For detail see your own aws environment -2024
SSL not working?
visit https://joeyxff.blogspot.com/2020/01/apache2-ssl-does-not-work-on-server-or.html
******** Redirect / https://mydomain.ca/
The slash after mydomain.ca is important because without it http://mydomain.ca/test will go to https://mydomain.catest instead of https://mydomain.ca/test
1. Purchase a valid domain
2. Add DNS A record to map the domain to public IP of server
VIRTUAL HOST:
(mkdir -p means: create the directory and, if required, all parent directories.)
3. $sudo mkdir -p /var/www/mydomain/html
4. $sudo chown -R $USER:$USER /var/www/mydomain/
5. $sudo chmod -R 750 /var/www/mydomain/ (see the following notes for details)
- Apache2 has the default user www-data and group www-data; double check with $ less /etc/passwd, and check groups with $ cat /etc/group
- The key point is that the web server accesses the Vue js files && Laravel php files as the www-data user to serve the application in response to browser requests
- A clean, independent group needs to be created for the currently logged in user (with root permission) && www-data
- Create a webdev group with $sudo addgroup webdev. Add www-data to the group with $sudo adduser www-data webdev. Then also add the current user to the webdev group: $sudo adduser jxiang webdev
- Save all work and reboot the OS for the newly created group to take effect: $sudo reboot
- Check that apache2 has restarted after the reboot: $ service apache2 status
- Restart apache2 if needed: $service apache2 restart
- Change ownership of my-ssl.ca (/var/www/mydomain/) to current_user:webdev: $chown user:webdev my-ssl.ca
- Give the current user rwx permission, other users in the group rx permission, and no permission for the public: $chmod 750 my-ssl.ca
- Set the group id bit: $chmod g+s my-ssl.ca. When this is set, any new folders or files created inside my-ssl.ca automatically inherit the group webdev. When it takes effect an s appears in the mode, for example drwxrws---
- The default permission on Ubuntu for a new folder is 755, or 750 inside a user's home folder; for a file it is 644, or 640 inside a user's home folder. We do not want that
- To change it we need to add an ACL, which requires the group id: $id www-data shows the webdev group id
- $sudo setfacl -Rdm g:group_id:rx my-ssl.ca
- R is recursive: everything under that directory gets the rule applied to it.
d is default: all future items created under that directory get these rules by default. m is needed to add/modify rules. This command gives future items created in or copied to my-ssl.ca only read and execute permission (caution: moved files do not obey this rule). When it takes effect a + appears in the listing, e.g. drwxr-x---+, showing that an ACL is active; use $getfacl folder to check it is working. There should be default:user rwx, default:webdev:rw-
- For existing items use $sudo setfacl -Rm g:group_id:rx my-ssl.ca
- Remember: read permission on a folder is the permission to open (list) its files/folders, execute permission is to cd into the folder, and write permission is to create any files/folders
- Remember: read permission on a file is to open that specific file, execute is to run it as an executable, and write is to change its content
- Inside my-ssl.ca create the html folder
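A small check script for the permission model above, added here as an example (it is not part of the original notes). It verifies that a web root is group-owned by the shared group, has mode 750 with the setgid bit, and carries the default ACL that setfacl -Rdm g:GROUP:rx produces. It assumes GNU coreutils (stat -c) and, for the ACL check, the acl package (getfacl); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify a web root against the
# permission model described above (group ownership, 750 + setgid, default ACL).
# Assumes GNU coreutils (stat -c) and the acl package (getfacl) for the ACL check.

# Octal mode of a path including the special bits (a setgid 750 prints as 2750).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if DIR is group-owned by GROUP and has mode exactly 750 plus setgid;
# otherwise print what is wrong to stderr and return 1.
verify_docroot() {
    local dir="$1" group="$2" rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    if [ "$(stat -c '%G' "$dir")" != "$group" ]; then
        echo "$dir: group is $(stat -c '%G' "$dir"), expected $group" >&2
        rc=1
    fi
    if [ "$(mode_of "$dir")" != "2750" ]; then
        echo "$dir: mode is $(mode_of "$dir"), expected 2750 (drwxr-s---)" >&2
        rc=1
    fi
    return $rc
}

# Return 0 if DIR has a default ACL entry giving GROUP r-x (what
# "setfacl -Rdm g:GROUP:rx DIR" creates), 1 if not, 2 if getfacl is not installed.
has_default_group_acl() {
    local dir="$1" group="$2"
    command -v getfacl >/dev/null 2>&1 || return 2
    if getfacl -p "$dir" 2>/dev/null | grep -q "^default:group:${group}:r-x"; then
        return 0
    fi
    return 1
}

# Usage: verify_docroot /var/www/mydomain webdev && has_default_group_acl /var/www/mydomain webdev
```

Run it after the chown/chmod/setfacl steps; a non-zero exit with a message on stderr tells you which of the three settings was missed. Note that the mode check is strict on purpose: 755 (the Ubuntu default) would expose the directory listing to every local user.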
6. $sudo vim /var/www/mydomain/html/index.html
7. Index.html can have any contents for demo
8. $sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/mydomain.conf
9. $sudo vim /etc/apache2/sites-available/mydomain.conf
10. <VirtualHost *:80>
// Disable the default conf
* a2dissite 000-default.conf
* a2dissite default-ssl.conf
11. $sudo a2ensite mydomain.conf
12. $ sudo systemctl reload apache2
LETS ENCRYPT
13. sudo add-apt-repository ppa:certbot/certbot (!! Deprecated, use the guide on the next line instead)
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04
14. sudo apt install python-certbot-apache
# mydomain in the next line is the full domain, e.g. xxx.ca
!!!!!!!!!!! domain has to be without www; xxx@mail.ca can be your server mail address
15. $sudo certbot certonly --manual --preferred-challenges http -m xxx@mail.ca -d mydomain --dry-run
// If the dry run succeeds, run the same command without --dry-run and follow the instructions: create the challenge file (chmod 755) so it is publicly accessible
16. $ll
17. certs are valid for 3 months and are located in /etc/letsencrypt/live/<domain>/fullchain.pem etc
18. create the ssl.conf file
19. $sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mydomain-ssl.conf
20. $sudo vim /etc/apache2/sites-available/mydomain-ssl.conf
21. For a custom cert location, it should be under /etc/ssl
21. <VirtualHost *:443>
22. $sudo a2ensite mydomain-ssl.conf
23. // Redirect http to https
24. $sudo vim /etc/apache2/sites-available/mydomain.conf
25. <VirtualHost *:80>
(the redirect needs a trailing slash)
otherwise renewal fetches the wrong URL, see https://community.letsencrypt.org/t/renewal-wrong-fetch-url/43879
!!!!!!!!!!!!!!! 2021: Apache needs mod_ssl enabled
a2enmod ssl
https://stackoverflow.com/questions/5257974/how-to-install-mod-ssl-for-apache-httpd
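The contents of the two virtual host files edited in steps 10, 21 and 25 are not on this page, so here is an added example (mine, not the post's) that generates both from a domain name. It assumes the layout used in these notes: the site is served from /var/www/<domain>/html and the certificate lives in certbot's default /etc/letsencrypt/live/<domain>/; the output directory is a parameter so the files can be reviewed in a scratch directory before being copied into /etc/apache2/sites-available.

```shell
#!/bin/sh
# Added example, not from the original post: write the port-80 and port-443
# virtual host files for DOMAIN into OUTDIR. Assumes /var/www/DOMAIN/html as the
# document root and /etc/letsencrypt/live/DOMAIN/ as the certificate location.

# write_vhost_configs OUTDIR DOMAIN [ADMIN_EMAIL]
write_vhost_configs() {
    local outdir="$1" domain="$2" admin="${3:-webmaster@localhost}"
    local docroot="/var/www/${domain}/html"
    local certdir="/etc/letsencrypt/live/${domain}"
    mkdir -p "$outdir"

    # Port 80 only redirects to HTTPS. The trailing slash on the target matters:
    # without it /test would become https://DOMAINtest, and the ACME HTTP-01
    # check (which follows the redirect) would fetch the wrong URL.
    cat > "${outdir}/${domain}.conf" <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAdmin ${admin}
    DocumentRoot ${docroot}
    Redirect / https://${domain}/
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
EOF

    # Port 443 requires "a2enmod ssl". fullchain.pem carries the leaf plus the
    # intermediate certificate; privkey.pem is root-only and stays that way.
    # Both vhosts share the document root, so a challenge file under
    # docroot/.well-known/acme-challenge/ is still served after the redirect.
    cat > "${outdir}/${domain}-ssl.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ${domain}
    ServerAdmin ${admin}
    DocumentRoot ${docroot}
    SSLEngine on
    SSLCertificateFile ${certdir}/fullchain.pem
    SSLCertificateKeyFile ${certdir}/privkey.pem
    ErrorLog \${APACHE_LOG_DIR}/${domain}-ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-ssl-access.log combined
</VirtualHost>
</IfModule>
EOF
}

# Usage: write_vhost_configs /tmp/vhosts mydomain.ca admin@mydomain.ca
```

After copying the files into /etc/apache2/sites-available, run apachectl configtest before a2ensite and the reload, so a typo in the certificate path fails the check rather than taking the site down.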
26. sudo systemctl restart apache2
27. Let's Encrypt certs expire every 3 months and can't auto-renew because they were created manually. To check the dates:
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/lab.citycentreupcc.ca/cert.pem
(certificate dates)
28. sudo certbot certificates
(list of certificates)
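Rather than reading the openssl -dates output by eye, the expiry check can be scripted; this is an added example (not from the post) that uses openssl's own -checkend comparison for the 30-day renewal window described below. It assumes the openssl CLI and GNU date (for the day count); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: report how long a certificate
# has left and whether it is inside the renewal window. Assumes the openssl
# CLI and GNU date (date -d).

# Days until the certificate in FILE expires (negative once it has expired).
days_until_expiry() {
    local file="$1" end
    end=$(openssl x509 -noout -enddate -in "$file" | cut -d= -f2)
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Return 0 when FILE expires within DAYS days (default 30, the window in
# which Let's Encrypt allows a normal renewal), 1 when it does not, 2 when
# the file cannot be read. "openssl x509 -checkend N" exits 0 only if the
# certificate is still valid N seconds from now, so no date parsing is needed.
should_renew() {
    local file="$1" days="${2:-30}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if openssl x509 -noout -checkend $(( days * 86400 )) -in "$file" >/dev/null; then
        return 1   # valid beyond the window, renewal not yet due
    fi
    return 0       # expires within the window (or already expired)
}

# One-line summary; exits 0 only when a renewal is due.
report_cert() {
    local file="$1"
    echo "$file expires in $(days_until_expiry "$file") days"
    should_renew "$file"
}

# Usage: report_cert /etc/letsencrypt/live/lab.citycentreupcc.ca/cert.pem && echo "renew now"
```

Gating the renewal on should_renew instead of --force-renewal keeps a cron job well inside the rate limit mentioned further down, because it only issues a new certificate when one is actually needed.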
####### 29. certbot certonly --manual --preferred-challenges=http --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com --force-renewal
29. a) create a directory (domain_name) in home to run the auto renew from; set chmod 770, set group inheritance (setgid) and a default ACL of rwx for the group
29. b) create the ssl_renew folder
29. c) create authenticator.sh and cleanup.sh
30. /path/to/http/authenticator.sh (/home/authenticator.sh)
!!!! The /.well-known/acme-challenge/ folder must exist for it to work. certbot is run as root.
!!!! The .sh scripts must be executable by the user who runs certbot; check with getfacl, and chmod so they have read and execute
#!/bin/bash
# certbot exports the token and the validation string; write the validation where the HTTP-01 check will fetch it
echo "$CERTBOT_VALIDATION" > /var/www/htdocs/.well-known/acme-challenge/"$CERTBOT_TOKEN"
/path/to/http/cleanup.sh (/home/cleanup.sh)
#!/bin/bash
# remove the challenge file once validation is done
rm -f /var/www/htdocs/.well-known/acme-challenge/"$CERTBOT_TOKEN"
(https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks
https://community.letsencrypt.org/t/cant-renew-the-certification-with-error-an-authentication-script-must-be-provided-with-manual-auth-hook-when-using-the-manual-plugin-non-interactively/67216/2)
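A stricter version of the two hook scripts above, added here as an example (not the post's own scripts). Both hooks are functions in one file so they can be exercised against a scratch directory; it takes the challenge directory from CHALLENGE_ROOT (defaulting to the path the notes use), creates it if missing (the note above says it must exist), and refuses any token outside the base64url alphabet certbot uses, so the hook can never write or delete outside the challenge directory. CERTBOT_TOKEN and CERTBOT_VALIDATION are the variables certbot documents for --manual hooks; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: hardened authenticator/cleanup
# hooks for certbot's --manual HTTP-01 flow. Assumes certbot exports
# CERTBOT_TOKEN and CERTBOT_VALIDATION; the directory comes from CHALLENGE_ROOT.

CHALLENGE_ROOT="${CHALLENGE_ROOT:-/var/www/htdocs/.well-known/acme-challenge}"

# Accept only the base64url characters an ACME token consists of. Anything
# else (a slash, "..", whitespace, an empty value) is rejected.
valid_token() {
    case "$1" in
        "" ) return 1 ;;
        *[!A-Za-z0-9_-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Write the validation string for the current token. The file is made
# world-readable so the www-data worker can serve it.
auth_hook() {
    valid_token "$CERTBOT_TOKEN" || { echo "refusing bad token" >&2; return 1; }
    mkdir -p "$CHALLENGE_ROOT"
    printf '%s' "$CERTBOT_VALIDATION" > "$CHALLENGE_ROOT/$CERTBOT_TOKEN"
    chmod 644 "$CHALLENGE_ROOT/$CERTBOT_TOKEN"
}

# Remove the challenge file again once validation is over.
cleanup_hook() {
    valid_token "$CERTBOT_TOKEN" || return 1
    rm -f "$CHALLENGE_ROOT/$CERTBOT_TOKEN"
}
```

To use it from the certbot command above, save the file as, say, /absolute_path/hooks.sh and make authenticator.sh consist of `. /absolute_path/hooks.sh; auth_hook` and cleanup.sh of `. /absolute_path/hooks.sh; cleanup_hook` (both executable, as the notes say). Set CHALLENGE_ROOT in those wrappers if the web root differs from the default.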
34. Sample dry run for renewal (can also be used to get new certs)
sudo certbot certonly --manual --preferred-challenges=http --manual-auth-hook /absolute_path/authenticator.sh --manual-cleanup-hook /absolute_path/cleanup.sh -d <domain> --force-renewal --dry-run
**** make sure the .sh files are executable (770)
(This can also be used to get certs directly; drop --dry-run for the real run)
sudo certbot certonly --manual --preferred-challenges=http --manual-auth-hook /absolute_path/authenticator.sh --manual-cleanup-hook /absolute_path/cleanup.sh -d <domain> --dry-run
31. add to cron
32. sudo vim /etc/crontab (open the cron job list as root)
33. Certs can only be renewed within 30 days of expiration; forced renewal is limited to 5 renewals per 7 days per domain. So we can schedule a cron job on the 1st, 7th, 21st and 28th of the month at 3:29 to renew, and reload the apache2 config afterwards
34. sudo vim /etc/crontab
!!!!!!!!!! domain has to be without www
29 3 1,7,21,28 * * root certbot certonly --manual --preferred-challenges=http --manual-auth-hook /absolute_path/authenticator.sh --manual-cleanup-hook /absolute_path/cleanup.sh -d <domain> --force-renewal && service apache2 reload
// check cron
// Schedule
vim /etc/crontab
// Check cron job status
tail -f /var/log/syslog
grep cron /var/log/syslog
https://askubuntu.com/questions/85558/verify-if-crontab-works
https://dev-notes.eu/2018/05/set-up-an-automatic-letsencrypt-renewal-cronjob/
https://www.ostechnix.com/configure-apache-virtual-hosts-ubuntu-part-1/
https://www.linuxbabe.com/ubuntu/https-apache-letsencrypt-ubuntu16-04-17-10
https://community.letsencrypt.org/t/pluginerror-an-authentication-script-must-be-provided-with-manual-auth-hook-when-using-the-manual-plugin-non-interactively-skipping/69718