
To create the SSL certificates for our different domains we use a combination of things:

  • pfsense firewall

  • HAproxy module

  • ACME certificate module

  • letsencrypt

So...lots of layers of complication. This is how it works:

Creating an SSL certificate for OpenVino.org

The website for http://openvino.org runs on alpha, and is provided by an apache server on port 80.

The pfSense firewall is set up, using the HAProxy module, to forward HTTPS requests to the alpha:80 backend.

The firewall stores the http://openvino.org SSL certificate in the ACME certificate module.

The certificate is issued by LetsEncrypt.

HAProxy module:

This is the summary page for the HAProxy module Frontend configurations.

In this example, several domains arriving at 217.75.227.235:443 are forwarded to alpha:80.

The domains (http://costaflores.com , http://ico.costaflores.com ?, and shop.costaflores.com) all use the SSL certificate managed by the "shared-frontend".

Acme Certificate module

This is the summary page of all the SSL certificates managed by the Acme Certificate module. The Acme module is used to manage certificates issued by LetsEncrypt.

Here we create a new certificate for http://openvino.org

In the Domain SAN list table we specify the domain name (http://openvino.org ) and the validation method (Webroot FTP).

Webroot FTP

Webroot FTP is one of several methods the ACME module can use to prove ownership of the domain to LetsEncrypt. With Webroot FTP, the ACME module, running on pfSense, connects to an sftp server (in this case, alpha) with Username: sftpsense and password *****, so that it can write the certificate challenge into the directory /.well-known/acme-challenge.

A proper sftp configuration insists that the directories accessible by sftp are held within a chroot jail. However, the apache server on alpha also has a chroot jail for the different htdoc trees of the different domains. Therefore, we can't configure sftp to write into the same directory where the ACME module expects to find the challenge via http. One workaround is a script that runs as root on alpha and copies the contents of the sftp directory to the challenge directories of the different domains under apache. But if SSL certs are renewed automatically, that script would have to run permanently, which presents its own security hazards.

Also, this validation method does not work for http://wiki.costaflores.com , as this is a Confluence web instance and /.well-known/acme-challenge is not visible.

Setting up SSL for confluence (http://wiki.costaflores.com )

To set up SSL on Confluence, first we need to create an exception in the apache proxy to allow access to .well-known/acme-challenge.

This is done by editing /etc/httpd/conf.d/website.wiki.costaflores.com.conf and adding the following section in the middle. The "!" exclusions must come before the general ProxyPass directive for the site, because Apache applies ProxyPass rules in the order listed and the first match wins:

    ProxyPass /.well-known !
    ProxyPassReverse /.well-known !
    Alias "/.well-known/acme-challenge/" "/var/www/html/wiki.costaflores.com/.well-known/acme-challenge/"

To make the changes take effect, restart the apache server:

systemctl restart httpd

And test accessing the new directory:

http://wiki.costaflores.com/.well-known/acme-challenge/helo.txt
HELO!

sftp setup

On the wiki server, we need to set up the sftp service.

Create the directory where the certificate challenge will be written:

mkdir -p /var/www/html/wiki.costaflores.com/.well-known/acme-challenge

Create the sftp user and group:

groupadd sftpusers
useradd -g sftpusers -d /var/www/html/wiki.costaflores.com -s /sbin/nologin sftpsense
passwd sftpsense

Edit the last section of /etc/ssh/sshd_config.

This is the original file:

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server


This is the new file:

# override default of no subsystems
# Subsystem       sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

Match Group sftpusers
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp

Restart the sshd service to reflect the changes:

systemctl restart sshd

Change permissions on the sftp directory:

chown -R sftpsense:sftpusers /var/www/html/wiki.costaflores.com/
chown root /var/www/html/wiki.costaflores.com/
chmod 711 /var/www/html/wiki.costaflores.com/
chmod 771 /var/www/html/wiki.costaflores.com/.well-known
chmod 771 /var/www/html/wiki.costaflores.com/.well-known/acme-challenge

To test sftp, connect from another machine:

sftp sftpsense@charlie

On charlie, check for any errors in logging in:

tail -f /var/log/secure

The user sftpsense should be able to connect to charlie, and only be able to read and write the contents of .well-known/acme-challenge.
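The chroot and permission steps above have silent failure modes: sshd refuses "ChrootDirectory %h" unless the home directory and every parent component are root-owned and not group/other writable, and the challenge directory must stay group-writable for the sftp user yet traversable for apache. The following script is an added verification example, not part of the original page; it takes the page's paths and assumes only a POSIX shell and stat.

```shell
#!/bin/sh
# Added verification script (not from the original page): checks the filesystem
# preconditions behind "ChrootDirectory %h" and the Webroot FTP challenge directory.
# Paths under --run are the page's own; the expected owner defaults to root (uid 0).

# Print "MODE UID" for a path; works with GNU stat and falls back to BSD stat.
stat_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# chroot_dir_ok DIR [OWNER_UID]: sshd accepts a chroot component only if it is
# owned by OWNER_UID (root) and not writable by group or others. Returns 0 if so.
chroot_dir_ok() {
    out=$(stat_mode_uid "$1") || return 1
    mode=${out% *}; uid=${out#* }
    [ "$uid" = "${2:-0}" ] || { echo "$1: owner uid $uid, want ${2:-0}" >&2; return 1; }
    o=${mode#"${mode%?}"}; rest=${mode%?}; g=${rest#"${rest%?}"}   # last two octal digits
    case "$g$o" in
        [2367]?|?[2367]) echo "$1: mode $mode is group/other writable" >&2; return 1 ;;
    esac
}

# chroot_path_ok DIR [OWNER_UID]: sshd checks every component of the chroot path,
# so /var, /var/www and /var/www/html must pass as well as the home directory itself.
chroot_path_ok() {
    d=$1
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        chroot_dir_ok "$d" "$2" || return 1
        d=$(dirname "$d")
    done
}

# challenge_dir_ok DIR: the sftp group must be able to write the challenge file
# (group write bit) and apache must be able to traverse the directory (other
# execute bit), which is what chmod 771 on .well-known/acme-challenge provides.
challenge_dir_ok() {
    out=$(stat_mode_uid "$1") || return 1
    mode=${out% *}
    o=${mode#"${mode%?}"}; rest=${mode%?}; g=${rest#"${rest%?}"}
    case "$g" in 2|3|6|7) ;; *) echo "$1: group cannot write (mode $mode)" >&2; return 1 ;; esac
    case "$o" in 1|3|5|7) ;; *) echo "$1: others cannot traverse (mode $mode)" >&2; return 1 ;; esac
}

# Run against the wiki server layout from this page; no output means every check passed.
if [ "${1:-}" = "--run" ]; then
    chroot_path_ok /var/www/html/wiki.costaflores.com
    challenge_dir_ok /var/www/html/wiki.costaflores.com/.well-known/acme-challenge
fi
```

Run it as root on charlie with --run after the chown/chmod steps; a non-zero exit names the offending directory, which is the same condition sshd logs as "bad ownership or modes for chroot directory component" in /var/log/secure.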

Create the new certificate
