tags:
  - TLS certificates
  - letsencrypt
categories:
  - informational
comments: true

date: 2022-07-24 00:00:00

DESCRIPTION

Example domain: example.com

Example sub-domain: git.example.com

Web server IP: 192.168.1.100

Both the domain and the sub-domain redirect (proxy) requests to backend services. Removing the redirect stanza will instead serve files from the root.

For the domain:

# Web root for example.com; parent directories are created and an existing directory is left alone.
mkdir --parents /var/www/html/example

and for the sub-domain:

# Web root for git.example.com; parent directories are created and an existing directory is left alone.
mkdir --parents /var/www/html/git_example

nginx configured with a PHP (php-fpm) backend

To allow user1 to write to the web root and the Let's Encrypt webroot:

# Hand the web roots and the ACME webroot to user1 so pages can be pushed without root.
# Anything running as user1 can then alter served content, so keep the php-fpm pool
# user separate from user1.
chown --recursive user1:user1 /var/www/html /var/www/letsencrypt

Using git to create pages and push them to the nginx root:

# Open a login shell as user1, then create the working directory in that user's home.
sudo --login --user=user1
mkdir -- example

ERRORS

VERIFICATION

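# Two separate checks; the original ran both as one merged command line, which
# makes curl treat the second "curl" as an extra URL.
# -I sends a HEAD request and -v prints the TLS handshake, so the served
# certificate's subject/issuer and any chain error are visible directly.
curl -vI https://example.com
curl -vI https://git.example.com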

COMMANDS

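# Webroot for the ACME http-01 challenge; served by the plain-HTTP server below.
mkdir -p /var/www/letsencrypt
mkdir -p /etc/nginx/conf/sites-available /etc/nginx/sites-enabled

# One plain-HTTP server for both hostnames: it answers the ACME challenge from
# the webroot and redirects everything else to HTTPS. It has no TLS listener,
# so it can be enabled before any certificate exists.
# The heredoc delimiters are quoted: with an unquoted EOF the shell expands
# $host, $request_uri and $uri to empty strings and the written config does
# not parse.
cat >/etc/nginx/conf/sites-available/acme_http <<'EOF'
server {
    listen 192.168.1.100:80;
    server_name example.com git.example.com;

    # Prefix match with ^~ so the challenge is never caught by the redirect
    # below, which would bounce it to a TLS server that has no certificate yet.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
EOF

# HTTPS server for example.com. Leave the ssl_certificate lines commented and
# the file unlinked until `letsencrypt certonly` has run: nginx -t rejects a
# `listen ... ssl` server that has no ssl_certificate.
cat >/etc/nginx/conf/sites-available/example_com <<'EOF'
server {
    root /var/www/html/example;
    index index.html index.htm index.php;
    server_name example.com;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): the X3 cross-signed intermediate is no longer the chain
    # Let's Encrypt issues, and stapling verification fails against a stale
    # file. Point this at the chain certbot writes for the host
    # (/etc/letsencrypt/live/example.com/chain.pem) once it exists.
    ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;
    # HSTS commits every subdomain to HTTPS for a year; add it only once all
    # subdomains serve valid certificates.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # ssl_session_cache comes from the included options-ssl-nginx.conf; a
    # second copy here is rejected by nginx as a duplicate directive.
    ssl_session_tickets on;

    listen 192.168.1.100:443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Uncomment after the certificate has been issued.
#    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/hexo-access.log;
    error_log /var/log/nginx/hexo-error.log;

    location / {
        # proxy_ssl_verify defaults to off, so the backend's certificate is
        # not checked; enable it (with proxy_ssl_trusted_certificate) unless
        # the backend is reached over a trusted network.
        proxy_pass https://192.168.1.120:8888;
    }
}
EOF

# HTTPS server for git.example.com; same staging rule as above.
cat >/etc/nginx/conf/sites-available/git_example_com <<'EOF'
server {
    root /var/www/html/git_example;
    index index.html index.htm index.php;
    server_name git.example.com;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): as for example.com, use the chain certbot writes for this
    # host (/etc/letsencrypt/live/git.example.com/chain.pem) once it exists.
    ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # ssl_session_cache is provided by options-ssl-nginx.conf (a second copy
    # would be a duplicate directive).
    ssl_session_tickets on;

    listen 192.168.1.100:443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Uncomment after the certificate has been issued.
#    ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Plain HTTP to the git backend: this hop is unencrypted, so keep it
        # on a trusted segment.
        proxy_pass http://192.168.1.110:3000;
    }

    access_log /var/log/nginx/softserve-access.log;
    error_log /var/log/nginx/softserve-error.log;
}
EOF

# nginx.conf only includes /etc/nginx/sites-enabled/*, so a file in
# sites-available is inert until linked there. Enable the HTTP server now;
# link example_com and git_example_com the same way after the certificates
# exist and their ssl_certificate lines are uncommented.
ln -sfn /etc/nginx/conf/sites-available/acme_http /etc/nginx/sites-enabled/acme_http
# Reload only if the syntax check passes.
nginx -t && systemctl reload nginx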

Creating the certs

# Issue one certificate per hostname with the http-01 webroot authenticator.
# The challenge files are written under /var/www/letsencrypt/.well-known/acme-challenge/,
# which the port-80 server must serve. Same order as before: sub-domain, then apex.
for host in git.example.com example.com; do
    letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -d "$host"
done

Once the certificates exist, change the commented certificate lines in the site configuration from:

# Before: the certificate directives are commented out because the files do not exist yet.
#ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

to:

# Live paths written by `letsencrypt certonly`; make the same change in the example.com site file.
ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
# NOTE(review): ssl-dhparams.pem is normally created by certbot's nginx plugin, not by the
# webroot authenticator used above; confirm the file exists (or generate one with
# `openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048`) before reloading.
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Then check the syntax and reload the configuration:

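# Chain the two so a failed syntax check never triggers a reload.
nginx -t && systemctl reload nginx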

Renewal

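# /etc/cron.d entries need a user field between the schedule and the command;
# without it cron rejects the line and the renewal never runs.
# --deploy-hook runs only when a certificate was actually renewed
# (--renew-hook is the deprecated spelling); the reload goes through systemctl
# like the rest of this setup.
# NOTE(review): the certbot package may already install its own renewal job or
# timer; check /etc/cron.d and `systemctl list-timers` before adding a second one.
cat >/etc/cron.d/letsencrypt <<'EOF'
1 1 * * * root /usr/bin/letsencrypt renew --deploy-hook "systemctl reload nginx"
EOF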

Appendix A: Install nginx, letsencrypt

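# Install the web server, certbot (letsencrypt is the transitional package
# name) and php-fpm. Chained so a failed index refresh does not proceed to an
# install from stale indexes.
apt update && apt install --no-install-recommends nginx letsencrypt certbot php-fpm php-mysql

# Quoted delimiter: nothing in this file should be subject to shell expansion.
cat >/etc/nginx/nginx.conf <<'EOF'

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 2048;
}

http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # Do not advertise the nginx version in Server headers and error pages.
        server_tokens off;

        client_max_body_size 50M;

        server_names_hash_bucket_size 64;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;
        # "msie6" is nginx's shorthand for the MSIE 1-6 regex, so a second
        # gzip_disable with the spelled-out pattern is not needed (the earlier
        # copy was malformed: curly quote, unterminated string, no semicolon).
        gzip_disable "msie6";

        gzip_proxied any;
        gzip_types text/plain text/xml text/css application/x-javascript;
        gzip_vary on;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
EOF

# Shared TLS settings included by every HTTPS server block. certbot ships this
# file when its nginx plugin is used; here it is written by hand.
cat >/etc/letsencrypt/options-ssl-nginx.conf <<'EOF'
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# AEAD suites only for TLS 1.2. The TLS_* names at the end are TLS 1.3 suites,
# which OpenSSL does not select through this list (TLS 1.3 suites are
# configured separately); they are harmless here.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
EOF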

PHP settings

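# php-fpm php.ini. This replaces the packaged file wholesale, so any directive
# not listed here falls back to PHP's built-in default, not to the
# php.ini-production value. The heredoc delimiter is quoted so the shell does
# not touch the contents.
cat >/etc/php/7.3/fpm/php.ini <<'EOF'
; The [section] headers below are interleaved alphabetically with the
; directives. PHP ignores plain section names (only [PATH=...] and
; [HOST=...] sections change scope), so the ordering is cosmetic.
allow_url_fopen = On
; Remote file inclusion stays disabled.
allow_url_include = Off
[Assertion]
auto_append_file =
auto_globals_jit = On
auto_prepend_file =
[bcmath]
bcmath.scale = 0
[browscap]
; Do not let /image.jpg/x.php be executed as x.php when nginx passes PATH_INFO.
cgi.fix_pathinfo=0
[CLI Server]
cli_server.color = On
[COM]
[curl]
[Date]
date.timezone = "America/Toronto"
[dba]
default_charset = "UTF-8"
default_mimetype = "text/html"
default_socket_timeout = 60
disable_classes =
; NOTE(review): only pcntl_* is disabled; process-spawning functions such as
; exec, system, shell_exec, passthru, proc_open and popen stay available.
; Add them here unless the deployed PHP application needs them.
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
; Errors go to the log (log_errors below), never to the client.
display_errors = Off
display_startup_errors = Off
doc_root =
enable_dl = Off
engine = On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
[exif]
; Suppresses the X-Powered-By header.
expose_php = Off
file_uploads = On
[filter]
[gd]
html_errors = On
ibase.allow_persistent = 1
ibase.dateformat = "%Y-%m-%d"
ibase.max_links = -1
ibase.max_persistent = -1
ibase.timeformat = "%H:%M:%S"
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
[iconv]
ignore_repeated_errors = Off
ignore_repeated_source = Off
[imap]
implicit_flush = Off
[Interbase]
[intl]
[ldap]
ldap.max_links = -1
log_errors_max_len = 1024
log_errors = On
mail.add_x_header = Off
[mail function]
max_execution_time = 120
max_file_uploads = 20
max_input_time = 60
[mbstring]
memory_limit = 128M
[MySQLi]
mysqli.allow_persistent = On
mysqli.default_host =
mysqli.default_port = 3306
mysqli.default_pw =
mysqli.default_socket =
mysqli.default_user =
mysqli.max_links = -1
mysqli.max_persistent = -1
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_memory_statistics = Off
mysqlnd.collect_statistics = On
[OCI8]
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.defaultbinmode = 1
odbc.defaultlrl = 4096
odbc.max_links = -1
odbc.max_persistent = -1
[opcache]
[openssl]
output_buffering = 4096
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.ignore_notice = 0
pgsql.log_notice = 0
pgsql.max_links = -1
pgsql.max_persistent = -1
[Phar]
[PHP]
[PostgreSQL]
; Must stay >= upload_max_filesize (both 32M here) or uploads are rejected.
post_max_size = 32M
precision = 14
register_argc_argv = Off
report_memleaks = On
request_order = "GP"
serialize_precision = -1
[Session]
session.auto_start = 0
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain =
; NOTE(review): empty leaves the HttpOnly flag off the session cookie; set to 1
; unless JavaScript must read it. session.cookie_secure is not set either, so
; the cookie may also be sent over plain HTTP.
session.cookie_httponly =
session.cookie_lifetime = 0
session.cookie_path = /
; NOTE(review): empty means no SameSite attribute; Lax or Strict is the usual
; choice for a session cookie.
session.cookie_samesite =
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.gc_probability = 0
session.name = PHPSESSID
session.referer_check =
session.save_handler = files
session.serialize_handler = php
session.sid_bits_per_character = 5
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.use_cookies = 1
session.use_only_cookies = 1
; NOTE(review): 0 accepts a client-supplied, uninitialised session id
; (session fixation); strict mode (1) rejects such ids.
session.use_strict_mode = 0
session.use_trans_sid = 0
short_open_tag = Off
SMTP = localhost
smtp_port = 25
[soap]
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_enabled=1
soap.wsdl_cache_limit = 5
soap.wsdl_cache_ttl=86400
[sqlite3]
[sysvshm]
[Tidy]
tidy.clean_output = Off
unserialize_callback_func =
upload_max_filesize = 32M
user_dir =
variables_order = "GPCS"
; -1 compiles assertions out entirely (production setting).
zend.assertions = -1
zend.enable_gc = On
zlib.output_compression = Off
EOF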

References

https://www.letscloud.io/community/how-to-set-up-an-nginx-with-certbot-on-ubuntu

https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04

https://scaron.info/blog/improve-your-nginx-ssl-configuration.html