To create the SSL certificates for our different domains, we use a combination of things:
pfsense firewall
HAproxy module
ACME certificate module
letsencrypt
So...lots of layers of complication. This is how it works:
Creating an SSL certificate for OpenVino.org
The website for http://openvino.org runs on alpha and is served by an Apache server on port 80.
The pfSense firewall is set up to terminate HTTPS and forward the requests to the alpha:80 backend using the HAProxy module.
The firewall stores the http://openvino.org SSL certificate in the ACME certificate module.
The certificate is issued by LetsEncrypt.
HAProxy module:
This is the summary page for the HAProxy module Frontend configurations.
In this example, several domains are configured so that requests arriving at 217.75.227.235:443 are forwarded to alpha:80.
The domains (http://costaflores.com, http://ico.costaflores.com (?), and shop.costaflores.com) all use the SSL certificate managed by the "shared-frontend".
Acme Certificate module
This is the summary page of all the SSL certificates managed by the ACME Certificate module. The ACME module is used to manage certificates issued by LetsEncrypt.
Here we create a new certificate for http://openvino.org.
In the Domain SAN list table we specify the domain name (http://openvino.org) and the validation method (Webroot FTP).
Webroot FTP
Webroot FTP is one of several methods the ACME module can use to prove ownership of the domain to LetsEncrypt. With Webroot FTP, the ACME module, running on pfSense, connects to an SFTP server (in this case, alpha) with username sftpsens and password *****, so that it can write the certificate challenge into the directory /.well-known/acme-challenge.
A proper SFTP configuration insists that the directories accessible over SFTP are held within a chroot jail. However, the Apache server on alpha also has a chroot jail for the different htdocs trees of the different domains. Therefore, we can't configure SFTP to write into the same directory from which the challenge must be served over HTTP. One workaround is a script that runs, as root, on alpha and copies the contents of the SFTP directory into the challenge directories of the different domains under Apache. But this script would have to run permanently if SSL certificates are to be renewed automatically, and a permanently running root process that copies user-supplied files presents some security hazards.
Also, this validation method does not work for http://wiki.costaflores.com, as this is a Confluence instance behind a proxy and /.well-known/acme-challenge is not reachable.
Setting up SSL for confluence (http://wiki.costaflores.com )
To set up SSL on Confluence, we first need to create an exception in the Apache proxy so that /.well-known/acme-challenge is served locally instead of being proxied to Confluence.
This is done by editing /etc/httpd/conf.d/website.wiki.costaflores.com.conf and adding the following section in the middle:
# Exclude the ACME path from proxying; the exclusion must come before the
# general ProxyPass that sends everything else to Confluence.
ProxyPass /.well-known !
ProxyPassReverse /.well-known !
# Serve the challenge files from the local webroot instead
Alias "/.well-known/acme-challenge/" "/var/www/html/wiki.costaflores.com/.well-known/acme-challenge/"
To make the changes take effect, restart the apache server:
systemctl restart httpd
And test accessing the new directory. Fetching
http://wiki.costaflores.com/.well-known/acme-challenge/helo.txt
returns the test file content:
HELO!
sftp setup
On the wiki server (charlie), we need to set up the SFTP service.
Create the directory where the certificate challenge will be written:
mkdir -p /var/www/html/wiki.costaflores.com/.well-known/acme-challenge
Create the sftp user and group (the home directory doubles as the chroot, see ChrootDirectory %h below; the user name must match the chown and sftp commands further down):
groupadd sftpusers
useradd -g sftpusers -d /var/www/html/wiki.costaflores.com -s /sbin/nologin sftpsens
passwd sftpsens
Edit the last section of /etc/ssh/sshd_config.
This is the original file:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server
This is the new file:
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
Restart the sshd service to reflect the changes:
systemctl restart sshd
Change permissions on the sftp directory. sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others, so the top directory is handed back to root with mode 711, while the challenge directories stay writable by the sftpusers group:
chown -R sftpsens:sftpusers /var/www/html/wiki.costaflores.com/
chown root /var/www/html/wiki.costaflores.com/
chmod 711 /var/www/html/wiki.costaflores.com/
chmod 771 /var/www/html/wiki.costaflores.com/.well-known
chmod 771 /var/www/html/wiki.costaflores.com/.well-known/acme-challenge
To test sftp, connect from another machine:
sftp sftpsens@charlie
On charlie, check for any errors in logging in:
tail -f /var/log/secure
The user sftpsens should be able to connect to charlie, and should only be able to read and write the contents of .well-known/acme-challenge.
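As an added check (not part of the original wiki page), the following script verifies the three properties the setup above depends on: the chroot directory and its parents are root-owned and not writable by group or others (otherwise sshd refuses the ChrootDirectory), the challenge directory is writable by the sftpusers group yet traversable by Apache, and sshd_config really confines the group. The OWNER, TOP and GROUP parameters and the check_wiki_setup helper are my additions; GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: checks the three properties
# the chrooted SFTP webroot above depends on. Assumes GNU coreutils stat (Linux)
# and the layout /var/www/html/wiki.costaflores.com/.well-known/acme-challenge.

# sshd rejects ChrootDirectory unless the directory and every parent are owned
# by root and not group/world writable (hence the chown root + chmod 711 above).
# Usage: chroot_dir_ok DIR [OWNER] [TOP]. OWNER and TOP are assumed extras so the
# walk can be exercised on a scratch tree instead of the real / hierarchy.
chroot_dir_ok() {
    dir=$1; owner=${2:-root}; top=${3:-/}
    while :; do
        info=$(stat -c '%U %a' "$dir") || return 1
        set -- $info                    # $1 = owner, $2 = octal mode
        [ "$1" = "$owner" ] || { echo "$dir: owned by $1, not $owner" >&2; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "$dir: mode $2 is group/world writable" >&2; return 1; }
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# The challenge directory needs the opposite: group-writable so the ACME module
# (logged in as sftpsens) can drop the token, and traversable by others so
# Apache can serve it back to LetsEncrypt. Usage: challenge_dir_ok DIR [GROUP].
challenge_dir_ok() {
    info=$(stat -c '%G %a' "$1") || return 1
    group=${2:-sftpusers}; set -- "$1" $info   # $2 = group, $3 = octal mode
    [ "$2" = "$group" ] || { echo "$1: group is $2, not $group" >&2; return 1; }
    [ $(( 0$3 & 020 )) -ne 0 ] || { echo "$1: not group writable" >&2; return 1; }
    [ $(( 0$3 & 001 )) -ne 0 ] || { echo "$1: not traversable by the web server" >&2; return 1; }
}

# Confirm the sshd_config Match block really confines the group: ChrootDirectory
# and ForceCommand internal-sftp must both follow "Match Group sftpusers".
# Commented-out lines start with '#' as their first field and are skipped.
sshd_match_ok() {
    awk 'tolower($1) == "match" { blk = (tolower($2) == "group" && $3 == "sftpusers") }
         blk && tolower($1) == "chrootdirectory" { c = 1 }
         blk && tolower($1) == "forcecommand" && $2 == "internal-sftp" { f = 1 }
         END { exit !(c && f) }' "$1"
}

# Run all three against the live layout on the wiki server (charlie).
check_wiki_setup() {
    root=/var/www/html/wiki.costaflores.com
    chroot_dir_ok "$root" && challenge_dir_ok "$root/.well-known/acme-challenge" \
        && sshd_match_ok /etc/ssh/sshd_config && echo "sftp webroot layout OK"
}
```

Source the file on charlie and run check_wiki_setup; a failing check names the offending path and reason on stderr.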