To create the SSL certificates for our different domains we use a combination of:

  • pfsense firewall

  • HAproxy module

  • ACME certificate module

  • letsencrypt

So...lots of layers of complication. This is how it works:

Creating an SSL certificate for OpenVino.org

The website for http://openvino.org runs on alpha, where it is served by an apache server on port 80 (plain HTTP).

The pfSense firewall is set up, using the HAProxy module, to accept HTTPS requests and forward them to the alpha:80 backend. TLS is terminated on the firewall, so the traffic between pfSense and alpha is plain HTTP.

The firewall stores the http://openvino.org SSL certificate in the ACME certificate module.

The certificate is issued by LetsEncrypt.

HAProxy module:

This is the summary page for the HAProxy module Frontend configurations.

...

In this example, several domains are configured on the frontend listening on 217.75.227.235:443 and are forwarded to the alpha:80 backend.

The domains (http://costaflores.com, http://ico.costaflores.com ?, and shop.costaflores.com) all use the SSL certificate managed by the "shared-frontend".

Acme Certificate module

This is the summary page of all the SSL certificates managed by the Acme Certificate module. The Acme module is used to request and renew certificates issued by Let's Encrypt.

...

Here we create a new certificate for http://openvino.org

...

In the Domain SAN list table we specify the domain name (http://openvino.org ) and the validation method (Webroot FTP).

Webroot FTP

Webroot FTP is one of several methods the ACME module can use to prove ownership of the domain to Let's Encrypt (it is the HTTP-01 challenge, with the challenge file delivered over SFTP). With webroot FTP, the ACME module running on pfSense connects to an SFTP server (in this case alpha) with username sftpsense and password *****, and writes the challenge file into the directory /.well-known/acme-challenge of the site's web root, from where Let's Encrypt fetches it over plain HTTP on port 80.

A proper sftp configuration insists that the directories reachable over sftp are held within a chroot jail. However, the apache server on alpha also keeps the htdocs trees of the different domains in their own jails. Therefore, we can't configure sftp to write into the same directory in which the ACME module expects Let's Encrypt to find the challenge over http. One workaround is a script that runs, as root, on alpha and copies the contents of the sftp directory into the challenge directories of the different domains under apache. But this script would have to run permanently (or from cron) if SSL certs are to be renewed automatically, and a root process that copies whatever the sftp user uploaded into the web roots is a security hazard in its own right.

Also, this validation method does not work out of the box for http://wiki.costaflores.com , as this is a Confluence instance behind an apache reverse proxy: every request, including /.well-known/acme-challenge, is proxied to Confluence, so a challenge file on disk is not visible.

Setting up SSL for confluence (http://wiki.costaflores.com )

To set up SSL for Confluence, first we need to create an exception in the apache reverse proxy so that .well-known/acme-challenge is served from disk instead of being proxied to Confluence.

This is done by editing /etc/httpd/conf.d/website.wiki.costaflores.com.conf and adding the following section before the general ProxyPass lines (ProxyPass rules are matched in configuration order and the first match wins, so the exclusion must come first):

Code Block

    ProxyPass /.well-known !
    ProxyPassReverse /.well-known !
    Alias "/.well-known/acme-challenge/" "/var/www/html/wiki.costaflores.com/.well-known/acme-challenge/"

To make the changes take effect, restart the apache server. On Apache 2.4, if the aliased directory is not already covered by a <Directory> block that grants access, requests to it return 403 and a <Directory "/var/www/html/wiki.costaflores.com/.well-known/acme-challenge"> block with Require all granted is needed as well:

Code Block
systemctl restart httpd

And test by dropping a file into the new directory (created in the sftp setup below) and fetching it over plain HTTP, which is how Let's Encrypt will fetch the real challenge:

Code Block
echo 'HELO!' > /var/www/html/wiki.costaflores.com/.well-known/acme-challenge/helo.txt
curl http://wiki.costaflores.com/.well-known/acme-challenge/helo.txt
HELO!

sftp setup

On the wiki server (charlie), we need to set up the sftp service that the ACME module on pfSense will log in to.

Create the directory where the certificate challenge will be written:

Code Block

mkdir -p /var/www/html/wiki.costaflores.com/.well-known/acme-challenge

Create the sftp user and group:

Code Block
groupadd sftpusers
useradd -g sftpusers -d /var/www/html/wiki.costaflores.com -s /sbin/nologin sftpsense
passwd sftpsense

Edit the last section of /etc/ssh/sshd_config. A Match block applies to every directive that follows it until the next Match, so the new block goes at the very end of the file.

This is the original file:

Code Block
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

This is the new file:

Code Block
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

# sftp-only users: chroot into their home directory (which must be root-owned and
# not group/world writable) and allow nothing but the in-process sftp server
Match Group sftpusers
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp

Check the syntax with sshd -t, then restart the sshd service to apply the changes:

Code Block
systemctl restart sshd

Change permissions on the sftp directory. OpenSSH requires the ChrootDirectory (here the user's home) to be owned by root and not writable by group or others, otherwise the login is refused with "bad ownership or modes for chroot directory". The challenge directory below it belongs to the sftp user, and mode 771 lets apache (which is not in sftpusers) traverse into it and read the challenge files without being able to list or write them:

Code Block
chown -R sftpsense:sftpusers /var/www/html/wiki.costaflores.com/
# the chroot root itself must belong to root and must not be group/world writable
chown root /var/www/html/wiki.costaflores.com/
chmod 711 /var/www/html/wiki.costaflores.com/
chmod 771 /var/www/html/wiki.costaflores.com/.well-known
chmod 771 /var/www/html/wiki.costaflores.com/.well-known/acme-challenge

To test sftp, connect from another machine:

Code Block
sftp sftpsense@charlie

On charlie, watch for any errors while logging in:

Code Block
tail -f /var/log/secure

The user sftpsense should be able to connect to charlie, should land inside the chroot (the session's "/" is /var/www/html/wiki.costaflores.com, with no shell and no port forwarding), and should only be able to read and write the contents of .well-known/acme-challenge. A "bad ownership or modes for chroot directory" entry in /var/log/secure means the permissions step above was not applied.
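The manual sftp test above only shows that the login works. The following audit script is an added example (it is not part of the original page or of the pfSense ACME package): it checks the three things that make the sftp webroot setup work, namely that sshd_config forces the sftp group into an internal-sftp chroot, that the chroot root is root-owned and not group/world writable (the condition sshd enforces before it accepts the login), and that the challenge directory has the 771 layout from the permissions step. It assumes GNU coreutils stat, and uses the names from this page (group sftpusers, home /var/www/html/wiki.costaflores.com) as defaults; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added audit script (not from the original page): verify the sftp chroot layout
# used for ACME "Webroot FTP" validation on the wiki server.
# Assumes GNU stat (-c). Defaults below are the names used on the page.

# dir_not_group_other_writable DIR: 0 if DIR is writable neither by group nor by others.
dir_not_group_other_writable() {
    mode=$(stat -c %A "$1" 2>/dev/null) || return 1   # symbolic mode, e.g. drwx--x--x
    case "$mode" in
        ?????w*|????????w*) return 1 ;;               # group w is char 6, other w is char 9
    esac
    return 0
}

# chroot_root_ok DIR: OpenSSH's ChrootDirectory rules: owned by root, not group/other writable.
chroot_root_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "0" ] || return 1
    dir_not_group_other_writable "$1"
}

# sshd_sftp_chroot_ok CONF GROUP: "Subsystem sftp internal-sftp" is set and the
# "Match Group GROUP" block carries both ChrootDirectory and ForceCommand internal-sftp.
sshd_sftp_chroot_ok() {
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1" || return 1
    awk -v grp="$2" '
        /^[[:space:]]*Match[[:space:]]/ { inblk = ($2 == "Group" && $3 == grp); next }
        inblk && /^[[:space:]]*ChrootDirectory[[:space:]]/            { chroot = 1 }
        inblk && /^[[:space:]]*ForceCommand[[:space:]]+internal-sftp/ { force = 1 }
        END { exit !(chroot && force) }' "$1"
}

# challenge_dir_ok DIR GROUP: DIR exists, is group-owned by GROUP, is group-writable
# (the sftp user must write the token) and traversable by others (apache is not in
# the sftp group and only needs x on the directory to read the token file).
challenge_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    case "$(stat -c %A "$1")" in
        d???rw[xs]??[xt]) return 0 ;;
        *)                return 1 ;;
    esac
}

# audit_acme_sftp [CONF] [GROUP] [HOME]: print findings, return their count (0 == all good).
audit_acme_sftp() {
    conf=${1:-/etc/ssh/sshd_config}
    grp=${2:-sftpusers}
    home=${3:-/var/www/html/wiki.costaflores.com}
    n=0
    sshd_sftp_chroot_ok "$conf" "$grp" || { echo "FAIL: $conf has no internal-sftp chroot block for group $grp"; n=$((n + 1)); }
    chroot_root_ok "$home" || { echo "FAIL: $home must be root-owned and not group/other writable (sshd refuses the chroot otherwise)"; n=$((n + 1)); }
    challenge_dir_ok "$home/.well-known/acme-challenge" "$grp" || { echo "FAIL: $home/.well-known/acme-challenge is not mode 771 owned by group $grp"; n=$((n + 1)); }
    return "$n"
}

# Stand-alone run: ./acme_sftp_audit.sh [sshd_config] [group] [home]
audit_acme_sftp "$@" && echo "OK: sftp webroot layout checks out"
```

Run it as root on charlie after the permissions step; each FAIL line names the condition that would make the pfSense ACME module's upload, or Let's Encrypt's subsequent HTTP fetch, fail.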

Create the new certificate

...

letsencrypt (certbot)

Not every site goes through the pfSense ACME module: the sites served by nginx on sierra get their certificates directly from certbot on that host, and certbot renews them (and reloads nginx) itself.

Renewing certificates manually

Run certbot renew as root on sierra. certbot renew --dry-run performs the same run against the Let's Encrypt staging environment without saving certificates, which is the safe way to test the setup without consuming rate limits:

Code Block
[root@sierra ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/costaflores.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for costaflores.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/costaflores.openvino.exchange.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for costaflores.openvino.exchange
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ferment.openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for ferment.openvino.org
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/martianwinefederation.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for martianwinefederation.org
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moss.law.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for moss.law
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nft.openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for nft.openvino.org
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/openvino.exchange.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for openvino.exchange
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/openvino.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for openvino.org
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/theluckhunters.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for theluckhunters.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vco.costaflores.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vco.costaflores.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/costaflores.com/fullchain.pem (success)
  /etc/letsencrypt/live/costaflores.openvino.exchange/fullchain.pem (success)
  /etc/letsencrypt/live/ferment.openvino.org/fullchain.pem (success)
  /etc/letsencrypt/live/martianwinefederation.org/fullchain.pem (success)
  /etc/letsencrypt/live/moss.law/fullchain.pem (success)
  /etc/letsencrypt/live/nft.openvino.org/fullchain.pem (success)
  /etc/letsencrypt/live/openvino.exchange/fullchain.pem (success)
  /etc/letsencrypt/live/openvino.org/fullchain.pem (success)
  /etc/letsencrypt/live/theluckhunters.com/fullchain.pem (success)
  /etc/letsencrypt/live/vco.costaflores.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
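A renewal that silently stops working is only noticed when clients start getting certificate errors. The script below is an added example (not part of the original page or of certbot): it walks the /etc/letsencrypt/live/<name>/fullchain.pem layout that certbot shows above and lists every certificate expiring within a given number of days, using openssl's -checkend test. It assumes an openssl binary on the host; the function names and the 14-day default are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): report Let's Encrypt certificates
# that are within N days of expiry, so a broken "certbot renew" is caught early.
# Assumes the certbot layout /etc/letsencrypt/live/<name>/fullchain.pem and openssl.

# cert_expires_within FILE DAYS: 0 if the first certificate in FILE expires within DAYS days
# (or has already expired), 1 if it is still valid beyond that window.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # openssl exits 0 when the certificate is still valid SECS seconds from now
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after FILE: print the notAfter date of the first certificate in FILE.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# expiring_certs [LIVEDIR] [DAYS]: print "name  expires <date>" for each certificate
# expiring within DAYS; return the number of such certificates (0 == nothing to do).
expiring_certs() {
    dir=${1:-/etc/letsencrypt/live}
    days=${2:-14}
    count=0
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "$days"; then
            name=$(basename "$(dirname "$pem")")
            printf '%-40s expires %s\n' "$name" "$(cert_not_after "$pem")"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Stand-alone run: ./expiring_certs.sh [/etc/letsencrypt/live] [days]
expiring_certs "$@" && echo "no certificates expire within ${2:-14} days"
```

Run from cron on sierra with a threshold comfortably above the renewal window (certbot renews 30 days before expiry, so anything inside 14 days means a renewal already failed) and alert on a non-zero exit status.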