From: Dobrica Pavlinusic
Date: Mon, 29 Jul 2019 09:47:35 +0000 (+0200)
Subject: use let's encrypt wild cartificate for *.bmj.com
X-Git-Url: http://git.rot13.org/?p=via-proxy;a=commitdiff_plain;h=68fc2a98f330b61508241ef8ebf9c51f900ce82e
use let's encrypt wild cartificate for *.bmj.com
---
diff --git a/certbot-wildcard.txt b/certbot-wildcard.txt
new file mode 100644
index 0000000..7b95148
--- /dev/null
+++ b/certbot-wildcard.txt
@@ -0,0 +1,54 @@
+Some providers like to have multiple prefix before it's domain. This is
+problem for Let's Encrypt certificates because we can have just 100 names
+in each certificate, so alternative solution is needed.
+
+This is guide how to configure Let's Encrypt wildcard certificate and
+rewrite every host under it.
+
+
+Install DNS plugin for certbot
+
+# part of stretch backports or buster
+
+dpavlin@mjesec:/srv/via-proxy$ sudo apt install python3-certbot-dns-rfc2136
+
+
+mjesec:/etc/bind# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST p2.vbz.ffzg.hr
+Kp2.vbz.ffzg.hr.+165+16105
+
+mjesec:/etc/bind# tail -5 named.conf.options
+
+key "p2.vbz.ffzg.hr" {
+ algorithm hmac-sha512;
+ secret "Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8n yVkJWpswoyntgJd7YXcsXKZgzKVbpw==";
+}
+
+
+Allow creation of txt records:
+
+diff --git a/bind/named.conf.local b/bind/named.conf.local
+index acc4997..fbc101b 100644
+--- a/bind/named.conf.local
++++ b/bind/named.conf.local
+@@ -41,6 +41,9 @@ zone "knjiznica.ffzg.hr" {
+ zone "vbz.ffzg.hr" {
+ type master;
+ file "/etc/bind/vbz.ffzg.hr.db";
++ update-policy {
++ grant p2.vbz.ffzg.hr zonesub txt;
++ };
+ };
+
+
+Request certificate with dns auth:
+
+mjesec:/etc/letsencrypt# cat credentials.ini
+dns_rfc2136_server = 127.0.0.1
+dns_rfc2136_name = p2.vbz.ffzg.hr
+dns_rfc2136_secret = Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8nyVkJWpswoyntgJd7YXcsXKZgzKVbpw==
+dns_rfc2136_algorithm = HMAC-SHA512
+
+
+dpavlin@mjesec:/srv/via-proxy$ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/credentials --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136-propagation-seconds 5 -d 'p2.vbz.ffzg.hr' -d '*.p2.vbz.ffzg.hr' -d '*.bmj.com.p2.vbz.ffzg.hr'
+
+
diff --git a/providers/www.bmj.com.conf b/providers/www.bmj.com.conf
new file mode 100644
index 0000000..7d6b07a
--- /dev/null
+++ b/providers/www.bmj.com.conf
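Review bot: The TSIG secret produced by `dnssec-keygen` is reproduced verbatim twice in this file (in the `named.conf.options` excerpt and in `credentials.ini`), and it is exactly the key that `update-policy { grant p2.vbz.ffzg.hr zonesub txt; }` trusts for dynamic updates to vbz.ffzg.hr, so committing it places a live credential into the repository history; the key should be regenerated on the server and the walkthrough should show a placeholder instead, e.g. `secret "<TSIG-SECRET>";` and `dns_rfc2136_secret = <TSIG-SECRET>`. The certbot command passes `--dns-rfc2136-credentials /etc/letsencrypt/credentials`, but the file shown just above it is `credentials.ini`, so one of the two paths needs correcting before the guide can be followed as written. The guide also never restricts who can read the credentials file; a `chmod 600 /etc/letsencrypt/credentials.ini` step after writing it would close that gap (certbot itself warns when the file is readable by other users). The two copies of the secret also differ by a space in the middle; whichever is the real value, the other looks like a paste artifact and is worth fixing so readers do not configure a non-matching key.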
@@ -0,0 +1,48 @@
+# see certbot-wildcard.txt to see how is this configured
+
+
+ Include /srv/via-proxy/ssl.conf
+
+ SSLCertificateFile /etc/letsencrypt/live/p2.vbz.ffzg.hr/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/p2.vbz.ffzg.hr/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/p2.vbz.ffzg.hr/chain.pem
+
+ ServerName www.bmj.com.p2.vbz.ffzg.hr
+ ServerAlias *.bmj.com.p2.vbz.ffzg.hr
+
+ RewriteEngine on
+ # fix broken chunging
+ #RewriteRule /common/javascript/extjs/ext-all.js https://www.bmj.com/common/javascript/extjs/ext-all.js [R,L]
+
+ SSLProxyEngine on
+ ProxyAddHeaders Off
+
+
+ Order Deny,Allow
+ Allow from all
+
+
+ RewriteCond %{HTTP_HOST} ^(.+bmj.com)
+ RewriteRule ^/(.*)$ https://%1/$1 [P]
+
+# ProxyPass / https://www.bmj.com/
+# ProxyPassReverse / https://www.bmj.com/
+
+ Header edit* Set-Cookie "(.*)(?i:; *domain=)([^;]+)(.*)" "$1 ; domain=$2.p2.vbz.ffzg.hr $3"
+ #Header edit* Set-Cookie "(.*)(?i:; *secure)" "$1"
+ Header edit* Location "https://([a-z]+).bmj.com" "https://$1.bmj.com.p2.vbz.ffzg.hr"
+
+ RequestHeader unset Accept-Encoding
+ # we don't use https:// here because some urls are in javascript with escaped http:\/\/
+ Substitute "s|(\w+)\.bmj\.com|$1.bmj.com.p2.vbz.ffzg.hr|i"
+
+ FilterDeclare NEWPATHS
+ FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/html|"
+ FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/css|"
+ FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/javascript|"
+ FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^application/javascript|"
+ FilterChain NEWPATHS
+
+ CustomLog /var/log/apache2/access-p2.vbz.ffzg.hr.log vhost_combined
+
+
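Review bot: The `RewriteCond %{HTTP_HOST} ^(.+bmj.com)` that feeds the `[P]` rule is anchored only at the start and leaves its dots unescaped, so any Host value that merely contains a `bmj.com`-like string, not just names under the proxy suffix, is captured into `%1` and becomes the upstream the RewriteRule proxies to; if this vhost happens to be the first one on :443, requests whose Host matches no ServerAlias would also land here. Anchoring the condition to the suffix, `RewriteCond %{HTTP_HOST} ^(.+\.bmj\.com)\.p2\.vbz\.ffzg\.hr$ [NC]`, yields the same `%1` for legitimate hosts and stops the rule from firing for anything else. The same unescaped, unanchored pattern appears in `Header edit* Location "https://([a-z]+).bmj.com"`, which also skips labels containing digits or hyphens; `https://([a-z0-9-]+)\.bmj\.com` would be consistent with the Substitute rule's `\.bmj\.com`. The `<VirtualHost>` and `<Proxy>` container lines that should surround `Order Deny,Allow` / `Allow from all` appear to have been stripped from this rendering (the header counts 48 lines but only empty `+` lines remain where they would sit), so the scope of that access rule could not be reviewed; note that `Order`/`Allow` is the 2.2 syntax and `Require all granted` is the 2.4 equivalent if the server is 2.4.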