Difference between revisions of "NetMan - SSL Certs"
Line 27: | Line 27: | ||
(Coming soon... I promise...) | (Coming soon... I promise...) | ||
− | * install certbot (assuming a [[SBN - Web Server Notes|LAMP]] install) | + | *install certbot (assuming a [[SBN - Web Server Notes|LAMP]] install) |
− | ** <code>sudo apt-get install certbot python-certbot-apache</code> | + | **<code>sudo apt-get install certbot python-certbot-apache</code> |
− | * Ensure that your firewall is pointing both port 80 and port 443 at this machine. (This is your Webserver after all...) | + | *Ensure that your firewall is pointing both port 80 and port 443 at this machine. (This is your Webserver after all...) |
− | * Obtain & install the certificate | + | *Obtain & install the certificate |
− | ** <code>sudo certbot --apache</code> | + | **<code>sudo certbot --apache</code> |
− | * Verify that automatic renewal works | + | *Verify that automatic renewal works |
− | ** <code>sudo certbot renew --dry-run</code> | + | **<code>sudo certbot renew --dry-run</code> |
=====Installing on a Webserver that will be proxied===== | =====Installing on a Webserver that will be proxied===== | ||
Line 49: | Line 49: | ||
*Add certification for the root of the domain (i.e.: no "www.") | *Add certification for the root of the domain (i.e.: no "www.") | ||
− | **sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net | + | **<code>sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net</code> |
*Create certificates for other machines on the network | *Create certificates for other machines on the network | ||
**''<u>Still working on this one...scroll a little bit further...</u>'' | **''<u>Still working on this one...scroll a little bit further...</u>'' |
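Review bot: the command wrapped in <code> here invokes /usr/local/bin/certbot-auto, but the install step earlier on the page (sudo apt-get install certbot python-certbot-apache) provides the binary as plain certbot on PATH, so this line will fail on a machine set up by the page's own instructions unless certbot-auto was separately downloaded. Suggest aligning it with the rest of the page, e.g. `sudo certbot --apache -d www.FOOBAR.net -d FOOBAR.net`, which also installs the certificate into Apache, whereas `certonly` only obtains it and leaves the Apache configuration untouched (worth saying in the bullet if certonly is intentional).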
Revision as of 03:40, 26 June 2020
On an Apache based server
From /usr/share/doc/apache2/README.Debian.gz
Enabling SSL
To enable SSL, type (as user root):
sudo a2ensite default-ssl
sudo a2enmod ssl
If you want to use self-signed certificates, you should install the ssl-cert package (see below). Otherwise, just adjust the SSLCertificateKeyFile and SSLCertificateFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your SSL certificate. Then restart apache:
sudo systemctl restart apache2
The SSL key file should only be readable by root; the certificate file may be globally readable. These files are read by the Apache parent process which runs as root, and it is therefore not necessary to make the files readable by the www-data user.
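The README excerpt above leaves two things to the reader: editing the two directive paths in default-ssl.conf and making sure the key file is not readable by anyone but root. The script below is an added example (not from the wiki page or the Debian README) that does both and checks the result before Apache is restarted. It assumes GNU sed/stat as shipped on Debian, a certificate/key pair already on disk, and the stock default-ssl.conf layout; the sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: point default-ssl.conf at a real
# cert/key pair and verify the private key is only readable by its owner.
# Assumes GNU sed (-i without suffix) and GNU stat (-c '%a'), i.e. Debian.

# Rewrite the SSLCertificateFile / SSLCertificateKeyFile directives in $1 so
# they point at $2 (certificate) and $3 (private key). Leading indentation
# and the directive name are kept; only the path argument is replaced.
set_cert_paths() {
    conf=$1; cert=$2; key=$3
    sed -i \
        -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $cert|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $key|" \
        "$conf"
}

# Print the path configured for directive $2 in config file $1.
cert_path_in() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 when the key has no group/other permission bits (0600, 0400, ...),
# which is what the README asks for: readable by root only.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Enable mod_ssl and the default-ssl site, then restart only if the config
# parses. Needs root; not exercised by the demo below.
enable_ssl_site() {
    a2enmod ssl && a2ensite default-ssl && apachectl configtest \
        && systemctl restart apache2
}

# Demo on a constructed copy of the stock default-ssl.conf (snakeoil paths).
demo_dir=$(mktemp -d)
demo_conf=$demo_dir/default-ssl.conf
printf '<IfModule mod_ssl.c>\n\t<VirtualHost _default_:443>\n\t\tSSLEngine on\n' > "$demo_conf"
printf '\t\tSSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem\n' >> "$demo_conf"
printf '\t\tSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n' >> "$demo_conf"
printf '\t</VirtualHost>\n</IfModule>\n' >> "$demo_conf"

# Hypothetical certbot lineage name used only for the demo.
set_cert_paths "$demo_conf" \
    /etc/letsencrypt/live/FOOBAR.net/fullchain.pem \
    /etc/letsencrypt/live/FOOBAR.net/privkey.pem
echo "cert: $(cert_path_in "$demo_conf" SSLCertificateFile)"
echo "key:  $(cert_path_in "$demo_conf" SSLCertificateKeyFile)"

touch "$demo_dir/privkey.pem"; chmod 600 "$demo_dir/privkey.pem"
if key_is_private "$demo_dir/privkey.pem"; then echo "key perms ok"; else echo "key too open"; fi
rm -rf "$demo_dir"
```

On a real machine you would run `set_cert_paths /etc/apache2/sites-available/default-ssl.conf <cert> <key>` as root, confirm `key_is_private <key>` passes (and `chmod 600` it if not), and only then call `enable_ssl_site`; the `apachectl configtest` inside it stops the restart if the paths were mistyped, so the old site keeps serving instead of Apache failing to come back up.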
Getting proper certificates onto the machine
This requires that the server have a legit FQDN: a public DNS name that actually resolves to this machine.
But, it's pretty straightforward.
(if ya wanna get fancier... There's a Documentation Page.)
Installing on a Webserver Directly accessible from the Internet
(Coming soon... I promise...)
- install certbot (assuming a LAMP install)
sudo apt-get install certbot python-certbot-apache
- Ensure that your firewall is pointing both port 80 and port 443 at this machine. (This is your Webserver after all...)
- Obtain & install the certificate
sudo certbot --apache
- Verify that automatic renewal works
sudo certbot renew --dry-run
Installing on a Webserver that will be proxied
(This part of the instructions will probably change...)
For now... We'll pretend this is a normal Webserver. Automatic renewal is gonna fail, since the machine isn't normally reachable from the internet on port 80.
- install certbot (assuming a LAMP install)
sudo apt-get install certbot python-certbot-apache
- Make the machine visible on port 80 to the internet. (see CertGetter)
- Obtain & install the certificate
sudo certbot --apache
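Both procedures above end with the question of whether renewal keeps working: on the directly exposed server `certbot renew --dry-run` answers it once, and on the proxied server renewal is expected to fail. Let's Encrypt certificates last 90 days, so a renewal that quietly stops working shows up as a certificate drifting toward expiry. The script below is an added example (not from the wiki page or from certbot) that reports days left for every lineage certbot manages and flags anything under 30 days; it assumes certbot's default live directory, GNU date (`-d`) and openssl, and the thresholds and sample dates in it are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: catch a silently failed certbot
# renewal by checking how many days each certificate has left.
# Assumes GNU date (for -d) and openssl; LIVE_DIR is certbot's default.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WARN_DAYS=30   # certbot normally renews with 30 days left; less means it didn't

# $1 = notAfter string as openssl prints it (e.g. "Jun 26 03:40:00 2030 GMT"),
# $2 = "now" as a Unix epoch. Prints whole days remaining, truncated toward
# zero, so an expired certificate gives a negative number.
days_left() {
    end=$(date -u -d "$1" +%s) || return 1
    echo $(( (end - $2) / 86400 ))
}

# Classify a day count: expired / overdue (renewal should already have run) / ok.
renewal_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt "$WARN_DAYS" ]; then
        echo overdue
    else
        echo ok
    fi
}

# Read the notAfter field out of a PEM certificate with openssl.
not_after_of() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Walk every lineage under LIVE_DIR; exit 1 if any certificate is not ok,
# which makes the script usable as a cron job or monitoring probe.
check_all() {
    rc=0
    now=$(date -u +%s)
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        d=$(days_left "$(not_after_of "$cert")" "$now")
        s=$(renewal_status "$d")
        printf '%-40s %5s days  %s\n' "$(basename "$(dirname "$cert")")" "$d" "$s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# Demo with a constructed notAfter value and a constructed "now"
# (2020-06-26 03:40:00 UTC, the timestamp of this wiki revision).
demo_now=1593142800
for demo_end in "Jun 26 03:40:00 2030 GMT" "Jul 10 03:40:00 2020 GMT" "Jun 21 03:40:00 2020 GMT"; do
    d=$(days_left "$demo_end" "$demo_now")
    echo "$demo_end -> $d days -> $(renewal_status "$d")"
done

# Real check, only when certbot's directory exists on this machine.
[ -d "$LIVE_DIR" ] && check_all
```

Run it from cron daily (or point `LIVE_DIR` elsewhere for manually copied certs, like the ones handed out to the rest of the network) and alert on a non-zero exit; an "overdue" line on the proxied server is the expected failure the section above warns about, and on the exposed server it means the renewal timer or the port 80 path needs looking at.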
A trick or two...
- Get a certificate that also covers the root of the domain (i.e.: no "www.")
sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
- Create certificates for other machines on the network
- Still working on this one...scroll a little bit further...
SSL for the rest of the network
Getting the certs for a manual install
See CertGetter
Installing manual certs on an ESXi server
See SSL - ESXi