Setting Up Wildcard Subdomains with SSL on a Debian Application: Difference between revisions

=== 1. Handling Environment Variables ===


We’ll first add three environment variables to capture the information the rest of the setup depends on: DNS_AUTHENTICATION, CERTBOT_EMAIL, and FQDN. These variables are defined through Debconf, which lets the package prompt for the values during installation and on later reconfiguration.


'''DNS_AUTHENTICATION''': This string is required for Certbot’s DNS-based (DNS-01) challenge, which is the only challenge type that can validate a wildcard name. It carries the TSIG key used for RFC 2136 dynamic updates: a key name, the HMAC algorithm and the base64 secret, followed by the hostname of the authoritative nameserver that accepts the updates.
'''CERTBOT_EMAIL''': This email address is used when registering an account with Let’s Encrypt. Important notifications about certificate issues (for example expiry warnings) will be sent to this address.


'''FQDN''': This is the fully qualified domain name of the primary domain for which the wildcard certificate will be issued; <code>staging-elearning.nl</code> in this guide’s example. The certificate covers this name and one level of subdomains below it (<code>*.staging-elearning.nl</code>).




<pre lang="bash">
Template: <PKG_NAME>/DNS_AUTHENTICATION
Type: string
Default:
Description: DNS authentication string in the following format: dns://<key_name>:<key_algorithm>~<key_secret_base64>@<authoritative_nameserver_domainname>

Template: <PKG_NAME>/CERTBOT_EMAIL
Type: string
Default:
Description: Enter the email that certificate issues should be reported to. Entering this will result in accepting the Let's Encrypt terms and conditions.

Template: <PKG_NAME>/FQDN
Type: string
Default:
Description: Enter the fully qualified domain name for ...
</pre>
<code><PKG_NAME></code> is the name of your Debian package, <code>kaboom-api</code> in our case. Keep in mind that DNS_AUTHENTICATION contains the TSIG secret: with <code>Type: string</code> Debconf keeps the answer in <code>/var/cache/debconf/config.dat</code>, which is world-readable. If that is a concern, use <code>Type: password</code>, which Debconf stores in the root-only <code>passwords.dat</code> instead, and clear the value with <code>db_reset</code> once <code>dns-auth.conf</code> has been written.


Add the following lines to your <code>debian/config</code> file to queue the questions at priority <code>medium</code>. <code>db_input</code> only registers a question; the <code>db_go</code> that follows it in the script displays it. The <code>|| true</code> keeps the script from aborting when a question is skipped, which happens when it was already answered or when its priority is below the configured threshold. Note that Debian’s default Debconf priority is <code>high</code>, so <code>medium</code> questions are not asked during a default installation and the postinst would then run with empty values; use <code>high</code> for values the installation cannot do without, or rely on <code>dpkg-reconfigure</code> as described below.
<pre lang="bash">
db_input medium <PKG_NAME>/CERTBOT_EMAIL || true
db_input medium <PKG_NAME>/DNS_AUTHENTICATION || true
db_input medium <PKG_NAME>/FQDN || true
</pre>
<pre lang="bash">
db_get <PKG_NAME>/DNS_AUTHENTICATION
DNS_AUTHENTICATION="$RET"

db_get <PKG_NAME>/CERTBOT_EMAIL
CERTBOT_EMAIL="$RET"

db_get <PKG_NAME>/FQDN
FQDN="$RET"
</pre>


Once the package is installed, these values can be set or changed at any time by re-running the configuration step with:
<code>sudo dpkg-reconfigure <PKG_NAME></code>


=== 2. Automating SSL and Wildcard Domain Setup in postinst ===
dns_host_aaaa="$(dig +short AAAA "$dns_hostname" | head -n1)"

[ -d /etc/<dns-conf-dir> ] || mkdir -p /etc/<dns-conf-dir>

# umask 266 gives the new file mode 0400 (readable by root only), which is what
# Certbot expects for a credentials file. The umask stays in effect for everything
# the script creates afterwards unless it is reset.
umask 266
cat > /etc/<dns-conf-dir>/dns-auth.conf <<CONF
# Managed by apt, please use dpkg-reconfigure <PKG_NAME> to modify
dns_rfc2136_server = $dns_host_aaaa
dns_rfc2136_port = 53


This configuration file is read by Certbot’s <code>dns-rfc2136</code> plugin to authenticate against the nameserver and prove domain ownership through the DNS challenge.
In the case of our guide with the kaboom-api example, <code><dns-conf-dir></code> is <code>kaboom</code>, so the file ends up at <code>/etc/kaboom/dns-auth.conf</code>; it’s up to you to select the right naming for your case. Keep the path absolute: a relative <code>etc/...</code> path depends on the working directory of the postinst and, when reused in the Nginx configuration later on, Nginx would resolve it against its own prefix rather than <code>/</code>.
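The part of the postinst that derives <code>dns_hostname</code> and the key fields from DNS_AUTHENTICATION lies outside the excerpt above. The following shell functions are an added example, not the guide’s own code: they split a <code>dns://&lt;key_name&gt;:&lt;key_algorithm&gt;~&lt;key_secret_base64&gt;@&lt;nameserver&gt;</code> string into its parts, reject malformed input before anything is written to <code>/etc</code>, and render the five keys the <code>dns-rfc2136</code> plugin documents. The function names, the sample string (with a dummy secret) and the fixed server address are the example’s own.

```bash
#!/bin/bash
# Added example, not code from the original guide: validate and parse the
# DNS_AUTHENTICATION string collected by debconf,
#   dns://<key_name>:<key_algorithm>~<key_secret_base64>@<authoritative_nameserver_domainname>
# and render the credentials file for certbot's dns-rfc2136 plugin.
# parse_dns_auth, render_rfc2136_credentials and SAMPLE are the example's own names.

# TSIG algorithms the certbot-dns-rfc2136 plugin accepts.
ALLOWED_ALGOS="HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512"

# parse_dns_auth URI FIELD
# FIELD is key_name, key_algorithm, key_secret or nameserver. Prints the field and
# returns 0, or prints nothing and returns 1 if the URI fails any check.
parse_dns_auth() {
    local uri=$1 field=$2 rest key_name key_algorithm key_secret nameserver
    case $uri in
        dns://*:*~*@*) ;;
        *) return 1 ;;
    esac
    rest=${uri#dns://}
    key_name=${rest%%:*}         # up to the first ':'
    rest=${rest#*:}
    key_algorithm=${rest%%~*}    # up to the first '~'
    rest=${rest#*~}
    key_secret=${rest%@*}        # up to the last '@' (base64 never contains '@')
    nameserver=${rest##*@}       # after the last '@'

    # Key name and nameserver: non-empty DNS names (letters, digits, '.', '-', '_').
    case $key_name in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $nameserver in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Algorithm: one of the plugin's names, compared case-insensitively.
    key_algorithm=$(printf '%s' "$key_algorithm" | tr 'a-z' 'A-Z')
    case " $ALLOWED_ALGOS " in *" $key_algorithm "*) ;; *) return 1 ;; esac
    # Secret: base64 alphabet only, length a multiple of 4.
    case $key_secret in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#key_secret} % 4 )) -eq 0 ] || return 1

    case $field in
        key_name)      printf '%s\n' "$key_name" ;;
        key_algorithm) printf '%s\n' "$key_algorithm" ;;
        key_secret)    printf '%s\n' "$key_secret" ;;
        nameserver)    printf '%s\n' "$nameserver" ;;
        *) return 1 ;;
    esac
}

# render_rfc2136_credentials URI SERVER_IP
# Prints the body of a dns-auth.conf for the dns-rfc2136 plugin; SERVER_IP is the
# resolved address of the nameserver (the postinst obtains it with dig).
render_rfc2136_credentials() {
    local uri=$1 server_ip=$2 name algo secret
    name=$(parse_dns_auth "$uri" key_name)      || return 1
    algo=$(parse_dns_auth "$uri" key_algorithm) || return 1
    secret=$(parse_dns_auth "$uri" key_secret)  || return 1
    printf 'dns_rfc2136_server = %s\n' "$server_ip"
    printf 'dns_rfc2136_port = 53\n'
    printf 'dns_rfc2136_name = %s\n' "$name"
    printf 'dns_rfc2136_secret = %s\n' "$secret"
    printf 'dns_rfc2136_algorithm = %s\n' "$algo"
}

# Constructed sample: dummy TSIG secret, not a real key.
SAMPLE='dns://certbot-key:hmac-sha256~c2VjcmV0LWtleS1mb3ItdGhlLWV4YW1wbGU=@ns1.example.net'

# Demo with a fixed documentation address so the script runs offline.
render_rfc2136_credentials "$SAMPLE" 192.0.2.53
```

Running a string through <code>parse_dns_auth</code> before writing <code>dns-auth.conf</code> turns a typo in the debconf answer into an immediate, readable failure instead of a Certbot error at the first renewal.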


Once the script has been executed, the <code>dns-auth.conf</code> file should look something like this:
fi

# Request the certificate only when it does not exist yet (same "[ -f ] ||" idiom as
# the dhparam step below). Both names are requested: the wildcard alone does not
# cover the bare domain.
[ -f "/etc/letsencrypt/live/<cert-name>/fullchain.pem" ] || certbot certonly --non-interactive \
    --cert-name <cert-name> \
    --dns-rfc2136 --dns-rfc2136-credentials /etc/<dns-conf-dir>/dns-auth.conf \
    --domain "$FQDN" --domain "*.$FQDN" \
    --deploy-hook /usr/share/<PKG_NAME>/bin/cert-deploy
</pre>




In the case of our guide with the kaboom-api example, <code><cert-name></code> is <code>kaboom-elearning</code>; again, it’s up to you to select the right naming for your case.
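The command above puts two names on the certificate, <code>$FQDN</code> and <code>*.$FQDN</code>, because a wildcard matches exactly one label: <code>www.staging-elearning.nl</code> is covered by the wildcard, <code>staging-elearning.nl</code> only by the first <code>--domain</code>, and <code>a.b.staging-elearning.nl</code> by neither. The following function is an added example, not the guide’s code, that applies those matching rules (the ones browsers use, RFC 6125) to a list of hostnames so you can check which names a deployment will actually serve without a certificate warning; <code>cert_covers</code> and the sample hostnames are the example’s own.

```bash
#!/bin/bash
# Added example, not code from the original guide: check whether a hostname is
# covered by the names on a certificate, using the wildcard rules browsers apply
# (RFC 6125): "*.X" matches exactly one non-empty leftmost label in front of X,
# never X itself and never two labels. cert_covers is the example's own name.

# cert_covers HOST SAN...   returns 0 if HOST matches one of the SANs, 1 otherwise.
cert_covers() {
    local host=$1 san label parent
    shift
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    label=${host%%.*}     # leftmost label of the host
    parent=${host#*.}     # everything after the first dot (equals host if no dot)
    for san in "$@"; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case $san in
            \*.*)
                # Wildcard: host needs at least two labels, a non-empty first label,
                # and its parent must equal the part of the SAN after "*."
                [ "$host" != "$parent" ] && [ -n "$label" ] && \
                    [ "$parent" = "${san#\*.}" ] && return 0
                ;;
            *)
                # Plain SAN: exact, case-insensitive match.
                [ "$host" = "$san" ] && return 0
                ;;
        esac
    done
    return 1
}

# Names the guide's certbot command places on the certificate.
FQDN=staging-elearning.nl

# Constructed hostnames to check against $FQDN and *.$FQDN.
for h in staging-elearning.nl www.staging-elearning.nl tenant1.staging-elearning.nl \
         a.b.staging-elearning.nl evil-staging-elearning.nl; do
    if cert_covers "$h" "$FQDN" "*.$FQDN"; then
        printf '%-32s covered\n' "$h"
    else
        printf '%-32s NOT covered\n' "$h"
    fi
done
```

The last two sample names show the two ways a wildcard deployment silently breaks: a second level of subdomains (<code>a.b.…</code>) needs its own certificate, and a similar-looking sibling domain is not covered just because it ends in the same string.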
==== c. Generating Diffie-Hellman Parameters for SSL ====
Diffie-Hellman parameters supply the group used by the <code>DHE-*</code> cipher suites in the Nginx configuration below (TLS 1.2 only; TLS 1.3 and the <code>ECDHE</code> suites negotiate their own curve and do not use this file). To ensure the file exists, add the following to <code>debian/postinst</code>:
<pre lang="bash">
[ -f "/etc/<dns-conf-dir>/ssl-dhparams.pem" ] || openssl dhparam -out /etc/<dns-conf-dir>/ssl-dhparams.pem 2048
</pre>
This checks for an existing <code>ssl-dhparams.pem</code> file and generates a 2048-bit group if it is missing. The parameters are public and only define the DH group, so they do not need to be kept secret; generating them can take a minute or more on a small machine.
==== d. Configuring Nginx for Wildcard SSL ====
Finally, configure Nginx to handle requests for the wildcard domain and apply the TLS settings. Here’s the code to create a new Nginx server block for the wildcard domain. Note that <code>server_name *.$FQDN</code> matches subdomains only; requests for the bare <code>$FQDN</code>, which the certificate also covers, need their own <code>server_name</code> entry or server block.
<pre lang="bash">
cat >/etc/nginx/sites-available/<cert-name> <<CONF
server {
    root /usr/share/<PKG_NAME>/public;
    server_name *.$FQDN;
    location / {
        # <PKG_NAME> is assumed to be an upstream block defined elsewhere in the
        # Nginx configuration (not part of this section).
        proxy_pass http://<PKG_NAME>/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # 0 disables the request body size limit; set an explicit cap unless the
        # backend really has to accept arbitrarily large uploads.
        client_max_body_size 0;
        proxy_redirect off;
        proxy_buffering off;
    }
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem;
    ssl_dhparam /etc/<dns-conf-dir>/ssl-dhparams.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
}
CONF
[ -L /etc/nginx/sites-enabled/<cert-name> ] || ln -s /etc/nginx/sites-available/<cert-name> /etc/nginx/sites-enabled
# -q hides the "syntax is ok" lines; errors are still printed, and a failed test
# skips the reload (the postinst itself continues because of the && list).
nginx -q -t && service nginx reload
</pre>