letsencrypt usage after installation

    OlivierSchmitt
    last edited by Jan 20, 2023, 1:16 PM

    Hello Dear All,

    Can someone explain how to install a certificate with letsencrypt?

    I have used the standard Let's Encrypt installation for Apache under Ubuntu Server.
    So, I have:

    ls -al /etc/letsencrypt/live/xxx.xxx.xxx.fr/

    lrwxrwxrwx 1 root root 45 janv. 16 17:17 cert.pem -> ../../archive/xxx.xxx.xxx.fr/cert1.pem
    lrwxrwxrwx 1 root root 46 janv. 16 17:17 chain.pem -> ../../archive/xxx.xxx.xxx.fr/chain1.pem
    lrwxrwxrwx 1 root root 50 janv. 16 17:17 fullchain.pem -> ../../archive/xxx.xxx.xxx.fr/fullchain1.pem
    lrwxrwxrwx 1 root root 48 janv. 16 17:17 privkey.pem -> ../../archive/xxx.xxx.xxx.fr/privkey1.pem

    On the fog side:
    /var/www/html/fog/management/other/ssl/srvpublic.crt
    /var/www/html/fog/management/other/ca.cert.pem

    /etc/apache2/sites-enabled/001-fog.conf:

    <VirtualHost *:80>
    <FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 130.79.125.236
    ServerAlias xxx.xxx.xxx.fr
    DocumentRoot /var/www/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
    <VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName yyy.yyy.yyy.yyy
    ServerAlias xxx.xxx.xxx.fr
    DocumentRoot /var/www/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS>
    SSLHonorCipherOrder On
    SSLCACertificateFile /var/www/fog//management/other/ca.cert.pem
    <Directory /var/www/fog/>
    DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
    SSLCertificateFile /etc/letsencrypt/live/xxx.xxx.xxx.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx.xxx.xxx.fr/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>

    What must be copied/moved/updated between these files?

    Many thanks in advance.

      Sebastian Roth Moderator
      last edited by Jan 20, 2023, 2:14 PM

      @OlivierSchmitt The certificate is not only used by the web UI but also when PXE booting and by the fog-client. So copying/moving certificate and key files on the FOG server is not enough! You need to re-compile the iPXE binaries and eventually the fog-client as well, or use letsencrypt and self-signed certs in parallel so as not to break the fog-client communication.

      Unfortunately there is no proper documentation we can point you to for this. I started a writeup in the wiki some time ago but never got to finish it. This is mainly due to the fact that few people use custom certs (be it letsencrypt or their own internal CA) and so this is very low on the priority list.

      As well I want to point out some security concerns. And I really need to stress this point: FOG was not built with the amount of security in mind that it would need to allow for an installation to be accessible from the internet. Sure you can technically do it, but it's all at your own risk.

      So I am wondering if you want to re-think hosting your FOG server to be accessible from the internet? Why don't you set up VPN tunnels for people to access the FOG web UI from different locations?

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

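The vhost quoted in the question already points Apache at the Let's Encrypt files, while the reply above notes that iPXE and the fog-client trust FOG's own CA and server certificate instead. The following audit script is an added example, not code from the thread or from the FOG project: it parses Apache `<VirtualHost>` blocks, reports the TLS material each one serves, flags the common mistakes (port 443 without `SSLEngine On`, a missing key file, cert and key from different directories, a Let's Encrypt `cert.pem` used where `fullchain.pem` is needed), and, when the files exist, uses the Python standard library to confirm the private key actually belongs to the certificate. The sample config, the hostname `fog.example.invalid` and all paths are constructed for the example.

```python
"""Audit an Apache vhost config for the TLS material the web UI serves (added example)."""
import re
import ssl
from pathlib import Path

# Constructed sample: a condensed version of the two vhosts quoted in the thread,
# with a placeholder hostname.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName fog.example.invalid
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName fog.example.invalid
    SSLEngine On
    SSLCACertificateFile /var/www/fog/management/other/ca.cert.pem
    SSLCertificateFile /etc/letsencrypt/live/fog.example.invalid/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fog.example.invalid/privkey.pem
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
TLS_DIRECTIVES = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile",
                  "sslcacertificatefile", "sslcertificatechainfile"}


def parse_vhosts(text):
    """Return {address: {directive: value}} for every <VirtualHost> block.

    Only top-level directives count; anything inside nested <Directory>/<FilesMatch>
    sections is skipped. A RewriteRule whose target is https:// is recorded as the
    HTTP-to-HTTPS redirect of that vhost.
    """
    vhosts, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current, depth = m.group(1), 0
            vhosts[current] = {}
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue
        if line.startswith("</"):   # leaving a nested section
            depth -= 1
            continue
        if line.startswith("<"):    # entering a nested section
            depth += 1
            continue
        if depth:
            continue
        name, _, value = line.partition(" ")
        key = name.lower()
        if key in TLS_DIRECTIVES:
            vhosts[current][key] = value.strip()
        elif key == "rewriterule" and "https://" in value:
            vhosts[current]["redirect_to_https"] = value.strip()
    return vhosts


def audit(vhosts):
    """Return a list of findings; an empty list means the TLS wiring looks consistent."""
    findings = []
    for addr, d in vhosts.items():
        tls_on = d.get("sslengine", "").lower() == "on"
        if addr.endswith(":80") and "redirect_to_https" not in d:
            findings.append(f"{addr}: plain-HTTP vhost does not redirect to HTTPS")
        if tls_on:
            for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
                if needed not in d:
                    findings.append(f"{addr}: SSLEngine On but {needed} missing")
            cert = d.get("sslcertificatefile", "")
            key = d.get("sslcertificatekeyfile", "")
            if cert and key and Path(cert).parent != Path(key).parent:
                findings.append(f"{addr}: cert and key come from different directories")
            if "/etc/letsencrypt/live/" in cert and not cert.endswith("fullchain.pem"):
                findings.append(f"{addr}: use fullchain.pem so clients receive the intermediate")
        elif addr.endswith(":443"):
            findings.append(f"{addr}: port 443 vhost without SSLEngine On")
    return findings


def cert_key_match(cert_path, key_path):
    """True if the key belongs to the certificate, False if not, None if files are absent.

    load_cert_chain() raises ssl.SSLError on a key/certificate mismatch, which is the
    same check mod_ssl performs at startup.
    """
    if not (Path(cert_path).is_file() and Path(key_path).is_file()):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    parsed = parse_vhosts(SAMPLE_CONF)
    for addr, directives in parsed.items():
        print(addr, directives)
    print("findings:", audit(parsed) or "none")
    tls = parsed.get("*:443", {})
    print("key matches cert:", cert_key_match(tls.get("sslcertificatefile", ""),
                                               tls.get("sslcertificatekeyfile", "")))
```

Run it against a real file by replacing `SAMPLE_CONF` with the contents of `/etc/apache2/sites-enabled/001-fog.conf`; the audit only reads the Apache side, so the FOG-side files under `management/other/` that iPXE and the fog-client use still have to be checked separately, which is the point of the reply above.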
        OlivierSchmitt
        last edited by Jan 20, 2023, 3:10 PM

        @Sebastian-Roth Thanks for your reply.
        It was not for use on the internet.
        I use Let's Encrypt only for convenience on a proof of concept.
        But if we decide to use FOG, we will have to implement SSL in production with a real certificate authority.

          Sebastian Roth Moderator
          last edited by Sebastian Roth Jan 20, 2023, 12:12 PM Jan 20, 2023, 6:10 PM

          @OlivierSchmitt said in letsencrypt usage after installation:

          It was not for use on internet.

          How do you get a letsencrypt certificate if the FOG server is not facing the internet? By copying the files from another system?

