To create the SSL certificates for our different domains we use a combination of:
pfSense firewall
HAProxy module
ACME certificate module
Let's Encrypt
So... lots of layers of complication. This is how it works:
Creating an SSL certificate for openvino.org
The website for http://openvino.org runs on alpha and is served by an Apache server on port 80 (plain HTTP).
The pfSense firewall is set up, via the HAProxy module, to terminate HTTPS on the firewall and forward the requests to the alpha:80 backend.
The firewall stores the http://openvino.org SSL certificate in the ACME certificate module.
The certificate is issued by Let's Encrypt.
HAProxy module:
This is the summary page for the HAProxy module Frontend configurations.
...
In this example, several domains arriving on 217.75.227.235:443 are forwarded to alpha:80.
The domains (http://costaflores.com , http://ico.costaflores.com ?, and shop.costaflores.com) all use the SSL certificate managed by the "shared-frontend".
ACME certificate module
This is the summary page of all the SSL certificates managed by the ACME certificate module. The ACME module is used to request and renew certificates issued by Let's Encrypt.
...
Here we create a new certificate for http://openvino.org
...
In the Domain SAN list table we specify the domain name (http://openvino.org ) and the validation method (Webroot FTP).
Webroot FTP
Webroot FTP is one of several methods the ACME module can use to prove to Let's Encrypt that we control the domain (the HTTP-01 challenge). Despite the name, the connection used here is SFTP over SSH, not plain FTP: the ACME module, running on pfSense, connects to an SFTP server (in this case alpha) with username sftpsens and password *****, and writes the challenge token into the directory /.well-known/acme-challenge. Let's Encrypt then fetches that token over plain HTTP at http://<domain>/.well-known/acme-challenge/<token> before issuing the certificate.
A proper SFTP configuration insists that the directories reachable over SFTP are held within a chroot jail. However, the Apache server on alpha also has its own chroot jail for the htdocs trees of the different domains. Therefore we cannot simply point SFTP at the directory where Let's Encrypt expects to find the challenge over HTTP. One workaround is a script that runs as root on alpha and copies the contents of the SFTP directory into the challenge directories of the different domains under Apache. But that script would have to run permanently if certificates are renewed automatically, and a root process that keeps copying files dropped by a remote account into web-served directories is a security hazard in itself.
This validation method also does not work for http://wiki.costaflores.com , because that is a Confluence instance behind an Apache reverse proxy: every request, including /.well-known/acme-challenge, is handed to Confluence, so the challenge directory is not visible from outside.
Setting up SSL for Confluence (http://wiki.costaflores.com )
To set up SSL for Confluence, first we need to create an exception in the Apache reverse proxy so that /.well-known/acme-challenge is served from disk instead of being passed on to Confluence.
This is done by editing /etc/httpd/conf.d/website.wiki.costaflores.com.conf and adding the following section before the general ProxyPass / directive that hands everything else to Confluence (a ProxyPass exclusion only takes effect if it precedes the broader rule):
Code Block |
---|
# Exclude /.well-known from the reverse proxy.  These lines must come before
# the catch-all "ProxyPass /" that sends everything else to Confluence,
# otherwise the catch-all wins and the exclusion is never consulted.
ProxyPass /.well-known !
ProxyPassReverse /.well-known !
# Serve the challenge tokens straight from the filesystem instead.
Alias "/.well-known/acme-challenge/" "/var/www/html/wiki.costaflores.com/.well-known/acme-challenge/" |
To make the changes take effect, restart the apache server:
Code Block |
---|
systemctl restart httpd |
And test that a file in the new directory is reachable over HTTP (create a test file first, then fetch it from outside):
Code Block |
---|
mkdir -p /var/www/html/wiki.costaflores.com/.well-known/acme-challenge
echo 'HELO!' > /var/www/html/wiki.costaflores.com/.well-known/acme-challenge/helo.txt
curl http://wiki.costaflores.com/.well-known/acme-challenge/helo.txt
HELO! |
sftp setup
On the wiki server, we need to set up the sftp service.
Create the directory where the challenge tokens will be written:
Code Block |
---|
mkdir -p /var/www/html/wiki.costaflores.com/.well-known/acme-challenge
|
Create the sftp user and group:
Code Block |
---|
groupadd sftpusers
# The home directory becomes the chroot below; nologin keeps the account sftp-only.
useradd -g sftpusers -d /var/www/html/wiki.costaflores.com -s /sbin/nologin sftpsens
passwd sftpsens |
Edit the last section of /etc/ssh/sshd_config.
This is the original section:
Code Block |
---|
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server |
This is the new section:
Code Block |
---|
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
# internal-sftp runs inside sshd, so it works inside a chroot with no binaries
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    # %h = the account's home directory. sshd refuses to chroot into it unless
    # it is owned by root and not group/world writable (see the chown/chmod below).
    ChrootDirectory %h
    ForceCommand internal-sftp |
Restart the sshd service to reflect the changes:
Code Block |
---|
systemctl restart sshd |
Change ownership and permissions on the chroot directory. The top-level directory must be root-owned and not group/world writable or sshd will refuse the login; only the challenge directory is writable by the sftp group, and "other" keeps execute permission so Apache can still read the tokens by name:
Code Block |
---|
# everything below the webroot belongs to the sftp user and group ...
chown -R sftpsens:sftpusers /var/www/html/wiki.costaflores.com/
# ... except the chroot root itself, which sshd insists is root-owned and not g/o writable
chown root /var/www/html/wiki.costaflores.com/
chmod 711 /var/www/html/wiki.costaflores.com/
# sftpusers may write tokens; "other" (the apache user) keeps x to traverse and read them
chmod 771 /var/www/html/wiki.costaflores.com/.well-known
chmod 771 /var/www/html/wiki.costaflores.com/.well-known/acme-challenge |
To test sftp, connect from another machine:
Code Block |
---|
sftp sftpsens@charlie |
On charlie, check for any errors in logging in (a chroot directory that is not root-owned or is group/world writable shows up here as "bad ownership or modes for chroot directory"):
Code Block |
---|
tail -f /var/log/secure |
The user sftpsens should be able to connect to charlie, and only be able to read and write the contents of .well-known/acme-challenge. Tokens the ACME module uploads must end up world-readable (mode 644) or Apache cannot serve them; sftp copies the mode of the local file it uploads.
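An audit script for the finished setup, added here as an example; it is not part of the original page nor of the pfSense ACME package. It checks the three things that silently break this flow (the ProxyPass exclusion placed after the catch-all, a chroot directory sshd will refuse, a challenge directory Apache cannot read) and can run a full token round trip over sftp and HTTP. The host name charlie, the account sftpsens, the group sftpusers and the webroot path come from the page; the function names, the self-test logic, and the reliance on GNU stat(1) and sshd -T are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit of the sftp-fed HTTP-01 challenge setup described above.
# Names taken from the page: host charlie, user sftpsens, group sftpusers,
# webroot /var/www/html/wiki.costaflores.com. Everything else is assumed.

# 1. Apache only honours "ProxyPass /.well-known !" if it comes BEFORE the
#    catch-all "ProxyPass /" that hands everything to Confluence.
#    Returns 0 when the exclusion precedes the first catch-all in the file.
proxy_exclusion_ok() {
    awk '
        /^[[:space:]]*ProxyPass[[:space:]]+\/\.well-known[[:space:]]+!/ { excl = NR }
        /^[[:space:]]*ProxyPass[[:space:]]+\/[[:space:]]+/ { if (!all) all = NR }
        END { exit !(excl && all && excl < all) }
    ' "$1"
}

# 2. sshd refuses a ChrootDirectory that is not root-owned or that is
#    group/world writable ("bad ownership or modes for chroot directory"
#    in /var/log/secure). Arguments: owner name, octal mode (e.g. 711).
chroot_dir_ok() {
    [ "$1" = root ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]          # 022 = group-write | other-write
}

# 3. The challenge directory must be writable by sftpusers (the ACME module
#    drops tokens there), traversable by "other" (Apache reads tokens by
#    exact name) and not world-writable. Arguments: group name, octal mode.
challenge_dir_ok() {
    [ "$1" = sftpusers ] || return 1
    [ $(( 0$2 & 020 )) -ne 0 ] && [ $(( 0$2 & 001 )) -ne 0 ] && [ $(( 0$2 & 002 )) -eq 0 ]
}

# 4. Apply the checks to a live host. GNU stat resolves owner/group/mode;
#    "sshd -T" prints the effective config and "-C" selects the Match block
#    (host and addr are passed too because older sshd releases demand all three).
audit_host() {
    conf=$1; webroot=$2; rc=0
    proxy_exclusion_ok "$conf" ||
        { echo "FAIL: /.well-known exclusion must precede 'ProxyPass /' in $conf"; rc=1; }
    chroot_dir_ok $(stat -c '%U %a' "$webroot") ||
        { echo "FAIL: $webroot must be root-owned and not group/world writable"; rc=1; }
    challenge_dir_ok $(stat -c '%G %a' "$webroot/.well-known/acme-challenge") ||
        { echo "FAIL: acme-challenge must be g+w (sftpusers), o+x and not o+w"; rc=1; }
    sshd -T -C user=sftpsens,host=charlie,addr=127.0.0.1 |
        grep -qi '^forcecommand internal-sftp' ||
        { echo "FAIL: sshd does not force internal-sftp for sftpsens"; rc=1; }
    return $rc
}

# 5. End to end: upload a token as the ACME module would, fetch it as the
#    Let's Encrypt validator would, then clean up. The chmod matters: sftp
#    copies the local file mode, and a 0600 token is unreadable for Apache.
challenge_roundtrip() {
    host=$1; token=acme-test-$$; tmp=$(mktemp)
    echo "$token" > "$tmp"; chmod 644 "$tmp"
    printf 'cd .well-known/acme-challenge\nput %s %s\n' "$tmp" "$token" |
        sftp -q "sftpsens@$host" >/dev/null
    got=$(curl -fsS "http://$host/.well-known/acme-challenge/$token")
    printf 'rm .well-known/acme-challenge/%s\n' "$token" |
        sftp -q "sftpsens@$host" >/dev/null
    rm -f "$tmp"
    [ "$got" = "$token" ]
}

# On the wiki host: sh audit.sh /etc/httpd/conf.d/website.wiki.costaflores.com.conf /var/www/html/wiki.costaflores.com
# From elsewhere:   sh audit.sh --roundtrip charlie
case "${1:-}" in
    "")          ;;                          # no arguments: only define the functions
    --roundtrip) challenge_roundtrip "$2" ;;
    *)           audit_host "$1" "$2" ;;
esac
```

The pure checks (2 and 3) take the owner/group and mode as arguments rather than a path so they can be exercised against any values; audit_host feeds them the real values from stat. The round trip is the only test that proves the whole chain, because a wrong file mode on the uploaded token passes every static check and still fails validation.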
Create the new certificate
...
Let's Encrypt
Renewing certificates manually
On sierra the sites are served by nginx and certbot talks to Let's Encrypt directly (not through the pfSense ACME module), so renewals there are run by hand with certbot renew; certbot only renews certificates that are close to expiry and reloads nginx afterwards. Running certbot renew --dry-run first exercises the same validation against the staging environment without consuming rate limits.
Code Block |
---|
[root@sierra ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/costaflores.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for costaflores.com
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/costaflores.openvino.exchange.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for costaflores.openvino.exchange
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ferment.openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for ferment.openvino.org
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/martianwinefederation.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for martianwinefederation.org
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moss.law.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for moss.law
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nft.openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for nft.openvino.org
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/openvino.exchange.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for openvino.exchange
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for openvino.org
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/theluckhunters.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for theluckhunters.com
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vco.costaflores.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vco.costaflores.com
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/costaflores.com/fullchain.pem (success)
/etc/letsencrypt/live/costaflores.openvino.exchange/fullchain.pem (success)
/etc/letsencrypt/live/ferment.openvino.org/fullchain.pem (success)
/etc/letsencrypt/live/martianwinefederation.org/fullchain.pem (success)
/etc/letsencrypt/live/moss.law/fullchain.pem (success)
/etc/letsencrypt/live/nft.openvino.org/fullchain.pem (success)
/etc/letsencrypt/live/openvino.exchange/fullchain.pem (success)
/etc/letsencrypt/live/openvino.org/fullchain.pem (success)
/etc/letsencrypt/live/theluckhunters.com/fullchain.pem (success)
/etc/letsencrypt/live/vco.costaflores.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |