Https


Configure HTTP server

  • You need the well-known directory structure to be reachable over the HTTP and HTTPS protocols, so you need to expose this structure in your web server

Apache

  • NOTE: we will use example.com and www.example.com as the domain examples in this wiki
  • If you have a redirect rule from example.com to www.example.com, you may need to exclude the well-known structure from that rule
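# Vhost 1: the bare domain. It only (a) answers ACME HTTP-01 challenges and
# (b) redirects everything else to the www host.
# NOTE: Define is global in Apache, not scoped to the VirtualHost; the same
# names are re-Defined in the second vhost, so keep the two in sync.
<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE ${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www

    ServerName ${SITE}
    DocumentRoot ${DOCROOT}

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Only redirect requests addressed to the bare domain; [NC] because
        # the Host header is case-insensitive.
        RewriteCond %{HTTP_HOST} ^${SITE}$ [NC]
        # Never redirect the ACME challenge path, or validation can fail.
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        # The target is built from DOMAIN: the earlier "http://www.${SITE}/"
        # with SITE already set to www.example.com produced www.www.example.com.
        RewriteRule ^/(.*)$ http://www.${DOMAIN}/$1 [L,R=301]
    </IfModule>

    # Serve challenge tokens as plain files. No directory listing (Indexes)
    # is needed: the CA fetches each token by its exact path, and listing
    # the directory only exposes pending token names.
    <Directory ${DOCROOT}/.well-known/acme-challenge>
        Options None
        AllowOverride None
        # Apache 2.2 access syntax; on 2.4 use "Require all granted"
        # instead (or enable mod_access_compat).
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Vhost 2: the real site on www.
<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE www.${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www

    ServerName ${SITE}
    DocumentRoot ${DOCROOT}

    [...] # specific www.example.com configs

</VirtualHost>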

Prepare Apache configuration

  • Enable SSL and configure 443 virtualhost
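# Enable mod_ssl (Debian/Ubuntu helper) and make sure Apache listens on 443.
a2enmod ssl
# Debian's ports.conf normally already contains:
#   <IfModule mod_ssl.c>
#       Listen 443
#   </IfModule>
# Check for the directive instead of eyeballing the file; open the editor
# only when it is missing.
grep -q -- 'Listen 443' /etc/apache2/ports.conf || nano /etc/apache2/ports.conf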
  • Restart Apache BEFORE making the following changes
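# Restart so mod_ssl is loaded before the 443 vhost is added. Validate the
# configuration first: a broken config would leave Apache down after the
# restart. "service apache2" matches RELOAD_CMD in getssl.cfg below.
apache2ctl configtest && service apache2 restart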
  • Now prepare the configuration for the future certificate files (they do not exist yet)
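# NOTE: on Debian/Ubuntu with Apache 2.4 the site file needs a .conf suffix
# (sites-available/example.com.conf) for a2ensite to pick it up; adjust the
# name to your setup.
nano /etc/apache2/sites-available/example.com
# add like that:
#
# to redirect all requests to HTTPS
# (Let's Encrypt follows redirects during HTTP-01 validation, but keeping the
# /.well-known/acme-challenge/ exclusion from the rewrite block above avoids
# depending on that)
# <VirtualHost *:80>
#     Redirect permanent "/" "https://${SITE}/"
# </VirtualHost>
#
# <VirtualHost *:443>
#     ServerName ${SITE}   # needed so name-based matching selects this vhost
#     <IfModule ssl_module>
#         SSLEngine On
#         # paths must match DOMAIN_CERT_LOCATION / DOMAIN_KEY_LOCATION /
#         # CA_CERT_LOCATION in getssl.cfg below
#         SSLCertificateFile /etc/ssl/certs/example.com.crt
#         # keep the private key readable by root only (chmod 600)
#         SSLCertificateKeyFile /etc/ssl/private/example.com.key
#         # SSLCertificateChainFile is deprecated since Apache 2.4.8: append
#         # the intermediate chain to SSLCertificateFile instead
#         SSLCertificateChainFile /etc/ssl/certs/example.com.bundle
#         # also restrict SSLProtocol / SSLCipherSuite to current
#         # recommendations; the defaults allow legacy protocol versions
#     </IfModule>
# </VirtualHost>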

Obtain the free certificate

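# Run as root: writes into /etc/ssl and the site DocumentRoot.
mkdir -p /srv/domain/example.com/www/.well-known/acme-challenge
# Fetch the getssl client. -f makes curl fail on an HTTP error instead of
# saving the error page as the script; --proto '=https' refuses a downgrade.
# This still executes whatever is on the master branch as root: prefer a
# pinned release (replace "master" with <RELEASE_TAG>) and read the script
# before running it.
curl -fsS --proto '=https' https://raw.githubusercontent.com/srvrco/getssl/master/getssl -o getssl && chmod 700 getssl
mkdir -p ~/tmp/example.com
# Quoted delimiter: nothing in the config is meant to be expanded by this shell.
cat > ~/tmp/example.com/getssl.cfg << 'EOF'
# The ACME v1 endpoint (acme-v01) has been shut down by Let's Encrypt.
CA="https://acme-v02.api.letsencrypt.org"
SANS="www.example.com"
# Must match the acme-challenge <Directory> of the port-80 vhost above.
ACL=('/srv/domain/example.com/www/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/etc/ssl/certs/example.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/private/example.com.key"
CA_CERT_LOCATION="/etc/ssl/certs/example.com.bundle"
RELOAD_CMD="service apache2 reload"
EOF
./getssl -w ~/tmp example.com
# The working directory holds the account key and per-domain state that
# getssl reuses for renewals; deleting it (and the script) means the
# renewal described below has to start from scratch.
rm -rf ~/tmp/example.com ./getssl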

TODO automate update of certificate validity

use getssl to renew the certificate before it expires

References