And you should take something away from it, too....
[Screenshot: Screenshot_20230809_194620.png]
That is Semaphore, installed in a VM on my Proxmox.
This example refers to a Debian server on which NodeBB runs without problems. The hostname is reachable and everything works. I use a Redis DB and Nginx as a proxy.
Installing Let's Encrypt
Following this guide -> https://willy-tech.de/ssl-zertifikat-mit-lets-encrypt-erstellen/
Creating the certificate
Stop Nginx
root@one /opt/letsencrypt # /etc/init.d/nginx stop
[ ok ] Stopping nginx (via systemctl): nginx.service.
Create the certificates
root@one /opt/letsencrypt # ./letsencrypt-auto certonly --standalone -d frank-mankel.org -d www.frank-mankel.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for frank-mankel.org
http-01 challenge for www.frank-mankel.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/frank-mankel.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/frank-mankel.org/privkey.pem
Your cert will expire on 2018-07-13. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That worked already!!
The certificates are now located here:
/etc/letsencrypt/live/frank-mankel.org
The following files are in there now:
root@one /etc/letsencrypt/live/frank-mankel.org # ls -l
total 4
lrwxrwxrwx 1 root root 40 Apr 14 15:15 cert.pem -> ../../archive/frank-mankel.org/cert1.pem
lrwxrwxrwx 1 root root 41 Apr 14 15:15 chain.pem -> ../../archive/frank-mankel.org/chain1.pem
lrwxrwxrwx 1 root root 45 Apr 14 15:15 fullchain.pem -> ../../archive/frank-mankel.org/fullchain1.pem
lrwxrwxrwx 1 root root 43 Apr 14 15:15 privkey.pem -> ../../archive/frank-mankel.org/privkey1.pem
-rw-r--r-- 1 root root 543 Apr 14 15:15 README
Now we add them to Nginx!
Configuring Nginx
Stop Nginx:
/etc/init.d/nginx stop
My old Nginx file WITHOUT https:
server {
    if ($host != 'frank-mankel.org' ) {
        rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent;
    }
    listen 80;
    server_name frank-mankel.org;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
New file with https!!
### redirects http requests to https
server {
    server_name www.frank-mankel.org;
    rewrite ^(.*) http://frank-mankel.org$1 permanent;
}
server {
    listen 80;
    server_name frank-mankel.org;
    return 302 https://$server_name$request_uri;
}
### the https server
server {
    # listen on ssl, deliver with speedy if possible
    listen 443 ssl spdy;
    server_name frank-mankel.org;
    # change these paths!
    ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem;
    # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # disables all weak ciphers
    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567; # no trailing slash
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
All http traffic is redirected to https.
First of all we strip the www from the name.
if ($host != 'frank-mankel.org' ) {
    rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent;
}
The rest matches the Nginx docs!
Now we add the certificate. Adjust the paths.
# change these paths!
ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem;
Then save and start Nginx again
/etc/init.d/nginx start
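Two things in the https server block above have aged: the `spdy` parameter was removed from nginx in 1.9.5 in favour of `http2`, and TLS 1.0 and 1.1, which `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` still allows, are deprecated by RFC 8996. The script below is an added example, not code from the original post or from the nginx or NodeBB projects: it flags those settings (and a missing HSTS header) in a server block, and prints a hardened replacement for a given domain and NodeBB port. It assumes nginx 1.13 or newer built against OpenSSL 1.1.1 or newer (needed for `http2` and `TLSv1.3`) and certificates under /etc/letsencrypt/live/<domain>/ as created by certbot above.

```shell
#!/bin/sh
# Added example (not part of the original post or of nginx/NodeBB):
# tls_findings reports weak TLS settings in a server block,
# hardened_server_block prints a replacement for one domain.
# Assumptions: nginx >= 1.13 with OpenSSL >= 1.1.1, certbot paths as in the post.

# tls_findings FILE: print one line per weak or missing setting; return 1 if any.
tls_findings() {
    local f="$1" n=0
    if grep -Eq 'listen[^;]*[[:space:]]spdy' "$f"; then
        echo "spdy: SPDY support was removed in nginx 1.9.5; use the http2 parameter"
        n=$((n + 1))
    fi
    # matches TLSv1 or TLSv1.1 in ssl_protocols; TLSv1.2/TLSv1.3 do not match
    if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:];]|$)' "$f"; then
        echo "ssl_protocols: TLS 1.0/1.1 are deprecated (RFC 8996); allow TLSv1.2 TLSv1.3 only"
        n=$((n + 1))
    fi
    if ! grep -Eq 'add_header[[:space:]]+Strict-Transport-Security' "$f"; then
        echo "HSTS: no Strict-Transport-Security header; a first visit over plain http is still exposed"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# hardened_server_block DOMAIN [PORT]: print http->https redirect plus https server.
hardened_server_block() {
    sed -e "s/__DOMAIN__/$1/g" -e "s/__PORT__/${2:-4567}/g" <<'EOF'
server {
    listen 80;
    server_name __DOMAIN__ www.__DOMAIN__;
    return 301 https://__DOMAIN__$request_uri;
}
server {
    # www is in the certificate too, so it can be redirected over https
    listen 443 ssl http2;
    server_name www.__DOMAIN__;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    return 301 https://__DOMAIN__$request_uri;
}
server {
    listen 443 ssl http2;
    server_name __DOMAIN__;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs OpenSSL 1.1.1 or newer
    ssl_protocols TLSv1.2 TLSv1.3;
    # forward-secret AEAD suites only (no RC4, 3DES or CBC); the client may pick its fastest
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    # browsers remember to use https for a year; start with a small max-age while testing
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:__PORT__;
        proxy_redirect off;
        # Socket.IO (websocket) support for NodeBB
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Usage: sh tls-check.sh /etc/nginx/sites-enabled/nodebb        (audit a config)
#        sh tls-check.sh --print frank-mankel.org 4567           (print hardened block)
case "${1:-}" in
    "") ;;
    --print) hardened_server_block "$2" "${3:-4567}" ;;
    *) tls_findings "$1" ;;
esac
```

Run `nginx -t` after dropping the printed block into the site file; an old nginx that does not know `TLSv1.3` will say so there rather than silently falling back.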
Test everything and check that it all works. The Let's Encrypt certificate is only valid for 90 days, after which it must be renewed! So we set up a crontab
Setting up the crontab (At the moment I have no idea whether this works)
crontab -e
We add the following line.
0 3 * * * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
The minute field is 0, so the check runs once a day at 03:00 (with * in the minute field it would run every minute between 03:00 and 03:59, and with 1 in the day field only on the 1st of the month). certbot only renews once fewer than 30 days of validity remain and otherwise exits without running the hooks, so a daily check costs nothing and leaves a month of retries if one run fails.
Save it all and hope that it works
A test gave the following:
root@one /opt/letsencrypt # certbot renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/frank-mankel.org.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.23.0 renewal configuration file found at /etc/letsencrypt/renewal/frank-mankel.org.conf with version 0.10.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for frank-mankel.org
http-01 challenge for www.frank-mankel.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/frank-mankel.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: service nginx start
The --dry-run only does a test run without changing anything!!
If anyone can say something about the line "Attempting to parse the version 0.23.0 renewal ....", please let me know. The line is coloured red!
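The red line in the dry run shows two certbot installations on the box: the renewal file was written by the letsencrypt-auto script in /opt/letsencrypt (certbot 0.23.0), while the `certbot` that cron and the dry run invoke is version 0.10.2, so `which -a certbot` is worth a look before trusting the schedule. The script below is an added example, not code from the original post or from certbot: it computes how many days of validity remain and whether `certbot renew` would act, using only shell arithmetic so it works without GNU date. The cron line at the top, the date functions and the `cert_not_after` helper (which needs the openssl CLI) are all assumptions of this example, checked here against the issue and expiry dates from the post.

```shell
#!/bin/sh
# Added example (not from the original post): when does a Let's Encrypt
# certificate become due for renewal? certbot renews once fewer than 30 days
# remain and otherwise does nothing, so a daily check is the usual schedule:
#
#   0 3 * * * certbot renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"
#
# Assumptions: dates are Gregorian YYYY-MM-DD with year >= 0; cert_not_after
# needs the openssl command line tool.

# days_from_civil Y M D: days since 1970-01-01 (Howard Hinnant's civil-date
# algorithm, integer arithmetic only). Leading zeros are stripped from month
# and day so that 08 and 09 are not read as octal.
days_from_civil() {
    local y="$1" m="${2#0}" d="${3#0}" era yoe doy doe
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi     # year starts in March
    era=$((y / 400))
    yoe=$((y - era * 400))                        # year of era, 0..399
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))   # day of year from 1 March
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))       # day of era
    printf '%s\n' $((era * 146097 + doe - 719468))
}

# epoch_days YYYY-MM-DD: split the ISO date and convert
epoch_days() {
    local y="${1%%-*}" rest="${1#*-}"
    days_from_civil "$y" "${rest%%-*}" "${rest#*-}"
}

# days_until FROM TO: whole days from FROM to TO (negative if TO is earlier)
days_until() {
    printf '%s\n' $(( $(epoch_days "$2") - $(epoch_days "$1") ))
}

# renewal_due TODAY EXPIRY [THRESHOLD=30]: succeed when certbot would renew
renewal_due() {
    [ "$(days_until "$1" "$2")" -lt "${3:-30}" ]
}

# cert_not_after PEMFILE: notAfter date of a certificate as YYYY-MM-DD
cert_not_after() {
    local m
    # openssl prints e.g. "notAfter=Jul 13 12:34:56 2018 GMT"
    set -- $(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    esac
    printf '%04d-%02d-%02d\n' "$4" "$m" "$2"
}

# Usage: sh renewal-check.sh /etc/letsencrypt/live/frank-mankel.org/cert.pem
if [ -n "${1:-}" ]; then
    expiry=$(cert_not_after "$1")
    today=$(date -u +%Y-%m-%d)
    left=$(days_until "$today" "$expiry")
    if renewal_due "$today" "$expiry"; then
        echo "$1 expires $expiry ($left days left): certbot renew would renew it now"
    else
        echo "$1 expires $expiry ($left days left): not due yet"
    fi
fi
```

With the post's dates (issued 2018-04-14, expiring 2018-07-13) the functions give 90 days of validity, "not due" on 2018-06-01 with 42 days left, and "due" on 2018-07-01 with 12 days left, which is why a check that runs only on the 1st of the month works but has no retry before the certificate expires.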