Nginx Server (main certificate host)
Current method: DNS-01 challenge with a wildcard certificate (Let's Encrypt only validates wildcard names via DNS-01)
Look at: https://github.com/Neilpang/acme.sh#1-how-to-install AND https://github.com/Neilpang/acme.sh/wiki/dnsapi
---BEGIN--------First time only: ------------
# FreeDNS credentials for the dns_freedns hook. acme.sh saves them into ~/.acme.sh/account.conf
# for later renewals, so keep that file readable by this user only.
export FREEDNS_User="..."
export FREEDNS_Password="..."
# Get certificates
acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'
[Fri Apr 5 19:11:55 PDT 2019] Registering account
[Fri Apr 5 19:11:56 PDT 2019] Registered
[Fri Apr 5 19:11:57 PDT 2019] ACCOUNT_THUMBPRINT='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Fri Apr 5 19:11:57 PDT 2019] Creating domain key
[Fri Apr 5 19:11:57 PDT 2019] The domain key is here: /home/user/.acme.sh/politick.ca/politick.ca.key
[Fri Apr 5 19:11:57 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:11:57 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:11:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:11:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Domain politick.ca not found at FreeDNS
[Fri Apr 5 19:12:03 PDT 2019] Retry loading subdomain page (1 attempts remaining)
[Fri Apr 5 19:12:05 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
---END--------First time only: ------------
---BEGIN--------Certificate renewal ------------
Make sure that you have 2 free entries in http://freedns.afraid.org/subdomain/ as this script will temporarily create 2 TXT entries (one per name, both at _acme-challenge.politick.ca). The free version allows a maximum of 25 entries. Also make sure that your server IP is in the ACL that is allowed to modify the FreeDNS entries: http://freedns.afraid.org/profile/?action=acl
Log in as a regular user; no need to be root to renew certificates. acme.sh also installs a cron job at install time that renews automatically; running --issue by hand before the renewal is due just skips (it prints the next renewal time) unless --force is added.
user@machine~$ cd .acme.sh
user@machine~$ ./acme.sh --issue --dns dns_freedns -d politick.ca -d '*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Multi domain='DNS:politick.ca,DNS:*.politick.ca'
[Fri Apr 5 19:12:54 PDT 2019] Getting domain auth token for each domain
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Getting webroot for domain='*.politick.ca'
[Fri Apr 5 19:12:56 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:56 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:12:59 PDT 2019] Found domain api file: /home/user/.acme.sh/dnsapi/dns_freedns.sh
[Fri Apr 5 19:12:59 PDT 2019] Add TXT record using FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Added acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:02 PDT 2019] Let's check each dns records now. Sleep 20 seconds first.
[Fri Apr 5 19:13:23 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] Checking politick.ca for _acme-challenge.politick.ca
[Fri Apr 5 19:13:24 PDT 2019] Domain politick.ca '_acme-challenge.politick.ca' success.
[Fri Apr 5 19:13:24 PDT 2019] All success, let's return
[Fri Apr 5 19:13:24 PDT 2019] Verifying: politick.ca
[Fri Apr 5 19:13:27 PDT 2019] Success
[Fri Apr 5 19:13:27 PDT 2019] Verifying: *.politick.ca
[Fri Apr 5 19:13:30 PDT 2019] Success
[Fri Apr 5 19:13:30 PDT 2019] Removing DNS records.
[Fri Apr 5 19:13:30 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:33 PDT 2019] Delete TXT record using FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Deleted acme challenge TXT record for _acme-challenge.politick.ca at FreeDNS
[Fri Apr 5 19:13:35 PDT 2019] Verify finished, start to sign.
[Fri Apr 5 19:13:35 PDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/11111111/111111111111
[Fri Apr 5 19:13:37 PDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/000000000000000000000000000000
[Fri Apr 5 19:13:37 PDT 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFXTCCBEWgAwIBAgISBK7H5uhW+Ck5bBhrSy ......
Reload Nginx configs
The nginx configs have been modified to read the certificates from the /home/user/.acme.sh/... location.
acme.sh's README treats the files in ~/.acme.sh as internal and recommends copying them out with --install-cert; its --reloadcmd then reloads nginx automatically after each cron renewal, so this manual step goes away. (The nginx master process reads the key as root, so the copies only need to be root-readable.)
/usr/sbin/service nginx reload
---END--------Certificate renewal ------------
Old method: certbot v0.31.0 (says deprecated but still works for now)
Renew Let's Encrypt using certbot. Note: Let's Encrypt has since removed the TLS-SNI-01 challenge entirely, so this command line would now need --preferred-challenges http (which requires port 80 on the nginx host and cannot issue the wildcard).
./certbot-auto --nginx --preferred-challenges tls-sni-01 --agree-tos -w /var/www/html --expand -d politick.ca,www.politick.ca,cloud.politick.ca,esxi.politick.ca,esxi2.politick.ca,jira.politick.ca,plex.politick.ca,unifi.politick.ca,nas.politick.ca,pbx.politick.ca,mail.politick.ca,nvr.politick.ca,irmc.politick.ca
SSL configuration for Nginx
- I've created 2 configuration snippets: ssl-params.conf && ssl-politick.ca.conf, so I could use different certificates for different virtual servers.
- Configured as described here: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- SSL tested with Wormly tools: https://www.wormly.com/tools
/etc/nginx/snippets/ssl-params.conf (the site configs include it as snippets/ssl-params.conf)
# TLSv1 and TLSv1.1 are formally deprecated (RFC 8996); keep them only if a legacy client still needs them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Note: an add_header inside a location block replaces ALL add_header lines inherited from here;
# repeat them in any location that sets its own headers.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
/etc/nginx/snippets/ssl-politick.ca.conf
# "ssl on" is deprecated since nginx 1.15.0 and redundant here because the site config already
# uses "listen 443 ssl"; never include this snippet in a plain port-80 server block.
ssl on;
# certbot paths from the old method; with acme.sh the files are fullchain.cer and politick.ca.key
# under /home/user/.acme.sh/politick.ca/ (or wherever --install-cert put them).
ssl_certificate /etc/letsencrypt/live/politick.ca-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/politick.ca-0001/privkey.pem;
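An added check, written for this page rather than taken from the notes or from nginx: a flat parser for include-style nginx snippets plus an audit of the TLS directives above. It runs over the two snippets as they appear in these notes (embedded as constructed samples) and over a hardened variant, and flags what a reviewer would flag today: TLSv1/TLSv1.1 in ssl_protocols (deprecated by RFC 8996), the deprecated `ssl on`, OCSP stapling without verification, session tickets left enabled, and an HSTS header that is missing, shorter than a year or lacking includeSubDomains. The thresholds and the hardened snippet are this example's choices, not nginx's defaults.

```python
"""Audit the TLS directives of an nginx snippet.

Added example for these notes, not code from the notes or from nginx. The two
snippet texts below are constructed from the configuration shown on this page;
the "hardened" one is what the audit expects to pass. Thresholds are this
example's choices.
"""
import re
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample: ssl-params.conf + ssl-politick.ca.conf as shown above.
NOTES_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl on;
ssl_certificate /etc/letsencrypt/live/politick.ca-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/politick.ca-0001/privkey.pem;
"""

# Constructed hardened variant: TLS 1.2/1.3 only, no "ssl on", paths are assumptions.
HARDENED_SNIPPET = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_certificate /etc/nginx/certs/fullchain.cer;
ssl_certificate_key /etc/nginx/certs/politick.ca.key;
"""

SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ONE_YEAR = 31536000


def parse_directives(text: str) -> List[Directive]:
    """Flat parse into (name, args). Honours '#' comments and quoted args (the
    HSTS value contains a ';'), and treats '{' / '}' as statement boundaries so
    a block header like "server {" is still recorded; it does not track nesting."""
    directives: List[Directive] = []
    stmt: List[str] = []
    quote = None
    i = 0

    def flush() -> None:
        toks = shlex.split("".join(stmt))
        if toks:
            directives.append((toks[0], toks[1:]))
        stmt.clear()

    while i < len(text):
        c = text[i]
        if quote:                      # inside a quoted argument: ';' and '#' are literal
            stmt.append(c)
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            stmt.append(c)
        elif c == "#":                 # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif c in ";{}":
            flush()
        else:
            stmt.append(c)
        i += 1
    flush()  # tolerate a missing final ';'
    return directives


def audit_tls_snippet(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the snippet passed."""
    by_name: Dict[str, List[List[str]]] = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings: List[str] = []

    protos = by_name.get("ssl_protocols", [])
    if not protos:
        findings.append("ssl_protocols not set; the nginx default depends on the version")
    for args in protos:
        weak = [p for p in args if p not in SAFE_PROTOCOLS]
        if weak:
            findings.append("ssl_protocols enables deprecated %s (RFC 8996)" % " ".join(weak))

    if ["on"] in by_name.get("ssl", []):
        findings.append("'ssl on' is deprecated; use the ssl parameter of listen instead")

    if ["on"] in by_name.get("ssl_stapling", []) and ["on"] not in by_name.get("ssl_stapling_verify", []):
        findings.append("ssl_stapling on without ssl_stapling_verify on")

    if ["off"] not in by_name.get("ssl_session_tickets", []):
        findings.append("ssl_session_tickets not disabled; the ticket key only rotates on restart "
                        "unless ssl_session_ticket_key is managed")

    hsts = [a for a in by_name.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for args in hsts:
        value = args[1] if len(args) > 1 else ""
        m = re.search(r"max-age=(\d+)", value)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age=%d is below one year" % max_age)
        if "includesubdomains" not in value.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    import sys
    # usage: python3 audit_tls.py /etc/nginx/snippets/ssl-params.conf  (defaults to the notes' snippet)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NOTES_SNIPPET
    for finding in audit_tls_snippet(text) or ["no findings"]:
        print("-", finding)
```

Run it against the snippet from these notes and it reports exactly the two points made in the comments above (TLSv1/TLSv1.1 and `ssl on`); the hardened variant comes back clean. Because the parser is flat, feeding it a whole site file works for spotting directives but it will not tell you which server block they belong to.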
Example of one site config
/etc/nginx/sites-available
# Normal HTTP(80) request that redirects (301) to HTTPS (443)
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name politick.ca www.politick.ca;
# webroot challenge location from the old certbot method; harmless with DNS-01
include /etc/nginx/snippets/letsencryptauth.conf;
# $server_name is always the first name listed above, so www.politick.ca lands on politick.ca;
# use $host instead if the requested name should be preserved
return 301 https://$server_name$request_uri;
}
# HTTPS (443) server that proxies (the "nginx redirection" in these notes) to the internal server
# jira.politick.ca on port 9443, the Confluence connector from the JIRA section below (JIRA itself is on 8443)
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-politick.ca.conf;
include snippets/ssl-params.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name politick.ca www.politick.ca;
location / {
# Everything is proxied; the try_files fallback is kept commented out for a static site.
# nginx does not verify the upstream certificate by default (proxy_ssl_verify off),
# so this hop trusts the internal network rather than the upstream's cert.
proxy_pass https://jira.politick.ca:9443/;
# try_files $uri $uri/ =404;
}
}
After a change in configuration, test it and, if the test passes, reload (a reload re-reads the certificates without dropping connections; a restart is not needed):
service nginx configtest
service nginx reload
Certificate propagation
Import into KeePass, with root privilege (with the acme.sh method the equivalent files are fullchain.cer and politick.ca.key under /home/user/.acme.sh/politick.ca/, owned by the renewing user, so no root is needed there):
cd /etc/letsencrypt/live/politick.ca-0001
vi fullchain.pem <cut and paste text>
vi privkey.pem <cut and paste text>
Unifi → Very Easy |
Don't bother: it runs on the nginx server, so we'll just use the nginx redirect (proxy_pass) and the certificate nginx already serves; both names resolve to unifi.politick.ca. (The scripted keystore update for the controller's own port is under "Unifi → OK" below.)
FreeNAS → Easy |
- logon
- DONE only ONCE during initial setup, good until 2035:
Go to the CAs tab and place the Let's Encrypt root certificate (ISRG Root X1, https://letsencrypt.org/certs/isrgrootx1.pem.txt) there. This should be required only once, as that root expires in 2035. You only need the certificate part; you DON'T have the key part, of course. I've put 2 in the serial number, as 20180101 was cut into 3 numbers.
- Go to the Certificates tab, right next to the CAs tab, and press Import Certificate. Name this new certificate (e.g. YYYYMMLetsEncrypt) in the Identifier field (needed for the next step), then cut and paste your full chain into the Certificate box and the private key into the Private Key box. Leave the passphrase empty. (I've not explored whether this passphrase protects your private key... it should, as I don't like that I can just view the private key here.)
- Go to the General tab, select your new certificate's Identifier name and hit the Save button.
- Voila!
SipXcom → Easy |
- logon
- Go to System → Certificates
- Select the radio button called "Certificate & Key Text" (for a simple cut & paste operation)
Certificate is cert.pem (essentially the first part of the FullChain)
Key is privkey.pem
Chain is fullchain.pem
CA is located here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
- Press the Import button
- shutdown -r now
mail server → Easy |
- ssh to mail.politick.ca
- vi /etc/ssl/certs/mail.politick.ca.pem
- Paste the new full chain
- vi /etc/ssl/private/mail.politick.ca.key
- Paste the private key (the file under /etc/ssl/private should stay readable by root only)
Reboot the server.
May want to:
- apt-get update
- apt-get upgrade
- apt autoremove
- shutdown -r now
Plex in NAS → OK |
DON'T BOTHER → Plex uses the PlexPass certificate instead and does not read our own ...
- http://nas.politick.ca
- View Jails, select PlexPass
- Open shell, set to 132x50
- cd /etc/ssl/
- Update private.pem (yeah, the key), cert.pem (top part of the FullChain) and chain.pem (bottom part of the FullChain)
- openssl pkcs12 -export -out ./certificate.pfx -inkey ./private.pem -in ./cert.pem -certfile chain.pem
- Set the password to (your generic level 1 security password); Plex stores it in plaintext in its settings, so don't reuse one you care about
- restart jail
- cd PlexMediaServer-....
- ./start.sh &
- exit
For FIRST Time setup consult Here.
Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files: the key, certificate and chain bundled into one file.
Create the PKCS #12 file:
Run the package command:
sudo openssl pkcs12 -export -out ~/certificate.pfx \
  -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
  -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
  -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem
You'll first be prompted for your sudo password.
Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.
Hand it over to plex:
sudo mv ~/certificate.pfx /var/lib/plexmediaserver
sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx
Have Plex use your PFX file
Visit the Plex UI on your server: http://myhostname.no-ip.org:32400
Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).
Click "SHOW ADVANCED" to see the necessary fields.
Enter the following values:
- Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
- Custom certificate encryption key: The password you entered on step 2 of last section
- Custom certificate domain: https://myhostname.no-ip.org:32400
Save your changes.
That's it. You don't even have to restart plex!
You can check the "Plex Media Server.log" file in "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Logs" if you want to verify whether there were any errors.
Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.
ZoneMinder (Apache2) → OK |
- SSH to ZoneMinder
The web server is Apache2 and I've configured it to read:
SSLCertificateFile /etc/ssl/MyCerts/politick.ca.pem
SSLCertificateKeyFile /etc/ssl/private/politick.key
- vi /etc/ssl/MyCerts/politick.ca.pem, then "Cut&Paste" the new FullChain into it.
- vi /etc/ssl/private/politick.key, then "Cut&Paste" the new PrivateKey into it.
- /etc/init.d/apache2 reload
Done once for Apache on ZoneMinder on Ubuntu server 16.04 to enable SSL on server |
Enable SSL on Apache2
cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load
ln -s ../mods-available/socache_shmcb.load socache_shmcb.load
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf default-ssl.conf
Edit default-ssl.conf (the equivalents of the symlinks above are a2enmod ssl and a2ensite default-ssl). The global lines below (LoadModule, Listen, cipher suite, session cache) normally live in ssl.load, ports.conf and ssl.conf rather than in the site file:
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Listen 443
# MEDIUM only adds 128-bit legacy suites such as RC4/SEED when the OpenSSL build has them; HIGH:!aNULL:!MD5 loses nothing modern
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me@politick.ca
ServerName nvr.politick.ca
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/MyCerts/politick.ca.pem
SSLCertificateKeyFile /etc/ssl/private/politick.key
<SNIP...>
In the file /etc/apache2/sites-available/000-default.conf:
ServerName nvr.politick.ca
# Only the bare "/" is redirected; other paths (e.g. /zm itself) are still served in clear on port 80
RedirectMatch ^/$ https://nvr.politick.ca/zm
ServerAdmin martin@politick.ca
DocumentRoot /var/www/html
ESXI → OK, but F#*$& INCONVENIENT! |
- Go to the VMs and suspend them all!!!! Yeah → Very INCONVENIENT! This is required to then be able to put the server in maintenance mode.
- Place the ESXi server in Maintenance mode
- Start the SSH service in the Host → Manage → Services web interface.
- Log in to the host via SSH and then "cd /etc/vmware/ssl".
- Move the 2 rui certificate files to a backup name, such as rui.crt.Old. Note they will be deleted at reboot. If you're superstitious, mv them to /vmfs/volumes/ ...
- Type vi rui.crt to "Cut&Paste" the new FullChain into it.
- vi rui.key to "Cut&Paste" the new PrivateKey into it.
- Note: There must not be any stray ^M (CR) characters at the end of the lines; they come from pasting DOS line endings and can stop the host from loading the files.
- Reboot the ESXi server
- Exit the host from Maintenance Mode
- Make sure all VMs are restarted.
VMware's KB for replacing rui.crt/rui.key describes restarting the host management agents (hostd and vpxa) instead of a full reboot, which would avoid suspending the VMs; that is not what was done here.
OwnCloud → OK Apache |
- SSH to cloud.politick.ca
- vi /etc/ssl/certs/politick.ca.pem
- Cut & paste the full chain and save the file
- vi /etc/ssl/private/politick.ca.key
- Cut & paste the private key and save the file
- service apache2 reload
OBSOLETE, while it was running in the NAS Jail
OwnCloud → OK (+ cut & paste pain because it is in a jail). |
- Logon to FreeNAS
- Go to: Jails → View Jails → Start OwnCloud Shell
- cd /usr/pbi/owncloud-amd64/etc/apache24/
- vi politick.ca.key and "Cut&Paste" the new PrivateKey into it.
- vi politick.ca.cert and "Cut&Paste" the new FullChain into it. (Will likely need 2 cut & pastes due to the paste buffer limitation of the jail shell.)
- cp politick.ca.crt politick.ca.pem
- service apache24 reload
HOW TO Configure, once only
cd /usr/pbi/owncloud-amd64/etc/apache24/
Verify that httpd.conf contains:
- LoadModule ssl_module modules/mod_ssl.so
Add to httpd.conf:
Listen 443
<VirtualHost *:443>
ServerName cloud.politick.ca
SSLEngine on
SSLCertificateFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.cert"
SSLCertificateKeyFile "/usr/pbi/owncloud-amd64/etc/apache24/politick.ca.key"
</VirtualHost>
ServerName cloud.politick.ca:443
ServerName cloud.politick.ca:80
/usr/pbi/owncloud-amd64/etc/rc.d/apache24 reload
Unifi → OK (Java, but scripted) |
I now need to update the certificate so my Guest network login can use SSL
- Login
- sudo su
- gen-unifi-cert.sh -d politick.ca-0001
Run: InstallSSLToUnifi.sh
The OBSOLETE script is below. aircontrolenterprise is the UniFi controller's well-known default keystore password; passing it with -passout pass:/-storepass puts it in the process list and shell history, so keep the script root-only:
# Bundle cert + key into a PKCS#12 under the alias "unifi" that the controller expects
openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /etc/letsencrypt/live/politick.ca-0001/cert.pem \
-inkey /etc/letsencrypt/live/politick.ca-0001/privkey.pem \
-out /home/politick/cert.p12 -name unifi \
-CAfile /etc/letsencrypt/live/politick.ca-0001/fullchain.pem -caname root
echo Hit ENTER to Stop Unifi service
read a
service unifi stop
# Drop the old "unifi" entry (keytool -delete takes -storepass; with -deststorepass it prompts instead)
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
-storepass aircontrolenterprise
# Import the new PKCS#12 entry into the controller's JKS keystore
keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /home/politick/cert.p12 -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi
# Also register the certificate through the controller's own importer
java -jar /usr/lib/unifi/lib/ace.jar import_cert \
/etc/letsencrypt/live/politick.ca-0001/cert.pem \
/etc/letsencrypt/live/politick.ca-0001/chain.pem \
/home/politick/cert.p12
echo Hit ENTER to restart Unifi service
read a
service unifi start
JIRA → Finally Got it! | (F*%$ing Java) |
/etc/init.d/jira stop
/etc/init.d/confluence1 stop
- cd /opt/ssl/
- vi PrivPubCa.pem and cut & paste the private key, then the full chain certificates. Save the file. (It holds the unencrypted key, so it should be mode 600.)
openssl pkcs12 -export -out PrivPubCa.pkcs12 -in PrivPubCa.pem (for the password, look into the KeePass database under jira.politick.ca or into /opt/atlassian/jira/conf/server.xml)
keytool -v -importkeystore -srckeystore PrivPubCa.pkcs12 -srcstoretype PKCS12 -destkeystore .keystore -deststoretype JKS
shutdown -r now
Look into the KeePass database to retrieve the destination .keystore password. (Yes, it's one of those random cut & paste long passwords.)
Or it's also in plain text in the file: /opt/atlassian/jira/conf/server.xml
Tomcat can also read the PKCS#12 file directly (keystoreType="PKCS12" on the Connector), which makes the JKS conversion step optional.
-----------------------------------------------------------------------------
First time Keystore install:
Uncomment the 8443 section for SSL in the file: /opt/atlassian/jira/conf/server.xml
server.xml Connector 8443
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"
/>
/opt/atlassian/confluence/conf/server.xml
server.xml Connector 9443
<Connector port="9443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystoreFile="/opt/ssl/.keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxx"/>
Port 9443
I'm running Confluence on port 9443, as JIRA is already running on 8443, and to be consistent with the change from 8 to 9 in 8080 → 8090; so 8443 → 9443 seems consistent. (The 9443 connector above still lists TLSv1 and TLSv1.1 in sslEnabledProtocols; drop them unless a legacy client needs them.)
443
I've tried to set up Confluence on the normal https port 443 (Connector port="443"). But of course ports below 1024 need root permissions and, at the time, I didn't want to give some random program (tomcat) root rights, as this is a likely security hole, and didn't want to research it further... Port 9443, with my nginx redirection, was good enough for me! (The usual non-root options are exactly that, a reverse proxy in front, or an iptables REDIRECT / CAP_NET_BIND_SERVICE on the java binary.)
Copied below just in case:
To convert the PEM-format keys to Java KeyStores:
iRMC → Easy ???? → NOT!!!! |
- logon
- Go to iRMC S3 → Certificate Upload
- Cut & paste the FullChain into the textbox
- PROBLEM for the private key ???
- Press the Upload button
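An added check to run after the rounds above, written for this page rather than taken from the notes: it pulls the certificate each host actually presents and compares SHA-256 fingerprints against the leaf certificate in the reference fullchain from the nginx box (the same value `openssl x509 -noout -fingerprint -sha256 -in fullchain.pem` prints). The host:port table is an assumption based on the names used in these notes, and SAMPLE_PEM is a constructed stand-in, not a real certificate; it only lets the parsing and bucketing run offline. A host where the paste did not take (the iRMC case above) shows up as stale instead of silently keeping the old certificate.

```python
"""Check that every host actually serves the newly propagated certificate.

Added example for these notes, not the notes' own tooling. It compares the
SHA-256 fingerprint of the leaf certificate each host presents with the
fingerprint of the first certificate in the reference PEM (fullchain.pem /
fullchain.cer from the nginx host). The host:port list is an assumption
based on the names in the notes; SAMPLE_PEM is a constructed stand-in (not
a real certificate) so the pure parts run offline.
"""
import base64
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Assumed ports: web UIs on 443, Plex on 32400, JIRA 8443, Confluence 9443 (same host).
FLEET: Dict[str, int] = {
    "politick.ca": 443,
    "unifi.politick.ca": 443,      # fronted by nginx per the notes
    "nas.politick.ca": 443,
    "cloud.politick.ca": 443,
    "mail.politick.ca": 443,
    "nvr.politick.ca": 443,
    "esxi.politick.ca": 443,
    "esxi2.politick.ca": 443,
    "irmc.politick.ca": 443,
    "jira.politick.ca": 8443,
    "plex.politick.ca": 32400,
}

# Constructed stand-in for fullchain.pem: base64 of b"constructed-leaf" followed by a
# second block holding b"intermediate". Not a real certificate.
SAMPLE_PEM = (
    PEM_BEGIN + "\nY29uc3RydWN0ZWQtbGVhZg==\n" + PEM_END + "\n"
    + PEM_BEGIN + "\naW50ZXJtZWRpYXRl\n" + PEM_END + "\n"
)


def first_cert_der(pem: str) -> bytes:
    """DER bytes of the first certificate block; in fullchain.pem that is the leaf."""
    start = pem.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem.index(PEM_END, start)
    return base64.b64decode("".join(pem[start:end].split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, formatted like `openssl x509 -noout -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def served_cert_der(host: str, port: int, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch the leaf certificate a host presents. Chain/hostname verification is
    deliberately off: the question is *which* cert is served, and a host still on
    the old or a self-signed cert must be reported, not skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(expected_fp: str, observed: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Bucket hosts by outcome; None as an observed value means the connection failed."""
    report: Dict[str, List[str]] = {"ok": [], "stale": [], "unreachable": []}
    for host in sorted(observed):
        fp = observed[host]
        if fp is None:
            report["unreachable"].append(host)
        elif fp == expected_fp:
            report["ok"].append(host)
        else:
            report["stale"].append(host)
    return report


def check_fleet(reference_pem: str, fleet: Dict[str, int] = FLEET) -> Dict[str, List[str]]:
    """Fingerprint the reference leaf, then probe every host and bucket the results."""
    expected = fingerprint(first_cert_der(reference_pem))
    observed: Dict[str, Optional[str]] = {}
    for host, port in fleet.items():
        try:
            der = served_cert_der(host, port)
            observed[host] = fingerprint(der) if der else None
        except OSError:                # covers timeouts, refused connections and ssl.SSLError
            observed[host] = None
    return audit(expected, observed)


if __name__ == "__main__":
    # usage: python3 check_fleet.py /home/user/.acme.sh/politick.ca/fullchain.cer
    with open(sys.argv[1]) as fh:
        result = check_fleet(fh.read())
    for bucket, hosts in result.items():
        print("%-12s %s" % (bucket + ":", ", ".join(hosts) or "-"))
    sys.exit(1 if result["stale"] or result["unreachable"] else 0)
```

Run it from the nginx host right after the propagation round; a non-zero exit means at least one host is still on the old certificate or could not be reached, which is the list to go back to. Verification is switched off on purpose, so this script proves only which certificate is served, not that the chain validates; that remains the job of the Wormly/SSL checks mentioned above.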