welcome: please sign in

The following 398 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
3rdparty   above   access   accessible   acme   Acme   acmesh   add   Add   Additionally   admin   administrators   admins   afs   Alias   alias   all   allowed   also   an   and   And   apache2   appear   application   are   as   At   Authorization   automated   autotest   back   bash   bashrc   been   before   begin   below   bk   bkhl   build   but   By   by   ca   caldav   called   can   carddav   Case   cat   cd   cer   cert   Certificate   certificate   certificates   certs   challenge   Challenge   change   clear   client   Clnt   clone   cloud   com   command   complain   Cond   config   configuration   console   construction   Contents   context   continue   continuing   Copy   copy   correct   Create   create   crontab   css   date   Dav   dav   days   db   Default   default   describes   different   dir   directory   do   Document   document   doesn   Dom   dom   domain   Domain   domtool   Download   dtl   each   echo   edit   elektrubadur   email   enable   Encrtpy   Encrypt   end   ending   ensure   env   Env   environment   error   etc   example   Examples   examples   Existing   expects   expires   extension   false   few   fi   field   Fields   file   files   filled   fine   First   follow   following   font   For   for   from   fs   generate   Generate   gif   git   github   has   have   hcoop   heading   here   Here   home   host   how   html   http   https   icon   if   If   image   in   In   Index   index   indexes   indie   info   install   installation   installed   instead   instructions   into   is   iso   issue   it   its   javascript   jpeg   json   just   keep   key   keyfile   known   last   later   Let   Lets   letsencrypt   lib   like   lines   link   linked   ll   load   local   location   Log   log   ls   manual   may   me   members   meta   microsoft   more   Mostly   Multi   multi   must   name   need   net   new   next   No   not   note   notfound   Now   now   occ   Of   of   official   on   once   one   only   open   Open   operations   option   optional   options   or   out   page   paste   path   paths   pem   permanent   permission   permissions   php   pki   plain   png   portal   Precautions   precautions   print   printf   private   profile   protocol   providing   public   publicly   pure   put   qsappend   read   really   recommended   reconnect   redirect   redirects   reference   remain   remote   renew   renewals   replace   Request   request   requires   rewrite   Rewrite   root   Root   Rule   run   sa   say   se   section   Security   See   Send   server   service   session   Set   set   setup   setups   sh   simple   Since   single   skip   smichel   some   source   ssh   ssl   stand   steps   subdirectory   subdomain   Subdomain   submission   submit   svg   system   Table   take   temp   templates   test   tests   text   that   That   The   the   their   them   then   Then   These   these   third   this   This   through   time   to   Tool   touch   traffic   tweaks   Type   under   Under   unset   up   Update   use   user   username   uses   Using   using   val   validation   vhost   Views   vnd   want   warning   web   webdav   webfinger   website   weeks   weird   well   whenever   where   which   wiki   will   With   with   without   woff2   written   www   You   you   Your   your   Zero  

Clear message

MemberManual / ServingWebsites / SslCert / LetsEncrypt

Let's Encrypt! This page describes how to enable SSL using letsencrypt for example.com. Log in through ssh to ssh.hcoop.net, then follow the instructions below

1. First time setup

At the end of these steps, you'll have a certificate for www.example.com. If you want to use a different subdomain (example.com, git.example.com, etc.), you can follow this multi-domain configuration example.

1.1. Set up your new website with http

echo 'dom "example.com" with end;' > ~/.domtool/example.com

1.2. Set up your environment

These steps are recommended but optional. If you skip them, you'll need to run source ~/.acme.sh/acme.sh.env each time before you generate certs.

The hcoop environment doesn't use a .bashrc file by default, but acme.sh expects one. First create the file

touch ~/.bashrc

Then load it in each new session. Add the following lines to ~/.bash_profile

if [ -f ~/.bashrc ]; then
        . ~/.bashrc

1.3. Download and install `acme.sh`

Acme.sh is a client for the ACME protocol, written in pure bash. The third command may complain that you are not allowed to use crontab. This is fine.

git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install

Security Precautions

Since afs is publicly accessible, you need to take a few precautions to ensure that your certificate and private key remain private. For all key operations, keep the files in a directory that only you and the admins can read.

Set the correct permissions:

fs sa ~/.acme.sh -clear YOUR_USERNAME all system:administrators all

You'll have to do this once, or you can log out and reconnect (if you set up your .bashrc):

source ~/.acme.sh/acme.sh.env

Additionally, acme.sh now uses ZeroSSL as their default CA service, which requires providing an email to the client, linked to a server. If you want to continue using LetsEncrypt, you may want to run the following to change the default CA back to LetsEncrtpy, before continuing:

acme.sh --set-default-ca --server letsencrypt

1.4. Generate the cert

If the example.com document root is ~/public_html/, run

acme.sh --issue -d example.com -w ~/public_html/

(If the document root is some weird subdirectory, like ~/public_html/weird, set the -w option to that instead.)

At the end, it will print Your cert is in and then a path to a file ending in .cer. Copy this path without the .cer extension. In the next section, replace $FILE with this path.

1.5. Request cert installation from hcoop admins

Send a SSL certificate permission request. Fields are filled out with:

Subdomain: www

Domain: example.com

OpenSSL certificate: $FILE.cer $FILE.key

See section above for context.

You must also request certificate installation whenever you renew the certificate.

1.6. Update domtool config to use SSL

Now that your cert has been installed, its path will appear on the certificate permission request page, under the heading "Your certificates." Let's say the cert path is /etc/apache2/ssl/user/www.example.com.pem. (That directory is really called user; it's not a username stand-in!) You need to add this path to your domtool configuration.

Here's a simple example config, which redirects all traffic to https in a single domain.

dom "example.com" where
  SSL = use_cert "/etc/apache2/ssl/user/www.example.com.pem"
  web "www" with
    rewriteRule "^(.*)$" "https://www.example.com$1" [redirectWith temp]

Here are more single-domain examples and a multi-domain example. For reference, here's the domtool manual.

2. Existing setups & tweaks

Under construction

This section is under construction.

2.1. Multi-domain configuration example


val acmeChallengeAlias = begin
    location "/.well-known/acme-challenge" with unset_options [indexes]; end;
    alias "/.well-known/acme-challenge" "/afs/hcoop.net/user/b/bk/bkhl/www/acme/.well-known/acme-challenge";


val elektrubadurCertificate = use_cert "/etc/apache2/ssl/user/elektrubadur.se.pem";

val elektrubadurRewrite = rewriteRule "^(.*)$" "https://elektrubadur.se$1" [redirectWith permanent];

val elektrubadurSubdomainAlias = \name -> begin
    web name with elektrubadurRewrite; end;
    web name where SSL = elektrubadurCertificate; with elektrubadurRewrite; end;

dom "elektrubadur.se" where
    DocumentRoot = home "www/elektrubadur.se";
    CreateWWW = false;

    vhostDefault where
        SSL = elektrubadurCertificate;
        errorDocument "404" "/404.html";

        expiresByType "text/plain" access 1 days;
        expiresByType "text/css" access 1 days;

        expiresByType "image/jpeg" access 1 weeks;
        expiresByType "image/png" access 1 weeks;
        expiresByType "image/gif" access 1 weeks;
        expiresByType "image/svg" access 1 weeks;
        expiresByType "image/vnd.microsoft.icon" access 1 weeks;


    vhostDefault with elektrubadurRewrite; end;

    elektrubadurSubdomainAlias "www";
    elektrubadurSubdomainAlias "bkhl";

    web "test" where
        DocumentRoot = home "www/test.elektrubadur.se";
        SSL = elektrubadurCertificate;

    web "test" with
        rewriteRule "^(.*)$" "https://test.elektrubadur.se$1" [redirectWith permanent];

    web "cloud" where
        DocumentRoot = home "www/cloud.elektrubadur.se";
        SSL = elektrubadurCertificate;
        location "/" with
            unset_options [indexes, multiViews];
            directoryIndex ["index.php", "index.html"];

        expiresByType "text/css" access 1 weeks;
        expiresByType "application/javascript" access 1 weeks;
        expiresByType "image/svg" access 1 weeks;
        expiresByType "image/gif" access 1 weeks;
        expiresByType "application/font-woff2" access 1 weeks;

        setEnvIfNoCase "^Authorization$" "(.+)" ["XAUTHORIZATION=$1"];

        rewriteCond "%{HTTP_USER_AGENT}" "DavClnt" [];
        rewriteRule "^$" "/remote.php/webdav/" [redirectWith temp, last];

        rewriteRule ".*" "-" [env "HTTP_AUTHORIZATION" "%{HTTP:Authorization}"];
        rewriteRule "^\.well-known/host-meta" "/public.php?service=host-meta" [qsappend, last];
        rewriteRule "^\.well-known/host-meta\.json" "/public.php?service=host-meta-json" [qsappend, last];
        rewriteRule "^\.well-known/webfinger" "/public.php?service=webfinger" [qsappend, last];
        rewriteRule "^\.well-known/carddav" "/remote.php/dav/" [redirectWith permanent, last];
        rewriteRule "^\.well-known/caldav" "/remote.php/dav/" [redirectWith permanent, last];
        rewriteRule "^remote/(.*)" "remote.php" [qsappend, last];
        rewriteRule "^(?:build|tests|config|lib|3rdparty|templates)/.*" "-" [redirectWith notfound, last];
        rewriteCond "%{REQUEST_URI}" "!^/\.well-known/(acme-challenge|pki-validation)/.*" [];
        rewriteRule "^(?:\.|autotest|occ|issue|indie|db_|console).*" "-" [redirectWith notfound, last];


    web "cloud" with
        rewriteRule "^(.*)$" "https://cloud.elektrubadur.se$1" [redirectWith permanent];

    emailAlias "admin" "bkhl";
    emailAlias "info" "bkhl";


~/.acme.sh/acme.sh --issue -d elektrubadur.se -d www.elektrubadur.se -d bkhl.elektrubadur.se -d cloud.elektrubadur.se -d test.elektrubadur.se -w $HOME/www/acme/

And later on just ~/.acme.sh/acme.sh --renew-all

2.2. Mostly-automated renewals

You can edit the paths in this command and then put it in your ~/.bashrc. Then you just need to run letsencrypt_renew, open the link, and copy-paste the path into the submission field.

letsencrypt_renew () 
    local cert_dir="$HOME/certificates/smichel.me";
    local keyfile="$cert_dir/$(date --iso-8601)-smichel.me.pem";
    "$HOME"/.acme.sh/acme.sh --renew-all && cat "$cert_dir"/{smichel.me.{cer,key},ca.cer} > "$keyfile" && printf 'Open %s and submit this file:\n' 'https://members.hcoop.net/portal/cert' 1>&2 && ls "$keyfile"

MemberManual/ServingWebsites/SslCert/LetsEncrypt (last edited 2022-05-12 00:00:34 by StephenMichel)