Difference between revisions of "NetMan - SSL Certs"

From The TinkerNet Wiki
Revision as of 01:54, 27 June 2020

On an Apache-based server

From /usr/share/doc/apache2/README.Debian.gz

Enabling SSL

To enable SSL, type (as user root):

sudo a2ensite default-ssl

sudo a2enmod ssl

If you want to use self-signed certificates, you should install the ssl-cert
package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:

sudo systemctl restart apache2

The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.

Getting proper certificates onto the machine

This requires that the server have a legit FQDN that resolves to it from the Internet (certbot proves you control the name over plain HTTP on port 80 before issuing anything).

But, it's pretty straightforward.

certbot

(if ya wanna get fancier... There's a Documentation Page.)

Installing on a Webserver Directly accessible from the Internet

(Coming soon... I promise...)

  • install certbot (assuming a LAMP install)
    • sudo apt-get install certbot python-certbot-apache
  • Ensure that your firewall is pointing both port 80 and port 443 at this machine. (This is your Webserver after all...)
  • Obtain & install the certificate
    • sudo certbot --apache
  • Verify that automatic renewal works
    • sudo certbot renew --dry-run
  • Confirm that certbot worked
    • Visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
    • (Somewhat obviously... yourwebsite.com should be replaced with your actual address...)
    • If you want to geek out over it... check it at SSL Labs.

Installing on a Webserver that will be proxied

NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW! NEW!

Now you get to retrieve all your certs using the Primary Web Server.

  • Assign DNS for the name of the machine you're obtaining certs for
  • Wait for the DNS entry to propagate
    • You can repeatedly try systemd-resolve machinename.yourdomain.net until it shows your outside address...
    • (Tho, you might need to do this from outside your local network.)
  • Obtain & install the certificate
    • test...
      • sudo certbot-auto certonly --apache -d bork.tinkernet.ca --dry-run
      • (note: the command is either certbot or certbot-auto depending on how it was installed; the distro package provides certbot, the upstream wrapper script is certbot-auto)
    • remove --dry-run & repeat to actually get the cert.
  • Copy your shiny new cert to the actual machine it's intended for.
  • Set up the proxy in /etc/apache2/apache2.conf
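The proxied-webserver steps above as one script, added here as an example (not code from the wiki): it polls DNS until the name shows the outside address, dry-runs certbot, requests the real cert, and pushes cert + key to the target host while keeping the private key root-only. NAME, TARGET, PUBLIC_IP and the CERTBOT command name are assumed placeholders; run it as root on the Primary Web Server.

```shell
#!/bin/sh
# Added example (not from the TinkerNet wiki): the "proxied webserver" steps
# above as a script for the Primary Web Server. Run as root. NAME, TARGET and
# PUBLIC_IP are placeholders; 203.0.113.10 is a constructed (RFC 5737) address.
set -eu

NAME="${NAME:-bork.tinkernet.ca}"         # name you are getting a cert for
TARGET="${TARGET:-root@bork.internal}"    # hypothetical host behind the proxy
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # your outside address
CERTBOT="${CERTBOT:-certbot}"             # or certbot-auto, depending on install

# True if the expected address is in a resolver answer (first column of
# "getent ahostsv4" output). Split from the lookup so it can be tested offline.
has_ip() { printf '%s\n' "$1" | awk '{ print $1 }' | grep -qxF "$2"; }

# Poll until NAME resolves to PUBLIC_IP (the manual systemd-resolve loop above).
# From inside a NATed LAN you may only ever see the internal address.
wait_for_dns() {
    tries=0
    until has_ip "$(getent ahostsv4 "$1" 2>/dev/null || true)" "$2"; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "DNS for $1 never showed $2" >&2; return 1; }
        sleep 20
    done
}

# Key must not be group/world-readable (README note above); -L follows live/ symlinks.
key_perms_ok() {
    case "$(stat -L -c '%a' "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Dry-run, then the real request, then push cert + key to the target over SSH.
deploy() {
    live="/etc/letsencrypt/live/$1"
    "$CERTBOT" certonly --apache -d "$1" --dry-run
    "$CERTBOT" certonly --apache -d "$1"
    key_perms_ok "$live/privkey.pem" || chmod 600 "$live/privkey.pem"
    tar -C "$live" -chf - fullchain.pem privkey.pem |
        ssh "$2" "umask 077; mkdir -p /etc/ssl/$1 && tar -C /etc/ssl/$1 -xf -"
    ssh "$2" "chmod 644 /etc/ssl/$1/fullchain.pem; chmod 600 /etc/ssl/$1/privkey.pem"
}

if [ "${1:-}" = run ]; then   # only act when asked explicitly: ./getcert.sh run
    wait_for_dns "$NAME" "$PUBLIC_IP"
    deploy "$NAME" "$TARGET"
fi
```

On the target machine, point SSLCertificateFile and SSLCertificateKeyFile at /etc/ssl/NAME/fullchain.pem and privkey.pem; the explicit chmod is there because older certbot versions left privkey.pem world-readable.
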

A trick or two...

  • Add a certificate for the root of the domain as well (i.e.: no "www.")
    • sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
  • Create certificates for other machines on the network
    • Still working on this one... scroll a little bit further...

SSL for the rest of the network

Getting the certs for a manual install

certbot instructions

See CertGetter

Installing manual certs on an ESXi server

See SSL - ESXi