4. vi /etc/ssl/private/politick.key
    then "Cut&Paste" the new PrivateKey into it.
  5. /etc/init.d/apache2 reload


Done once for Apache on ZoneMinder on Ubuntu server 16.04 to enable SSL on server



Enable SSL on Apache2

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.conf   ssl.conf
ln -s ../mods-available/ssl.load   ssl.load
ln -s ../mods-available/socache_shmcb.load socache_shmcb.load
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf default-ssl.conf 

Edit default-ssl.conf

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me@politick.ca
ServerName nvr.politick.ca
DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 SSLEngine on
 SSLCertificateFile    /etc/ssl/MyCerts/politick.ca.pem
 SSLCertificateKeyFile /etc/ssl/private/politick.key

<SNIP...>


In file /etc/apache2/sites-available/000-default.conf

     ServerName nvr.politick.ca
     RedirectMatch  ^/$ https://nvr.politick.ca/zm
        ServerAdmin martin@politick.ca
        DocumentRoot /var/www/html




ESXI → OK, but F#*$& INCONVENIENT !

  1. Go to the VM and Suspend them all !!!!  Yeah → Very INCONVENIENT !  This is required to then be able to set the server in maintenance mode.

  2. Place Esxi server in Maintenance mode

  3. Start SSH service in the Host->Manage→Services web interface.
  4. Log in to the host via SSH and then "cd /etc/vmware/ssl".
  5. Move the 2 rui certificate files to a backup name, such as rui.crt.Old. Note they will be deleted at reboot.  If you're superstitious, mv them to /vmfs/volumes/ ...
  6. Type vi rui.crt to "Cut&Paste" the new FullChain into it.
  7. vi rui.key to "Cut&Paste" the new PrivateKey into it.
  8. Note: There should not be any erroneous ^M characters at the end of each line.
  9. Reboot the ESXi server
  10. Exit the host from Maintenance Mode
  11. Make sure all VMs are re-started.
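
Added example (not part of the original notes): a shell helper for the hand-pasted PEM files used in the SipXcom, Plex and ESXi steps above. It flags ^M characters and truncated pastes, splits fullchain.pem into its top part (cert.pem) and bottom part (chain.pem), and checks that a private key belongs to a certificate. The function names and the sample data are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the original page. File names follow the page.

# pem_lint FILE: report problems in a hand-pasted PEM file; returns 0 if clean.
pem_lint() {
    rc=0
    # ^M line endings carried over from the clipboard (ESXi step 8).
    if grep -q "$(printf '\r')" "$1"; then
        echo "$1: contains CR (^M) characters"; rc=1
    fi
    # A paste cut short by the terminal buffer leaves a BEGIN without its END.
    b=$(tr -d '\r' < "$1" | grep -c '^-----BEGIN [A-Z ]*-----$' || true)
    e=$(tr -d '\r' < "$1" | grep -c '^-----END [A-Z ]*-----$' || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
        echo "$1: $b BEGIN / $e END markers (empty or truncated paste)"; rc=1
    fi
    return "$rc"
}

# split_fullchain FULLCHAIN OUTDIR: first certificate -> OUTDIR/cert.pem,
# the rest -> OUTDIR/chain.pem. CR characters are dropped on the way.
split_fullchain() {
    : > "$2/cert.pem"; : > "$2/chain.pem"
    tr -d '\r' < "$1" | awk -v leaf="$2/cert.pem" -v rest="$2/chain.pem" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; inblk = 1 }
        inblk { print > (n == 1 ? leaf : rest) }
        /^-----END CERTIFICATE-----$/   { inblk = 0 }'
}

# key_matches_cert CERT KEY: 0 if KEY's public half is the certificate's
# public key, 1 if it is not, 2 if either file cannot be parsed.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# make_sample FILE: write a CONSTRUCTED two-block chain (dummy base64, not
# real certificates) so the text-level checks can be tried offline.
make_sample() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'TEVBRi1DT05TVFJVQ1RFRA==' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SVNTVUVSLUNPTlNUUlVDVEVE' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo on the constructed sample.
d=$(mktemp -d)
make_sample "$d/fullchain.pem"
pem_lint "$d/fullchain.pem" && split_fullchain "$d/fullchain.pem" "$d"
echo "cert.pem: $(grep -c BEGIN "$d/cert.pem") block(s);" \
     "chain.pem: $(grep -c BEGIN "$d/chain.pem") block(s)"
rm -rf "$d"
```

Run pem_lint on each file right after saving it in vi, and key_matches_cert on the certificate and key before reloading or rebooting the service.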

OwnCloud → OK Apache

  1. SSH to cloud.politick.ca
  2. vi  /etc/ssl/certs/politick.ca.pem
  3. Cut & Paste full chain and save file
  4. vi /etc/ssl/private/politick.ca.key
  5. service apache2 reload


OBSOLETE, while it was running in NAS Jail

OwnCloud → OK (+cut & paste pain because in jail).

  1. Logon to FreeNAS
  2. Go to: Jails → ViewJails → Start OwnCloud Shell
  3. cd /usr/pbi/owncloud-amd64/etc/apache24/
  4. vi politick.ca.key     "Cut&Paste" the new PrivateKey into it.
  5. vi politick.ca.cert       "Cut&Paste" the new FullChain into it.  (will likely need 2 cut & pastes due to buffer limitation in paste of jail shell)
  6. cp politick.ca.crt  politick.ca.pem
  7. service apache24 reload


HOW TO Configure Once only

cd /usr/pbi/owncloud-amd64/etc/apache24/

verify that http.conf contains:

Add to http.conf:

Listen 443
<VirtualHost *:443>
ServerName cloud.politick.ca
SSLEngine on
SSLCertificateFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.cert"
SSLCertificateKeyFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.key"
</VirtualHost>

ServerName cloud.politick.ca:443
ServerName cloud.politick.ca:80


/usr/pbi/owncloud-amd64/etc/rc.d/apache24 reload



Unifi → OK ( Java, but scripted)

I now need to update the certificate so my Guest network login can use SSL 

  1. Login
  2. sudo su
  3.  gen-unifi-cert.sh -d politick.ca-0001       Run: InstallSSLToUnifi.sh

Source of gen-unifi-cert

The OBSOLETE script is:

openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /etc/letsencrypt/live/politick.ca-0001/cert.pem \
-inkey /etc/letsencrypt/live/politick.ca-0001/privkey.pem \
-out /home/politick/cert.p12 -name unifi \
-CAfile /etc/letsencrypt/live/politick.ca-0001/fullchain.pem -caname root
echo Hit ENTER to Stop Unifi service
read a
service unifi stop

keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
-deststorepass aircontrolenterprise
keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /home/politick/cert.p12 -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi
java -jar /usr/lib/unifi/lib/ace.jar import_cert \
/etc/letsencrypt/live/politick.ca-0001/cert.pem \
/etc/letsencrypt/live/politick.ca-0001/chain.pem \
/home/politick/cert.p12

echo Hit ENTER to restart Unifi service
read a
service unifi start

JIRA → Finally Got it !

( F*%$ing Java)


  1. /etc/init.d/jira   stop
  2. /etc/init.d/confluence1  stop
  3. cd /opt/ssl/
  4. vi PrivPubCa.pem and cut & Paste the Private key, then the full chain certificates.  Save the file.
  5. openssl pkcs12 -export -out PrivPubCa.pkcs12 -in PrivPubCa.pem    (For the password, look into KeePass database under jira.politick.ca or look into /opt/atlassian/jira/conf/server.xml)
  6. keytool -v -importkeystore -srckeystore PrivPubCa.pkcs12 -srcstoretype PKCS12 -destkeystore .keystore -deststoretype JKS
  7. shutdown -r now

Look into KeePass database to retrieve destination .keystore password.  (Yes it's one of them random cut&paste long passwords)

Or it's also in plain text in the file: /opt/atlassian/jira/conf/server.xml


-----------------------------------------------------------------------------

First time Keystore install:

Uncomment section 8443 for SSL in file: /opt/atlassian/jira/conf/server.xml

server.xml Connector 8443

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"
/>

/opt/atlassian/confluence/conf/server.xml

server.xml Connector 9443

<Connector port="9443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"/>

Port 9443

I'm running confluence on port 9443, as JIRA is already running on 8443 and to be consistent with the change from 8 to 9 in 8080 → 8090; so 8443 → 9443 seems consistent.

443

I've tried to set up Confluence on normal https port 443 (Connector port="443"). But of course ports below 1024 need root permissions and, at the time, I didn't want to give some random program (tomcat) root rights as this is a likely security hole and didn't want to research it further... Port 9443, with my nginx redirection was good enough for me!


from Oracle here.

Copied below just in case:

To convert the PEM-format keys to Java KeyStores:

  1. Convert the certificate from PEM to PKCS12, using the following command:
    openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem
    You may ignore the warning message this command issues.
  2. Enter and repeat the export password.
  3. Create and then delete an empty truststore using the following commands:
    keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
    keytool -delete -alias endeca -keystore truststore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    
    Enter key password for <endeca>
            (RETURN if same as keystore password):
    Re-enter new password:
  4. Import the CA into the truststore, using the following command:
    keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks
  5. Enter the keystore password.
  6. At the prompt, "Trust this certificate?" type yes.
  7. Create an empty Java KeyStore, using the following commands:
    keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
    keytool -delete -alias endeca -keystore keystore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN="Unknown", OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    
  8. Import your private key into the empty JKS, using the following command:
    keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS





iRMC  → Easy ???? →NOT !!!!

  1. logon
  2. Goto iRMC S3 → Certificate Upload
  3. Cut & paste the FullChain into the textbox, 
  4. PROBLEM for private key  ???
  5. Press the upload button
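
Added example (not part of the original notes): once a renewal has been propagated by hand to the services above, this shell helper compares the certificate each service actually presents with the leaf of the new full chain file and reports which ones are still serving the old one. The function names and the host[:port] command-line targets are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page.
# Usage: sh certcheck.sh FULLCHAIN host[:port] [host[:port] ...]

# split_target "host[:port]" -> "host port" (port defaults to 443).
split_target() {
    case $1 in
        *:*) echo "${1%:*} ${1##*:}" ;;
        *)   echo "$1 443" ;;
    esac
}

# local_fp FILE: SHA-256 fingerprint of the first certificate in FILE
# (for a full chain that is the leaf). Prints nothing on failure.
local_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fp HOST PORT: fingerprint of the leaf the service presents, or
# nothing if the handshake fails. SNI is sent so that a name-based proxy
# answers with the certificate for HOST.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# verdict EXPECTED ACTUAL -> CURRENT, STALE or UNREACHABLE.
verdict() {
    if [ -z "$2" ]; then echo UNREACHABLE
    elif [ "$1" = "$2" ]; then echo CURRENT
    else echo STALE
    fi
}

# check_all FULLCHAIN TARGET...: prints one line per target and returns the
# number of targets not serving the new certificate (255 if FULLCHAIN is
# unreadable).
check_all() {
    want=$(local_fp "$1")
    [ -n "$want" ] || { echo "cannot read certificate from $1" >&2; return 255; }
    shift
    bad=0
    for t in "$@"; do
        hp=$(split_target "$t")
        v=$(verdict "$want" "$(served_fp "${hp% *}" "${hp#* }")")
        echo "$t $v"
        [ "$v" = CURRENT ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Only touch the network when called with a full chain and at least one target.
if [ "$#" -ge 2 ]; then
    check_all "$@"
fi
```

Services on non-standard ports, such as the 8443 and 9443 connectors above, are passed as host:port.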