| Line 174: | Line 174: | ||
</pre> | </pre> | ||
This block registers Certbot, checks for an existing certificate, and if none exists, requests a new certificate using DNS authentication with the specified dns-auth.conf file. The --deploy-hook option calls the cert-deploy file after each certificate issuance or renewal. We will create the cert-deploy | This block registers Certbot, checks for an existing certificate, and if none exists, requests a new certificate using DNS authentication with the specified dns-auth.conf file. The --deploy-hook option calls the cert-deploy file after each certificate issuance or renewal. We will create the cert-deploy step '''f. Creating the cert-deploy Deploy Hook'''. | ||
In the case of our guide with the kaboom-api example, <code><CERT_NAME></code> is <code>kaboom-elearning</code>, again it's up to you to select the right naming for your case. | In the case of our guide with the kaboom-api example, <code><CERT_NAME></code> is <code>kaboom-elearning</code>, again it's up to you to select the right naming for your case. | ||
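Review bot: the reworded sentence "We will create the cert-deploy step '''f. Creating the cert-deploy Deploy Hook'''." is missing a preposition and the word "script"; suggest "We will create the cert-deploy script in step '''f. Creating the cert-deploy Deploy Hook'''." so the forward reference reads as a sentence. Since this paragraph introduces <code><CERT_NAME></code> as a placeholder while the worked example hard-codes <code>kaboom-elearning</code>, it would also help to say here that the same value must be used consistently in the certbot <code>--cert-name</code>, the nginx <code>ssl_certificate</code> paths and the <code>cert-deploy</code> comparison against <code>/etc/letsencrypt/live/<CERT_NAME></code>, because a mismatch makes the hook reject its own renewal with "Unknown certificate renewed" and nginx is never reloaded.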
| Line 228: | Line 228: | ||
[ -L /etc/nginx/sites-enabled/<CERT_NAME> ] || ln -s /etc/nginx/sites-available/<CERT_NAME> /etc/nginx/sites-enabled | [ -L /etc/nginx/sites-enabled/<CERT_NAME> ] || ln -s /etc/nginx/sites-available/<CERT_NAME> /etc/nginx/sites-enabled | ||
nginx -q -t && service nginx reload | |||
</pre> | |||
==== e. Wrapping everything in an if statement ==== | |||
You do not want to run that part of the postinst script if you do not have the DNS_AUTHENTICATION, CERTBOT_EMAIL, and FQDN variables set. | |||
This is why we’ll wrap everything we just covered inside an if statement | |||
<pre lang="bash"> | |||
if [ -n "$DNS_AUTHENTICATION" ] && [ -n "$CERTBOT_EMAIL" ] && [ -n "$FQDN" ] ; then | |||
#Everything we just wrote | |||
else | |||
echo "one or more of DNS_AUTHENTICATION, CERTBOT_EMAIL, FQDN are missing, skipping wildcard subdomains SSL certificate setup." | |||
fi | |||
</pre> | |||
Here is what the finished code looks like in the kaboom-api example | |||
<pre lang="bash"> | |||
if [ -n "$DNS_AUTHENTICATION" ] && [ -n "$CERTBOT_EMAIL" ] && [ -n "$FQDN" ] ; then | |||
dns_hostname_path="$(cut -d'@' -f2- <<<"$DNS_AUTHENTICATION")" | |||
dns_schema_auth="$(cut -d'@' -f1 <<<"$DNS_AUTHENTICATION")" | |||
dns_hostname="$(cut -d'/' -f1 <<<"$dns_hostname_path")" | |||
dns_auth="$(cut -d'/' -f3- <<<"$dns_schema_auth")" | |||
dns_auth_keyname="$(cut -d':' -f1 <<<"$dns_auth")" | |||
dns_auth_algorithm="$(cut -d':' -f2- <<<"$dns_auth" | cut -d'~' -f1 | tr '[:lower:]' '[:upper:]')" | |||
dns_auth_secret="$(cut -d':' -f2- <<<"$dns_auth" | cut -d'~' -f2-)" | |||
dns_host_aaaa="$(dig +short AAAA "$dns_hostname" | head -n1)" | |||
[ -d /etc/kaboom ] || mkdir -p /etc/kaboom | |||
umask 266 | |||
cat >/etc/kaboom/dns-auth.conf <<CONF | |||
# Managed by apt, please use dpkg-reconfigure kaboom-api to modify | |||
dns_rfc2136_server = $dns_host_aaaa | |||
dns_rfc2136_port = 53 | |||
dns_rfc2136_name = $dns_auth_keyname | |||
dns_rfc2136_secret = $dns_auth_secret | |||
dns_rfc2136_algorithm = $dns_auth_algorithm | |||
CONF | |||
umask 022 | |||
certbot_account_count="$(find /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/ -maxdepth 1 -mindepth 1 | wc -l)" | |||
if [ "z$certbot_account_count" = "z0" ]; then | |||
certbot register --non-interactive --email "$CERTBOT_EMAIL" --no-eff-email --agree-tos | |||
fi | |||
echo "Checking if SSL certificate already exists" | |||
if [ ! -f "/etc/letsencrypt/live/kaboom-elearning/fullchain.pem" ]; then | |||
echo "Requesting new certificate for $FQDN and *.$FQDN" | |||
certbot certonly --non-interactive --cert-name kaboom-elearning --dns-rfc2136 --dns-rfc2136-credentials /etc/kaboom/dns-auth.conf --domain "$FQDN" --domain "*.$FQDN" --deploy-hook /usr/share/kaboom-api/bin/cert-deploy | |||
if [ $? -eq 0 ]; then | |||
echo "Certificate obtained successfully" | |||
else | |||
echo "Error obtaining certificate" | |||
fi | |||
else | |||
echo "Certificate already exists" | |||
fi | |||
echo "Checking if SSL DHParams file already exists" | |||
if [ ! -f "/etc/kaboom/ssl-dhparams.pem" ]; then | |||
openssl dhparam -out /etc/kaboom/ssl-dhparams.pem 2048 | |||
if [ $? -eq 0 ]; then | |||
echo "DHParams generated successfully" | |||
else | |||
echo "Error generating DHParams" | |||
fi | |||
else | |||
echo "DHParams file already exists" | |||
fi | |||
cat >/etc/nginx/sites-available/kaboom-elearning <<CONF | |||
server { | |||
root /usr/share/kaboom-api/public; | |||
server_name *.$FQDN; | |||
location / { | |||
proxy_pass http://kaboom_api/; | |||
proxy_set_header Host \$host; | |||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; | |||
proxy_set_header X-Forwarded-Proto \$scheme; | |||
proxy_buffers 8 32k; | |||
proxy_buffer_size 64k; | |||
client_max_body_size 0; | |||
proxy_redirect off; | |||
proxy_buffering off; | |||
} | |||
listen [::]:443 ssl http2; | |||
listen 443 ssl http2; | |||
ssl_certificate /etc/letsencrypt/live/kaboom-elearning/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/kaboom-elearning/privkey.pem; | |||
ssl_dhparam /etc/kaboom/ssl-dhparams.pem; | |||
ssl_session_cache shared:le_nginx_SSL:10m; | |||
ssl_session_timeout 1440m; | |||
ssl_session_tickets off; | |||
ssl_protocols TLSv1.2 TLSv1.3; | |||
ssl_prefer_server_ciphers off; | |||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; | |||
} | |||
CONF | |||
[ -L /etc/nginx/sites-enabled/kaboom-elearning ] || ln -s /etc/nginx/sites-available/kaboom-elearning /etc/nginx/sites-enabled | |||
nginx -q -t && service nginx reload | |||
else | |||
echo "one or more of DNS_AUTHENTICATION, CERTBOT_EMAIL, FQDN are missing, skipping wildcard subdomains SSL certificate setup." | |||
fi | |||
</pre> | |||
==== f. Creating the cert-deploy Deploy Hook ==== | |||
The certbot command calls in a <code>cert-deploy</code> file via the --deploy-hook flag. This <code>cert-deploy</code> script, should be created in <code>/usr/share/<PKG_NAME>/bin</code>, and runs after each certificate issuance or renewal. | |||
<pre lang="bash"> | |||
#!/bin/bash | |||
set -euo pipefail | |||
if [ "z$RENEWED_LINEAGE" != "z/etc/letsencrypt/live/<CERT_NAME>" ]; then | |||
echo "Unknown certificate renewed, ignoring" 1>&2 | |||
exit 1 | |||
fi | |||
nginx -q -t && service nginx reload | nginx -q -t && service nginx reload | ||
</pre> | </pre> | ||
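Review bot: <code>umask 266</code> only governs the mode of a file that <code>cat >/etc/kaboom/dns-auth.conf</code> creates; when the postinst is re-run (package upgrade, or <code>dpkg-reconfigure kaboom-api</code> as the file's own comment invites) the existing file is truncated and rewritten with whatever mode it already has, so the TSIG secret that authorizes updates to the zone is only as protected as the first run left it. Add an explicit <code>chmod 0400 /etc/kaboom/dns-auth.conf</code> after the <code>CONF</code> terminator (or create the file with <code>install -m 0400 /dev/null /etc/kaboom/dns-auth.conf</code> before writing it) so the mode is enforced on every run. Three smaller points in the same block: <code>dns_host_aaaa="$(dig +short AAAA "$dns_hostname" | head -n1)"</code> leaves <code>dns_rfc2136_server</code> empty for a DNS server without an AAAA record, which surfaces later as a confusing certbot failure rather than here, so fall back to <code>dig +short A</code> or abort with a message when the lookup is empty (and the package that ships <code>dig</code> belongs in Depends); the <code>if [ $? -eq 0 ]</code> checks after <code>certbot certonly</code> and <code>openssl dhparam</code> are never reached on failure if the postinst runs under <code>set -e</code>, as Debian maintainer scripts conventionally do, so write <code>if certbot certonly ...; then</code> and <code>if openssl dhparam ...; then</code> instead; and the site is symlinked into <code>sites-enabled</code> and <code>nginx -q -t && service nginx reload</code> is attempted even when the certificate request failed, in which case the config points at a missing <code>fullchain.pem</code>, the test fails, the reload is silently skipped, and the broken site stays enabled so the next nginx restart fails as well. Guard the symlink and the reload with a test for <code>/etc/letsencrypt/live/kaboom-elearning/fullchain.pem</code>, or remove the symlink when <code>nginx -t</code> fails. In the <code>cert-deploy</code> hook, <code>set -u</code> combined with the unguarded <code>$RENEWED_LINEAGE</code> makes a manual invocation abort with an unbound-variable error before it reaches the "Unknown certificate renewed" message; <code>${RENEWED_LINEAGE:-}</code> keeps the intended check.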