Antsle Forum


Configure Web Server for https in NGINX

[UPDATED]

These are the instructions I used to set up HTTPS on my Antsle, to encrypt and proxy a web server through NGINX to my Antlet.

There are 2 methods, both performed on the Antsle:
1) Use letsencrypt.com with certbot (automated)
2) Manually add an SSL cert provided by a provider (i.e. sslforfree.com)

=====================================================================
1) USING LETSENCRYPT WITH CERTBOT (automated)
=====================================================================

1. On the Antsle, run certbot (already installed):

# certbot --nginx

Note: When running for the first time, answer the basic questions:
Email address: [your email address]
Agree to the terms: y
Signup for email lists: n

2. certbot will scan your /etc/nginx/virtualhosts for a list of your domains and ask which to activate for HTTPS:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: YOURDOMAIN.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): [??]

3. Select whether you want HTTP to be redirected to HTTPS

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

4. The following will be displayed

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/YOURDOMAIN/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/YOURDOMAIN/privkey.pem
Your cert will expire on 20XX-XX-XX. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

5. Go to website: https://[YOURDOMAIN]

6. Fully test with https://www.ssllabs.com/ssltest/analyze.html

 

RENEWING A LETSENCRYPT CERT

1. To renew, or to check whether any certs are expired, at any time:

# certbot renew

Note: If any certs are not expired, the expiration date will be displayed.

2. Add the command to crontab to check every night at midnight, and renew any certs that are expired:

Cron entry:
0 0 * * * /usr/bin/certbot renew

That's it!

=====================================================================
2) MANUALLY ADDING CERT PROVIDED BY A PROVIDER (sslforfree.com)
=====================================================================

1. Start with a regular unencrypted website configured in /etc/nginx/virtualhosts. I did this so I could validate mydomain with sslforfree.com (SEE STEP 3)

2. On the antsle (not the antlet), generate a CSR

# mkdir -p /etc/ssl/certs/mycerts
# cd /etc/ssl/certs/mycerts

# openssl req -new -newkey rsa:2048 -nodes -keyout mydomain_tld.key -out mydomain_tld.csr

Generating a RSA private key
.....................................+++++
..+++++
writing new private key to 'mydomain_tld.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Nevada
Locality Name (eg, city) []: Reno
Organization Name (eg, company) [Internet Widgits Pty Ltd]: mydomain
Organizational Unit Name (eg, section) []: IT
Common Name (e.g. server FQDN or YOUR name) []: mydomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(I read to leave the challenge password and company blank; it's no longer used)

# ls -l
total 8
-rw-r--r-- 1 root 1086 Dec 22 15:54 mydomain_tld.csr
-rw-r--r-- 1 root 1708 Dec 22 15:54 mydomain_tld.key

3. Register the CSR with a Certificate Authority. I used a 90-day free certificate from https://sslforfree.com

I provided all the information requested.
The validation method I used was "HTTP File upload". You download a pki-validation file, put it on the antlet running the unencrypted web server so sslforfree.com can see it and validate the domain/site. Just follow the instructions.

They ask you to do the following:

To verify your domain using HTTP File Upload, please follow the steps below:

Download your Auth File using the following link: Download Auth File
Upload the Auth File to your HTTP server under: /.well-known/pki-validation/
Make sure your file is available under the following link: http://mydomain.com/.well-known/pki-validation/13212CAF6DED8318530A950DD6A30000.txt
Make sure your file is also available under the following link: http://www.mydomain.com/.well-known/pki-validation/13212CAF6DED8318530A950DD6A30000.txt

It will look something like this

# cat 13212CAF6DED8318530A950DD6A30000.txt
95AC0C723105150D3E9708637FD417B156789054454D9C9ED2B62EE834BF482D
comodoca.com

4. Make sure you are validated!

5. Click Download to get their certificate for NGINX, and put it on the antsle. NOT APACHE, since it is going in NGINX and not your antlet.

6. IMPORTANT: When you unzip the downloaded file, NGINX requires ALL certificate (.crt) files to be in one file. I read this on the ZeroSSL website.

# unzip mydomain.com.zip
Archive: mydomain.com.zip
extracting: certificate.crt
extracting: ca_bundle.crt

# cat certificate.crt ca_bundle.crt > mydomain.com.crt

7. Create an SSL virtualhost file per the Antsle Documentation

# vi /etc/nginx/virtualhosts/ssl.mydomain.com.conf

# SSL to antlet

# If you want to use your domain example.com in HTTPS mode (with SSL),
# rename this file to ssl.example.com.conf (from ssl.example.com.conf.HTTPS)
# Replace example.com with your domain name.
# Make sure you have your SSL certificate installed properly.
# The certificate files are not required to be in the directories presented here, but
# the path must be the correct path to your certificate files.

# The webserver on your antlet will listen on port 80 (http).
# Nginx on edgeLinux handles SSL (https).

###
### ONE OF THESE NEXT 2 SERVER ENTRIES HAS TO BE COMMENTED OUT OR NGINX ERRORS
###

# Redirect http://www.example.com to https://example.com
# If your domain name does include 'www' then remove this server block and use the full
# domain name in the last server block.
#server {
#    listen 80;
#    server_name www.mydomain.com;
#    rewrite ^ https://mydomain.com$request_uri redirect;
#}

# Redirect http://... to https://...
server {
    listen 80;
    server_name mydomain.com;
    rewrite ^ https://mydomain.com$request_uri redirect;
}

# Redirect https://www... to https://example.com
# If your domain name does include 'www' then remove this server block and use the full
# domain name in the last server block.
server {
    listen 443 ssl;
    # The combined leaf + CA bundle file created in step 6, and the key from step 2
    ssl_certificate /etc/ssl/certs/mycerts/mydomain.com.crt;
    ssl_certificate_key /etc/ssl/certs/mycerts/mydomain_tld.key;
    server_name www.mydomain.com;
    rewrite ^ $scheme://mydomain.com$request_uri redirect;
}

# Think of the word 'example' in 'upstream example' as a variable name which is
# used in other server blocks. This name must be unique among all your .conf
# files. It is used in the two 'proxy_pass' lines in the next server block.
# If you change the upstream variable name then be sure to update the proxy_pass
# lines also.
#
# **** I USED ANTLET BECAUSE IT JUST NEEDS TO BE UNIQUE ****
upstream antlet {
    # Enter the IP address and port number of your antlet handling this domain
    server 10.1.1.XX:80;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/mycerts/mydomain.com.crt;
    ssl_certificate_key /etc/ssl/certs/mycerts/mydomain_tld.key;
    server_name mydomain.com;
    root /var/www;

    location / {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_buffers 4 256k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;

        # Tell the antlet's web server who the real client is and that the
        # original request arrived over HTTPS
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Ssl off;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;

        proxy_pass http://antlet;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|woff|woff2)(\?.*)?$ {
        expires 365d;
        add_header Cache-Control "public, max-age=315360000";
        access_log off;

        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_buffers 8 24k;
        proxy_buffer_size 2k;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Ssl off;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;

        # The 'STATIC' cache zone must be declared with a proxy_cache_path
        # directive in the http context (check nginx.conf) or nginx will not start
        proxy_cache STATIC;
        proxy_cache_valid 200 1d;
        proxy_cache_use_stale error timeout invalid_header updating
                              http_500 http_502 http_503 http_504;

        proxy_pass http://antlet;
    }
}

8. Move your unencrypted virtualhost files out of the way:

# cd /etc/nginx/virtualhosts
# mv mydomain.com.conf ~/
# mv www.mydomain.com.conf ~/

9. Restart NGINX

In one window, watch for any errors:
# tail -f /var/log/nginx/error_log

In another window restart nginx
# service nginx restart

10. DON'T FORGET to set the PORT FORWARDING RULE for 443 on the router to point to your Antsle.

That should be it!

I don't know yet:

  1. Within 90 days when the cert expires, figure out how to automate renewing a cert from sslforfree.com, or find another source for free certs?
  2. Can I configure a webserver on another Antlet with a different domain as well by just creating another ssl virtualhost with the same certs or do I have to generate new certs from sslforfree.com?
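Two things worth checking after the steps above: that the chain NGINX serves is complete (step 6, the concatenated certificate.crt + ca_bundle.crt) and how many days are left before the 90-day expiry asked about in "I don't know yet". This added example (not from the post, and not Antsle's or sslforfree.com's code) does a verifying TLS handshake against a domain, exactly as a browser would, and reports the remaining validity; it assumes the Antsle is reachable on port 443 and the SAMPLE_CERT dict is a constructed stand-in for offline use.

```python
"""Check the chain and remaining validity of the certificate an NGINX front end
serves for a domain. Added example, not code from the forum post."""
import socket
import ssl
import time

WARN_DAYS = 30  # Let's Encrypt certs live 90 days; warn with a month to spare


def days_until_expiry(peercert, now_ts=None):
    """Whole days until the notAfter date of an ssl getpeercert() dict."""
    now_ts = time.time() if now_ts is None else now_ts
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return int((not_after - now_ts) // 86400)


def fetch_peercert(host, port=443, timeout=5):
    """TLS handshake with full verification, as a browser does it. It fails if
    the served chain is incomplete (e.g. ca_bundle.crt was not concatenated
    into the ssl_certificate file) or the name does not match."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, now_ts=None, fetch=fetch_peercert):
    """Return (ok, message). `fetch` is injectable so the logic runs offline."""
    try:
        cert = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        return False, f"{host}: chain does not verify ({exc})"
    except OSError as exc:  # other ssl.SSLError and socket failures
        return False, f"{host}: connection failed ({exc})"
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return False, f"{host}: certificate expired {-days} days ago"
    if days < WARN_DAYS:
        return False, f"{host}: certificate expires in {days} days, renew now"
    return True, f"{host}: ok, {days} days left"


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mydomain.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(check_host(h)[1])
```

Run it from cron with your domains as arguments and alert on a non-ok line; a failed verification right after step 6 usually means the CA bundle was left out of the combined file.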

Hi @akak01000101

Thanks so much for the detailed and comprehensive guide for configuring HTTPS with NGINX.

This will be very helpful to those in our community.

As far as another source for free certs with auto-renew, I recommend letsencrypt


@lancem

Thanks for the suggestion of letsencrypt.

@lancem

If you use letsencrypt, where do you run certbot from, the antsle (nginx) or the antlet (apache)?

It almost sounds like you run it on the antlet, then would have to remotely copy it to /etc/ssl/nginx on the antsle and restart nginx.

I have letsencrypt and the certs on the antsle.  For most of my antlets, I have a conf file in the /etc/nginx/conf.d directory that references the certificate files and does the proxy to my antlet using http (not https).

For the few antlets that need ssl in their web servers (I have a nextcloud antlet that needs it, for example), I've shared my /etc/letsencrypt directory via nfs* on the antsle and the antlet mounts it read-only into its /etc/letsencrypt directory (so they both have access to the same certificate files).  I had to do this for my mail-in-a-box e-mail antlet, also.

The renewal script for the certs runs on the antsle.

I can upload some example conf scripts tomorrow when I'm at home.

 

* Actually, in a bit of overkill, I've created a zfs file system "antlets/letsencrypt" with mount point /etc/letsencrypt where all the certs are (including the built-in antsle stuff).  I also use zfs-auto-snapshot so I can generate snapshots to rollback to if I mess something up.

First I tarred the letsencrypt directory (this preserves ownerships and permissions):

# cd /etc
# tar -cf letsencrypt.tar letsencrypt
# mv letsencrypt letsencrypt-old
# zfs create -o mountpoint=/etc/letsencrypt antlets/letsencrypt
# tar -xf letsencrypt.tar

Now you should have your letsencrypt directory on a zfs filesystem.

Then you can use the sharenfs property to share it (read-only) to all your antlets.

I'll include that stuff tomorrow, too.

 


No examples needed. Thanks! I just used letsencrypt on a couple of domains. It's way better than registering with an SSL provider like sslforfree.com and configuring everything manually. I get what you are doing with the web servers that need the SSL on the antlet; makes sense.

I'll update the original post with letsencrypt as an option as well.

Thanks again

-akak

PS> I didn't know about mail-in-a-box. Going to play with that next!


That good service
