Commit 9d92c20e authored by Chris Snijder's avatar Chris Snijder 🏅
Browse files

Fix issues with config in readme.rst

parent 09d2c1ed
......@@ -11,7 +11,7 @@ take additional steps during the installation.
- Debian Jessie (or higher) or Ubuntu Trusty (or higher).
- Python 2.7 (2.6 is supported by certbot and our goal is to be compatible but
it has not been tested yet).
- HAProxy 1.5+ (we will configure SNI, which is not strictly required)
- HAProxy 1.6+ (we will configure SNI, which is not strictly required)
- Certbot 0.8+
Installing: Getting started
......@@ -106,9 +106,10 @@ In order to let Certbot run as an unprivileged user, we will:
automatic renewal of certificates can be run by this user.
- Tell Certbot that the working directories are located in ``certbot``'s home
directory.
- Optionally: add your own user account to the Cerbot user's group so you can
- Optionally: add your own user account to the Certbot user's group so you can
run Certbot manually.
- Allow HAProxy to access the certificates that are generated by Certbot.
- Allow the certbot user to restart the HAProxy server.
Lastly, to do automatic renewal of certificates, we will create a systemd timer
and a service to start at every boot and every 12 hours, at a random time off
......@@ -130,7 +131,7 @@ web hosting environment - you can add those users to the ``certbot`` group.
usermod -a -G certbot [ADD YOUR USER HERE]
You will also need to tell your user what the working directory of your Cerbot
You will also need to tell your user what the working directory of your Certbot
setup is (/opt/certbot/). Certbot allows you to create a configuration file
with default settings in the users' home dir:
``opt/certbot/.config/letsencrypt/cli.ini``.
......@@ -148,6 +149,14 @@ Besides the working directory.
Next time you run Certbot, it will use our new working directory.
Now to allow the certbot user to restart HAProxy, put the following in the
sudoers file:
.. code:: bash
cat <<EOF >> /etc/sudoers
%certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
EOF
Now we haven't done one very essential thing yet, install ``certbot-haproxy``.
Since our plugin is in an alpha stage, we did not package it yet. You will need
to get it from our Gitlab server.
......@@ -184,15 +193,14 @@ together a configuration that works for you.
# Default ciphers to use on SSL-enabled listening sockets.
# Cipher suites chosen by following logic:
# - Authenticated ciphers first
# - SHA384/256 first, then SHA for compatibility
# - Bits of security 128>256 (weighing performance vs added security)
# - Key exchange: EECDH>DHE (faster first)
# - Mode: GCM>CBC (streaming cipher over block cipher)
# - Ephemeral: All use ephemeral key exchanges
# - Explicitly disable weak ciphers and SSLv3
ssl-default-bind-ciphers AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:-SHA:AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!3DES:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
#ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-dh-param-file /opt/certbot/dhparams.pem
defaults
......@@ -214,49 +222,49 @@ together a configuration that works for you.
frontend http-in
# Listen on port 80
bind *:80
mode http
# Listen on port 443
# Uncomment after running certbot for the first time, a certificate
# needs to be installed *before* HAProxy will be able to start when this
# directive is not commented.
#
## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains
bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
# Forward Cerbot verification requests to the certbot-haproxy plugin
# Forward Certbot verification requests to the certbot-haproxy plugin
acl is_certbot path_beg -i /.well-known/acme-challenge
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rspadd X-Frame-Options:\ DENY
use_backend certbot if is_certbot
# The default backend is a cluster of 4 Apache servers that you need to
# host.
default_backend nodes
backend certbot
log global
mode http
server certbot 127.0.0.1:8000
# If redirection from port 80 to 443 is to be forced, uncomment the next
# line. Keep in mind that the bind *:443 line should be uncommented and a
# certificate should be present for all domains
# redirect scheme https if !{ ssl_fc }
backend certbot
log global
mode http
server certbot 127.0.0.1:8000
# You can also configure separate domains to force a redirect from port 80
# to 443 like this:
# redirect scheme https if !{ ssl_fc } and [PUT YOUR DOMAIN NAME HERE]
# The default backend is a cluster of 4 Apache servers that you need to
# host.
default_backend nodes
backend nodes
log global
balance roundrobin
option forwardfor
option http-server-close
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node1 127.0.0.1:8080 check
server node2 127.0.0.1:8080 check
server node3 127.0.0.1:8080 check
server node4 127.0.0.1:8080 check
# If redirection from port 80 to 443 is to be forced, uncomment the next
# line. Keep in mind that the bind *:443 line should be uncommented and a
# certificate should be present for all domains
redirect scheme https if !{ ssl_fc }
backend nodes
log global
mode http
option tcplog
balance roundrobin
option forwardfor
option http-server-close
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node2 hn222.greenhost.nl:80 check
server node1 hn227.greenhost.nl:80 check
EOF
systemctl restart haproxy
......@@ -295,6 +303,44 @@ After you run certbot successfully once, there will be 2 certificate files in
the certificate directory. This is a pre-requisite for HAProxy to start with
the ``bind *:443 [..]`` directive in the configuration.
You can auto renew certificates by using the systemd service and timer below.
They are set to run every 12 hours because certificates that *will not* expire
soon will not be replaced but certificates that *will* expire soon, will be
replaced in a timely manner. The timer also starts the renewal process 2
minutes after the server boots, this is done so renewal starts immediately
after the server has been offline for a long time.
.. code:: bash
cat <<EOF > /etc/systemd/system/letsencrypt.timer
[Unit]
Description=Run Let's Encrypt every 12 hours
[Timer]
# Time to wait after booting before we run first time
OnBootSec=2min
# Time between running each consecutive time
OnUnitActiveSec=12h
Unit=letsencrypt.service
[Install]
WantedBy=timers.target
EOF
cat <<EOF > /etc/systemd/system/letsencrypt.service
[Unit]
Description=Renew Let's Encrypt Certificates
[Service]
Type=simple
ExecStart=/usr/bin/certbot renew -q
EOF
# Enable the timer and start it, this is not necessary for the service,
# since the timer starts it.
systemctl enable letsencrypt.timer
systemctl start letsencrypt.timer
Development: Getting started
-----------------------------
......@@ -314,9 +360,9 @@ other path in your home directory.
.. code:: bash
mkdir ~/projects/cerbot-haproxy/working
mkdir ~/projects/cerbot-haproxy/working/config
mkdir ~/projects/cerbot-haproxy/working/logs
mkdir ~/projects/certbot-haproxy/working
mkdir ~/projects/certbot-haproxy/working/config
mkdir ~/projects/certbot-haproxy/working/logs
cat <<EOF >> ~/.config/letsencrypt/cli.ini
work-dir=~/projects/certbot-haproxy/working/
logs-dir=~/projects/certbot-haproxy/working/logs/
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment