Difference between revisions of "NetMan - SSL Certs"

From The TinkerNet Wiki
Jump to navigation Jump to search
 
(29 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
===Enabling SSL===
 
===Enabling SSL===
To enable SSL, type (as user root):
+
To enable SSL, type:
  
<code>sudo a2ensite default-ssl</code>
+
*<code>sudo a2ensite default-ssl</code>
  
<code>sudo a2enmod ssl</code>
+
*<code>sudo a2enmod ssl</code>
  
 
If you want to use self-signed certificates, you should install the ssl-cert<br /> package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
 
If you want to use self-signed certificates, you should install the ssl-cert<br /> package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
  
<code>sudo systemctl restart apache2</code>
+
*<code>sudo systemctl restart apache2</code>
  
 
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
 
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
  
====<s>Creating self-signed certificates</s>====
+
====Getting proper certificates onto the machine====
<s>If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. after you have changed '/etc/hosts' or DNS to give the correct hostname) as user root with:</s>
 
  
<code><s>make-ssl-cert generate-default-snakeoil --force-overwrite</s></code>
+
Everything from here down is outdated.
  
<s>To create more certificates with different host names, you can use</s>
+
'''<big>NOTE:  certbot has been updated & some of the rest of the current notes are not quite right.</big>''' (except for the link immediately following this line...)
  
<code><s>make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt</s></code>
+
* [https://community.letsencrypt.org/t/your-system-is-not-supported-by-certbot-auto-anymore/139606/19 Your system is not supported by certbot-auto anymore]
  
<s>This will ask you for the hostname and place both SSL key and certificate in the file '/path/to/cert-file.crt'. Use this file with the SSLCertificateFile directive in the Apache config (you don't need the SSLCertificateKeyFile in this case as it also contains the key). The file '/path/to/cert-file.crt' should only be readable by root. A good directory to use for the additional certificates/keys is '/etc/ssl/private'.</s>
 
====Getting proper certificates onto the machine====
 
 
This requires that the server have a legit FQDN that works.
 
This requires that the server have a legit FQDN that works.
  
Line 32: Line 29:
 
[https://certbot.eff.org/ certbot]
 
[https://certbot.eff.org/ certbot]
  
(if ya wanna get fancier...  There's a [https://certbot.eff.org/docs/ Documentation Page].)
+
(if ya wanna get fancier...  There's a [https://certbot.eff.org/docs/ Documentation Page]. & [https://certbot.eff.org/docs/using.html#certbot-command-line-options command-line options])
 +
 
 +
=====Installing on a Webserver Directly accessible from the Internet=====
 +
<span style="color:#e74c3c">(Small note about certbot vs certbot-auto...  seems to be some oddity on its name depending on the install...  :|
 +
 
 +
If your machine can't find it by one name, try the other.)
 +
 
 +
*install certbot (assuming a [[SBN - Web Server Notes|LAMP]] install)
 +
**<code>sudo apt-get install certbot python-certbot-apache</code>
 +
*Ensure that your firewall is pointing both port 80 and port 443 at this machine.  (This is your Webserver after all...)
 +
*Obtain & install the certificate
 +
**<code>sudo certbot --apache</code>
 +
*Verify that automatic renewal works
 +
**<code>sudo certbot renew --dry-run</code>
 +
*Confirm that certbot worked
 +
**Visit <code><nowiki>https://yourwebsite.com/</nowiki></code> in your browser and look for the lock icon in the URL bar.
 +
**(Somewhat obviously...  '''yourwebsite.com''' should be replaced with your actual address...)
 +
**If you want to geek out over it...  check it at [https://www.ssllabs.com/ssltest/ SSL Labs].
 +
 
 +
=====Installing on a Webserver that will be proxied=====
 +
'''''<big>NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW!</big>'''''
 +
 
 +
Now you get to retrieve all your certs using the '''Primary Web Server'''.
 +
 
 +
*[[CertGetter - Assign DNS|Assign DNS]] for the name of the machine you're obtaining certs for
 +
*Wait for the DNS entry to propagate
 +
**You can repeatedly try <code>systemd-resolve ''machinename.yourdomain.net''</code> until it shows your outside address...
 +
**(Tho, you ''might'' need to do this from outside your local network.)
 +
 
 +
*Obtain & install the certificate
 +
**test... ('''NOTE:''' If your webserver doesn't respond to the address on '''port 80''', this will fail.  You may need to add the address into your '''VirtualHosts'''.)
 +
***<code>sudo certbot-auto certonly --apache -d ''machinename.yourdomain''.net --dry-run</code>
 +
**remove <code>--dry-run</code> & repeat to actually get the cert.
 +
*[[SBN - Copying Certs|Copy your shiny new cert]] to the actual machine it's intended for.
 +
*[[SBN - Proxy Server Notes|Set up the proxy]] in <code>/etc/apache2/apache2.conf</code> or in <code>/etc/apache2/sites-available/machinename.yourdomain.net</code>
  
 
=====A trick or two...=====
 
=====A trick or two...=====
  
 
*Add certification for the root of the domain (i.e.: no "www.")
 
*Add certification for the root of the domain (i.e.: no "www.")
**sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
+
**<code>sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net</code>
 +
*Get status of all the certs on the server
 +
**<code>certbot-auto certificates</code>
 
*Create certificates for other machines on the network
 
*Create certificates for other machines on the network
 
**''<u>Still working on this one...scroll a little bit further...</u>''
 
**''<u>Still working on this one...scroll a little bit further...</u>''
Line 46: Line 79:
 
[https://certbot.eff.org/lets-encrypt/debianbuster-other certbot instructions]
 
[https://certbot.eff.org/lets-encrypt/debianbuster-other certbot instructions]
  
Don't forget to do all your testing with <code>--dry-run</code> on the command line...  :)
+
<s>See [[CertGetter]]</s>
 
 
To use these instructions, you'll need to temporarily make a machine appear as your webserver to the outside world.
 
 
 
*<code>sudo apt-get install certbot</code>
 
*Configure the name you want to give the machine in your outside DNS
 
*confirm DNS is updated (might take a little while...)
 
**<code>systemd-resolve foo.bar.net</code>
 
**Might have to do this from outside the local network...
 
*Temporarily reconfigure your router to make the machine look, to the outside world, like it's your webserver on port 80.
 
**turn off any port forward currently set for port 80
 
**create a port forward for port 80 that points to the IP of the machine you're working on
 
*<code>sudo certbot certonly --standalone --dry-run</code>
 
 
 
I've built a VM named [[CertGetter]]
 
  
*Basic, minimal Linux machine with certbot installed.
+
CertGetter has been made redundant by using the [[SBN - Web Server Notes|main webserver]] on the network as a [[SBN - Proxy Server Notes|proxy server]].
*It can easily be assigned port 80 on the firewall
 
*Used to download certs for any particular machine on the network
 
*Then simply copy (following the procedures for the OS involved) the cert to the machine in need.
 
  
 
===Installing manual certs on an ESXi server===
 
===Installing manual certs on an ESXi server===
PIKEDOM.COM has some very good [https://pikedom.com/replace-self-signed-certificate-on-esxi-6-7-host/ instructions].
 
 
Something to know if you got your certs from certbot:
 
 
*The file you're replacing <code>rui.crt</code> with is either <code>cert.pem</code> or <code>fullchain.pem</code> (depending on whether you've set up with one or more than one domain in your certs.
 
*The file you're replacing <code>rui.key</code> with is either <code>privkey.pem</code>.
 
*Both of the files from certbot may have a number attached to the end of the filename itself.
 
 
So...
 
 
SSH into the server...
 
  
*<code>cd /etc/vmware/ssl</code>
+
See [[SSL - ESXi]]
*<code>mv rui.crt orig.rui.crt</code>
 
*<code>mv rui.key orig.rui.key</code>
 
*<code>vi rui.crt</code>
 
**Paste in the content of <code>fullchain.pem</code>
 
*<code>vi rui.key</code>
 
**Paste in the content of <code>privkey.pem</code>
 
*<code>reboot</code>
 

Latest revision as of 14:34, 1 January 2022

On an Apache based server

From /usr/share/doc/apache2/README.Debian.gz

Enabling SSL

To enable SSL, type:

  • sudo a2ensite default-ssl
  • sudo a2enmod ssl

If you want to use self-signed certificates, you should install the ssl-cert
package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:

  • sudo systemctl restart apache2

The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.

Getting proper certificates onto the machine

Everything from here down is outdated.

NOTE: certbot has been updated & some of the rest of the current notes are not quite right. (except for the link immediately following this line...)

This requires that the server have a legit FQDN that works.

But, it's pretty straightforward.

certbot

(if ya wanna get fancier... There's a Documentation Page. & command-line options)

Installing on a Webserver Directly accessible from the Internet

(Small note about certbot vs certbot-auto... seems to be some oddity on its name depending on the install... :|

If your machine can't find it by one name, try the other.)

  • install certbot (assuming a LAMP install)
    • sudo apt-get install certbot python-certbot-apache
  • Ensure that your firewall is pointing both port 80 and port 443 at this machine. (This is your Webserver after all...)
  • Obtain & install the certificate
    • sudo certbot --apache
  • Verify that automatic renewal works
    • sudo certbot renew --dry-run
  • Confirm that certbot worked
    • Visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
    • (Somewhat obviously... yourwebsite.com should be replaced with your actual address...)
    • If you want to geek out over it... check it at SSL Labs.
Installing on a Webserver that will be proxied

NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW!

Now you get to retrieve all your certs using the Primary Web Server.

  • Assign DNS for the name of the machine you're obtaining certs for
  • Wait for the DNS entry to propagate
    • You can repeatedly try systemd-resolve machinename.yourdomain.net until it shows your outside address...
    • (Tho, you might need to do this from outside your local network.)
  • Obtain & install the certificate
    • test... (NOTE: If your webserver doesn't respond to the address on port 80, this will fail. You may need to add the address into your VirtualHosts.)
      • sudo certbot-auto certonly --apache -d machinename.yourdomain.net --dry-run
    • remove --dry-run & repeat to actually get the cert.
  • Copy your shiny new cert to the actual machine it's intended for.
  • Set up the proxy in /etc/apache2/apache2.conf or in /etc/apache2/sites-available/machinename.yourdomain.net
A trick or two...
  • Add certification for the root of the domain (i.e.: no "www.")
    • sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
  • Get status of all the certs on the server
    • certbot-auto certificates
  • Create certificates for other machines on the network
    • Still working on this one...scroll a little bit further...

SSL for the rest of the network

Getting the certs for a manual install

certbot instructions

See CertGetter

CertGetter has been made redundant by using the main webserver on the network as a proxy server.

Installing manual certs on an ESXi server

See SSL - ESXi