Difference between revisions of "HTTPS Support via Let’s Encrypt"
Revision as of 17:40, 7 July 2016
- Installed client: acme.sh (https://github.com/Neilpang/acme.sh); the installation of the default client certbot (https://certbot.eff.org/#ubuntuother-nginx) failed due to some python incompatibilities
How Let's Encrypt works
Let's Encrypt is an initiative by the Mozilla Foundation and the Electronic Frontier Foundation that provides free SSL certificates for websites. The general idea is that if you control the content in the root directory of a domain, you are eligible to request a certificate for that domain. No paperwork or authentication is required.
The certificate creation is done automatically by running one of many supported clients on the target machine. The client proves to the Let's Encrypt server that the server is eligible by placing a requested token at a requested path (that could look like /.well-known/acme-challenge/iDdCv0Vs1ksYyuNRYfGaV79M0VmeQrzt6Ydgj8HP7EQ).
The certificates are only valid for 90 days but can be renewed automatically via a cron job. Renewal is possible within 30 days of the certificate expiring. The cron job should run more often than that, as the client simply skips the renewal attempt if the certificate is still too fresh.
For the biowikifarm the certificate has to include the 50 different domains currently supported by the server. Therefore certificate issuing and renewal take quite a while.
Further information:
- https://en.wikipedia.org/wiki/Let%27s_Encrypt
- https://letsencrypt.org/how-it-works/
Updating the certificates for newly added wikis
- add new domains to /root/generate_certificates.sh and specify the root directory the domain points to:

    sudo /root/.acme.sh/acme.sh --issue \
        -d biowikifarm.net -w /var/www \
        -d www.biowikifarm.net -w /var/www \
        -d abcd.biowikifarm.net -w /var/www/v-abcd \
        ...

  important side note: the first domain should always be biowikifarm.net, as the first domain determines the name of the certificate, which is already referenced in the nginx config. After www.biowikifarm.net, all other domains and subdomains are sorted alphabetically. Please add any new domains at the correct position.
- run sudo /root/generate_certificates.sh (takes around 10 minutes)
- if you get a response like "Skip, Next renewal time is: ...", acme.sh considers the existing certificate too fresh to renew; add the option --force to the first line of /root/generate_certificates.sh and run it again:

    sudo /root/.acme.sh/acme.sh --issue --force \
- the final keys and certificates are located at /root/.acme.sh/biowikifarm.net/ and are already referenced in /etc/nginx/nginx.conf
- (not sure if necessary, but just to be sure) run sudo service nginx reload
- remove the option --force if you have added it to /root/generate_certificates.sh, otherwise the cron job will generate a new certificate every time instead of just checking whether it needs to be renewed.
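The --force handling above has to be added by hand and removed again afterwards, and forgetting the second step means the cron job reissues the certificate on every run. The following wrapper is an added example, not part of the biowikifarm wiki page and not acme.sh's own code: it builds the same acme.sh --issue command line from a domain list, enforces the ordering rule from the side note (biowikifarm.net first, www.biowikifarm.net second, everything else alphabetical), and only adds --force when FORCE=1 is set for that one invocation, so the script the cron job runs never carries the flag. The acme.sh path and the first domains are taken from this page; the trailing zzz domain, the RUN_ISSUE/FORCE variable names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the biowikifarm project's generate_certificates.sh):
# build the acme.sh --issue command from a domain list, check the ordering
# rule, and add --force only for an explicit one-off run (FORCE=1).

ACME="${ACME:-/root/.acme.sh/acme.sh}"   # path as given on the wiki page

# Constructed domain list, one "domain webroot" pair per line. The first two
# entries are fixed; the remaining ones must be in alphabetical order.
DOMAINS='biowikifarm.net /var/www
www.biowikifarm.net /var/www
abcd.biowikifarm.net /var/www/v-abcd
zzz.biowikifarm.net /var/www/v-zzz'

# check_order LIST: 0 if line 1 is biowikifarm.net, line 2 is
# www.biowikifarm.net and lines 3.. are sorted (C locale), 1 otherwise.
check_order() {
  list="$1"
  first=$(printf '%s\n' "$list" | sed -n 1p | cut -d' ' -f1)
  second=$(printf '%s\n' "$list" | sed -n 2p | cut -d' ' -f1)
  [ "$first" = "biowikifarm.net" ] || return 1
  [ "$second" = "www.biowikifarm.net" ] || return 1
  rest=$(printf '%s\n' "$list" | sed '1,2d' | cut -d' ' -f1)
  [ "$rest" = "$(printf '%s\n' "$rest" | LC_ALL=C sort)" ] || return 1
  return 0
}

# build_issue_args LIST [FORCE]: print "--issue [--force] -d D -w W ..."
# The --force flag is only emitted when the second argument is exactly "1".
build_issue_args() {
  list="$1"
  force="${2:-}"
  args="--issue"
  [ "$force" = "1" ] && args="$args --force"
  while read -r domain webroot; do
    [ -n "$domain" ] || continue
    args="$args -d $domain -w $webroot"
  done <<EOF
$list
EOF
  printf '%s' "$args"
}

# Default is a dry run so the script can be inspected safely; RUN_ISSUE=1
# performs the real call, FORCE=1 additionally passes --force once.
if [ "${RUN_ISSUE:-0}" = "1" ]; then
  check_order "$DOMAINS" || { echo "domain list is not in the required order" >&2; exit 1; }
  # word-splitting of the argument string is intended here
  sudo "$ACME" $(build_issue_args "$DOMAINS" "${FORCE:-}")
else
  echo "dry run: $ACME $(build_issue_args "$DOMAINS" "${FORCE:-}")"
fi
```

Because the flag is bound to an environment variable instead of being edited into the file, a cron line can call the script with nothing set and never trigger a forced reissue, while an operator adding a wiki runs it once as FORCE=1 RUN_ISSUE=1.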
Troubleshooting
Certificate Creation Fails
When generating a new certificate, either because a new domain was added or because the old certificate needs renewal, and a message like this appears:

    Verify error:Could not connect to http://(sub.domain.tld)/.well-known/acme-challenge/iDdCv0Vs1ksYyuNRYfGaV79M0VmeQrzt6Ydgj8HP7EQ

check if you have specified the correct document root directory for the corresponding domain.
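The verification error above means the Let's Encrypt server could not fetch the token from the path described in the "How Let's Encrypt works" section, which for the biowikifarm almost always means the -w document root given for that domain is not the directory nginx serves for it. The following pre-flight check is an added example, not the wiki's own code and not part of acme.sh: it reproduces what the validation server does by writing a throwaway token into <webroot>/.well-known/acme-challenge/ and fetching it back over plain HTTP on the domain, so a wrong document root shows up before the 10-minute issue run. It assumes curl is installed and that it runs as a user who can write to the webroots; the PREFLIGHT_RUN variable and function names are assumptions, and the pairs are read from stdin in the same "domain webroot" shape as the generate_certificates.sh entries.

```shell
#!/bin/sh
# Added example (not from the biowikifarm wiki or acme.sh): pre-flight check
# of the http-01 challenge path for each "domain webroot" pair.

# stage_token WEBROOT: create a random token file under the challenge
# directory and print the token name; returns 1 if the webroot is not writable.
stage_token() {
  webroot="$1"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # 16 random bytes as hex; od and tr are POSIX, so no openssl dependency
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf 'preflight-%s' "$token" > "$dir/$token" || return 1
  printf '%s' "$token"
}

# challenge_url DOMAIN TOKEN: the URL the validation server will request
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# check_domain DOMAIN WEBROOT: 0 if the staged token is served over HTTP
# from that domain, 1 otherwise. The token file is removed in either case.
check_domain() {
  domain="$1"; webroot="$2"
  token=$(stage_token "$webroot") || { echo "FAIL $domain: cannot write to $webroot"; return 1; }
  expected="preflight-$token"
  got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null)
  rm -f "$webroot/.well-known/acme-challenge/$token"
  if [ "$got" = "$expected" ]; then
    echo "OK   $domain -> $webroot"
  else
    echo "FAIL $domain: $(challenge_url "$domain" "$token") not served from $webroot (check the -w document root)"
    return 1
  fi
}

# check_all: read "domain webroot" pairs from stdin; nonzero if any pair fails
check_all() {
  rc=0
  while read -r domain webroot; do
    [ -n "$domain" ] || continue
    check_domain "$domain" "$webroot" || rc=1
  done
  return $rc
}

# Only run against real domains when explicitly requested, e.g.
#   printf 'biowikifarm.net /var/www\nabcd.biowikifarm.net /var/www/v-abcd\n' \
#     | PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
  check_all
fi
```

A FAIL line for a domain points at the same cause as the "Could not connect" error: either the -w path is not what nginx serves for that host, or the host does not answer on port 80 at all, which the validation server also needs.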
Mixed Content Warning
TODO