
Getting Certificates with Certbot

To install certbot, follow the instructions on https://certbot.eff.org/

Important!

Since these instructions were written, Certbot has automated this process, making the task considerably easier!

Following the instructions on certbot.eff.org it is possible to obtain certificates and configure NGINX automatically, without following the instructions below.

Full Instructions (Superseded by the above)

The command to get certificates from certbot (you need to include all the subdomains used in the stack):

sudo certbot certonly --webroot -w /var/www/html -d www.smart-factory.net,smart-factory.net,dev.smart-factory.net

To renew certificates (one-time test):

certbot certonly --webroot -w /var/www/html --cert-name zibawa.com -d zibawa.com,www.zibawa.com,app.zibawa.com,dashboard.zibawa.com,ldap.zibawa.com,rmq.zibawa.com,docs.zibawa.com

SSL configuration

It is essential that all applications that need access to the SSL certificates have the appropriate permissions to read them.

The below assumes that your certificates are being created by letsencrypt (group letsencrypt). However, the same concept applies if you are self-certifying; in that case the group is probably ssl-cert.

Certificates are stored under /etc/letsencrypt/live/<domain>. NGINX takes the full chain in ssl_certificate and the key in ssl_certificate_key (cert.pem is the leaf certificate on its own and is listed below for reference):

ssl_certificate /etc/letsencrypt/live/zibawa.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zibawa.com/privkey.pem;

/etc/letsencrypt/live/zibawa.com/cert.pem: your domain's certificate
/etc/letsencrypt/live/zibawa.com/chain.pem: the Let's Encrypt chain certificate
/etc/letsencrypt/live/zibawa.com/fullchain.pem: cert.pem and chain.pem combined
/etc/letsencrypt/live/zibawa.com/privkey.pem: your certificate's private key

Create group letsencrypt

sudo addgroup letsencrypt

Change the permissions on the directories to 750. Attention! Some applications (such as postgres) require that their private key be 640 or less, so the below won't work if you have such an application; you will need to change the individual certificate files to 640.

sudo chmod 750 /etc/letsencrypt
sudo chmod 750 /etc/letsencrypt/live
sudo chmod 750 /etc/letsencrypt/keys
sudo chmod 750 /etc/letsencrypt/csr
sudo chmod 750 /etc/letsencrypt/archive

Change ownership of the files to root:letsencrypt

sudo chown -R root:letsencrypt /etc/letsencrypt

Add the following users to group letsencrypt

sudo usermod -a -G letsencrypt grafana
sudo usermod -a -G letsencrypt rabbitmq
sudo usermod -a -G letsencrypt openldap
sudo usermod -a -G letsencrypt zibawa
sudo usermod -a -G letsencrypt influxdb
sudo usermod -a -G letsencrypt postgres

Now you are ready to configure SSL.

adm/ssl_configuration.txt · Last modified: 2017/11/17 16:33 by matt