From 9d92c20e8095c8a2dd5812184cbe4c08851e7c14 Mon Sep 17 00:00:00 2001 From: Chris Snijder Date: Mon, 22 Aug 2016 16:50:24 +0200 Subject: [PATCH] Fix issues with config in readme.rst --- README.rst | 120 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 83 insertions(+), 37 deletions(-) diff --git a/README.rst b/README.rst index ab9cf4a..0ba03bc 100644 --- a/README.rst +++ b/README.rst @@ -11,7 +11,7 @@ take additional steps during the installation. - Debian Jessie (or higher) or Ubuntu Trusty (or higher). - Python 2.7 (2.6 is supported by certbot and our goal is to be compatible but it has not been tested yet). -- HAProxy 1.5+ (we will configure SNI, which is not strictly required) +- HAProxy 1.6+ (we will configure SNI, which is not strictly required) - Certbot 0.8+ Installing: Getting started @@ -106,9 +106,10 @@ In order to let Certbot run as an unprivileged user, we will: automatic renewal of certificates can be run by this user. - Tell Certbot that the working directories are located in ``certbot``'s home directory. -- Optionally: add your own user account to the Cerbot user's group so you can +- Optionally: add your own user account to the Certbot user's group so you can run Certbot manually. - Allow HAProxy to access the certificates that are generated by Certbot. +- Allow the certbot user to restart the HAProxy server. Lastly, to do automatic renewal of certificates, we will create a systemd timer and a service to start at every boot and every 12 hours, at a random time off @@ -130,7 +131,7 @@ web hosting environment - you can add those users to the ``certbot`` group. usermod -a -G certbot [ADD YOUR USER HERE] -You will also need to tell your user what the working directory of your Cerbot +You will also need to tell your user what the working directory of your Certbot setup is (/opt/certbot/). Certbot allows you to create a configuration file with default settings in the users' home dir: ``opt/certbot/.config/letsencrypt/cli.ini``. @@ -148,6 +149,14 @@ Besides the working directory. Next time you run Certbot, it will use our new working directory. +Now to allow the certbot user to restart HAProxy, put the following in the +sudoers file: + +.. code:: bash + cat <> /etc/sudoers + %certbot ALL=NOPASSWD: /bin/systemctl restart haproxy + EOF + Now we haven't done one very essential thing yet, install ``certbot-haproxy``. Since our plugin is in an alpha stage, we did not package it yet. You will need to get it from our Gitlab server. @@ -184,15 +193,14 @@ together a configuration that works for you. # Default ciphers to use on SSL-enabled listening sockets. # Cipher suites chosen by following logic: - # - Authenticated ciphers first - # - SHA384/256 first, then SHA for compatibility # - Bits of security 128>256 (weighing performance vs added security) # - Key exchange: EECDH>DHE (faster first) # - Mode: GCM>CBC (streaming cipher over block cipher) # - Ephemeral: All use ephemeral key exchanges # - Explicitly disable weak ciphers and SSLv3 ssl-default-bind-ciphers AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:-SHA:AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!3DES:!DSS - ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12 + #ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12 + ssl-default-bind-options no-sslv3 no-tls-tickets ssl-dh-param-file /opt/certbot/dhparams.pem defaults @@ -214,49 +222,49 @@ together a configuration that works for you. frontend http-in # Listen on port 80 bind *:80 - mode http # Listen on port 443 # Uncomment after running certbot for the first time, a certificate # needs to be installed *before* HAProxy will be able to start when this # directive is not commented. # - ## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains + bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains - # Forward Cerbot verification requests to the certbot-haproxy plugin + # Forward Certbot verification requests to the certbot-haproxy plugin acl is_certbot path_beg -i /.well-known/acme-challenge + rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload + rspadd X-Frame-Options:\ DENY use_backend certbot if is_certbot + # The default backend is a cluster of 4 Apache servers that you need to + # host. + default_backend nodes - backend certbot - log global - mode http - server certbot 127.0.0.1:8000 - - # If redirection from port 80 to 443 is to be forced, uncomment the next - # line. Keep in mind that the bind *:443 line should be uncommented and a - # certificate should be present for all domains - # redirect scheme https if !{ ssl_fc } + backend certbot + log global + mode http + server certbot 127.0.0.1:8000 # You can also configure separate domains to force a redirect from port 80 # to 443 like this: # redirect scheme https if !{ ssl_fc } and [PUT YOUR DOMAIN NAME HERE] - # The default backend is a cluster of 4 Apache servers that you need to - # host. - default_backend nodes + backend nodes + log global + balance roundrobin + option forwardfor + option http-server-close + option httpclose + http-request set-header X-Forwarded-Port %[dst_port] + http-request add-header X-Forwarded-Proto https if { ssl_fc } + option httpchk HEAD / HTTP/1.1\r\nHost:localhost + server node1 127.0.0.1:8080 check + server node2 127.0.0.1:8080 check + server node3 127.0.0.1:8080 check + server node4 127.0.0.1:8080 check + # If redirection from port 80 to 443 is to be forced, uncomment the next + # line. Keep in mind that the bind *:443 line should be uncommented and a + # certificate should be present for all domains + redirect scheme https if !{ ssl_fc } - backend nodes - log global - mode http - option tcplog - balance roundrobin - option forwardfor - option http-server-close - option httpclose - http-request set-header X-Forwarded-Port %[dst_port] - http-request add-header X-Forwarded-Proto https if { ssl_fc } - option httpchk HEAD / HTTP/1.1\r\nHost:localhost - server node2 hn222.greenhost.nl:80 check - server node1 hn227.greenhost.nl:80 check EOF systemctl restart haproxy @@ -295,6 +303,44 @@ After you run certbot successfully once, there will be 2 certificate files in the certificate directory. This is a pre-requisite for HAProxy to start with the ``bind *:443 [..]`` directive in the configuration. +You can auto renew certificates by using the systemd service and timer below. +They are set to run every 12 hours because certificates that *will not* expire +soon will not be replaced but certificates that *will* expire soon, will be +replaced in a timely manner. The timer also starts the renewal process 2 +minutes after the server boots, this is done so renewal starts immediately +after the server has been offline for a long time. + +.. code:: bash + cat < /etc/systemd/system/letsencrypt.timer + [Unit] + Description=Run Let's Encrypt every 12 hours + + [Timer] + # Time to wait after booting before we run first time + OnBootSec=2min + # Time between running each consecutive time + OnUnitActiveSec=12h + Unit=letsencrypt.service + + [Install] + WantedBy=timers.target + EOF + + cat < /etc/systemd/system/letsencrypt.service + [Unit] + Description=Renew Let's Encrypt Certificates + + [Service] + Type=simple + ExecStart=/usr/bin/certbot renew -q + EOF + + # Enable the timer and start it, this is not necessary for the service, + # since the timer starts it. + systemctl enable letsencrypt.timer + systemctl start letsencrypt.timer + + Development: Getting started ----------------------------- @@ -314,9 +360,9 @@ other path in your home directory. .. code:: bash - mkdir ~/projects/cerbot-haproxy/working - mkdir ~/projects/cerbot-haproxy/working/config - mkdir ~/projects/cerbot-haproxy/working/logs + mkdir ~/projects/certbot-haproxy/working + mkdir ~/projects/certbot-haproxy/working/config + mkdir ~/projects/certbot-haproxy/working/logs cat <> ~/.config/letsencrypt/cli.ini work-dir=~/projects/certbot-haproxy/working/ logs-dir=~/projects/certbot-haproxy/working/logs/