Let's encrypt on Arch Linux

First we need apache and let's encrypt client:
pacman -S certbot

 As Apache is running on port 80, and we do not want any interruption to the service, we will use "webroot" plugin. Assuming our domain is www.bogus.com, the request will look like this:

certbot certonly --email p******t@gmail.com --webroot -w /srv/http/ -d www.secure.com


 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Note: you do not need to enter e-mail address again.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/flex.prkp.eu/fullchain.pem. Your cert will
   expire on 2016-12-13. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

For SSL, enable:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

And create self signed certificate to satisfy the "default" SSL virtual host. By using exactly the command below, you will ensure that you do not need to modify httpd-ssl.conf at all:
# cd /etc/httpd/conf
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095
# chmod 400 server.key

Now define minimalistic Virtual host for your domain:
<VirtualHost www.secure.com:443>
    DocumentRoot "/srv/http"
    ServerName www.secure.com:443

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/www.secure.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/www.secure.com/privkey.pem"
</VirtualHost>

And last, but not least. If you using multiple SSL vhosts ensure that the above lines from httpd.conf goes to the end (or after SSL configuration is loaded). In such case, the default SSL virtual host would be the one defined in SSL config rather the first one in vhost config:
# Virtual hosts
Include conf/extra/httpd-vhosts.conf

Comments

Post a Comment

Popular posts from this blog

Hardening OpenWRT - adding non-root user account

I have at home an OpenWRT on TP-Link 1043ND. As I'm most of the time out of my home, I use this for two functions:  - as reliable WiFi Access Point  - as last resort remote access device  - as a box used to wake up other Ethernet enabled devices @ home. As this box is exposed to Internet via IPv6 address, I decided to harden it a little. 1. Adding extra non privileged user account: root@OpenWrt:~# opkg update root@OpenWrt:~# opkg install shadow-useradd root@OpenWrt:~# mkdir /home root@OpenWrt:~# useradd -D GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL= SKEL=/etc/skel CREATE_MAIL_SPOOL=no root@OpenWrt:~# useradd -m -s /bin/ash bart root@OpenWrt:~# cat /etc/passwd root:x:0:0:root:/root:/bin/ash daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false bart:x:1000:1000::/home/bart:/bin/ash root@OpenWrt:~# passwd bart Changing password for bart New passw
Read more

Dropbear SSH keys and autossh on OpenWRT

Image
I have a box on Amazon EC2. And I want to have my OpenWRT that is behind IPv4 CGN and have public IPv6 to be reachable from IPv4 Internet. The best idea is to use ssh reverse tunnel connected with autossh to keep connection going. The very first think is to test if I can connect to my Amazon instance from my OpenWRT: root@OpenWrt:~# ssh 54.111.111.111 Host '54.111.111.111' is not in the trusted hosts file. (ssh-rsa fingerprint md5 0f:51:11:11:11:11:11:11:11:11:11:11:11:11:11:11) Do you want to continue connecting? (y/n) y root@54.111.111.111's password: At this point the public key of remote host will be added to .ssh/known_hosts. It is important as we can't have autossh to interact with console in future. root@OpenWrt:~# cat .ssh/known_hosts 2001:1111:1111:1111::1111:1111 ssh-rsa AAAAB3N....... 54.111.111.111 ssh-rsa AAAAB3N.......... Now we need to generate public/private key pair we will be using to connect to our Amazon instance. Invoke fol
Read more

SSH Tunel with OpenWRT

You need to install OpenSSH client: root@OpenWrt:~# opkg update root@OpenWrt:~# opkg install openssh-client Now OpenSSH client replaced DropBear client: root@OpenWrt:~# ls -l /usr/bin/ssh -rwxr-xr-x    1 root     root        590667 May 24 14:54 /usr/bin/ssh root@OpenWrt:~# ls -l /rom/usr/bin/ssh lrwxrwxrwx    1 root     root            16 Aug 19  2016 /rom/usr/bin/ssh -> ../sbin/dropbear root@OpenWrt:~# ls -l /overlay/upper/usr/bin/ssh -rwxr-xr-x    1 root     root        590667 May 24 14:54 /overlay/upper/usr/bin/ssh Can you spot a difference: root@OpenWrt:~# ssh usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]            [-D [bind_address:]port] [-E log_file] [-e escape_char]            [-F configfile] [-I pkcs11] [-i identity_file]            [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]            [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]            [-S ctl_path] [-W ho
Read more