HTTPS via Let's Encrypt - HVboom/HowTo-DigitalOcean GitHub Wiki
Setup Let's Encrypt
In the meantime DigitalOcean supports the usage of wildcard certificates from Let's Encrypt.

- To use this feature you have to install the additional certbot DNS plugin package (Debian/Ubuntu):

  ```
  sudo apt install python3-certbot-dns-digitalocean
  ```

- Create a DigitalOcean Applications & API token and store the generated token in `/home/biz/.ssh/certbot.token` with the content

  ```
  dns_digitalocean_token = <token>
  ```
- Enter AAAA DNS records for your domain (Networking - Domains):
  - hvboom.biz
  - *.hvboom.biz
  - *.demo.hvboom.biz
  - *.<user>.hvboom.biz for each development user
- Retrieve wildcard certificates for your domain (do not forget to remove the `--dry-run` option 😉):

  ```
  sudo certbot certonly --dry-run --dns-digitalocean \
    --dns-digitalocean-credentials /home/biz/.ssh/certbot.token \
    -d hvboom.biz -d '*.hvboom.biz' -d '*.demo.hvboom.biz' -d '*.mario.hvboom.biz'
  ```
  ```
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Enter email address (used for urgent renewal and security notices)
   (Enter 'c' to cancel): [email protected]

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please read the Terms of Service at
  https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must
  agree in order to register with the ACME server. Do you agree?
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: Y

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Would you be willing, once your first certificate is successfully issued, to
  share your email address with the Electronic Frontier Foundation, a founding
  partner of the Let's Encrypt project and the non-profit organization that
  develops Certbot? We'd like to send you email about our work encrypting the web,
  EFF news, campaigns, and ways to support digital freedom.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: N
  Account registered.
  Requesting a certificate for hvboom.biz and 3 more domains
  Waiting 10 seconds for DNS changes to propagate

  Successfully received certificate.
  Certificate is saved at: /etc/letsencrypt/live/hvboom.biz/fullchain.pem
  Key is saved at:         /etc/letsencrypt/live/hvboom.biz/privkey.pem
  This certificate expires on 2024-10-21.
  These files will be updated when the certificate renews.
  Certbot has set up a scheduled task to automatically renew this certificate in the background.

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  If you like Certbot, please consider supporting our work by:
   * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   * Donating to EFF:                    https://eff.org/donate-le
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ```
The certbot package installed a systemd timer that automatically renews certificates which are about to expire. Whether the timer is running as expected can be checked with

```
sudo systemctl status certbot.timer
```
In the meantime DigitalOcean supports the usage of wildcard certificates from Let's Encrypt; the following are the FreeBSD steps.

- To use this feature you have to install the additional certbot DNS plugin package (FreeBSD):

  ```
  sudo pkg install py39-certbot-dns-digitalocean-2.6.0
  ```

- To schedule an automatic renewal of your certificates add

  ```
  weekly_certbot_enable="YES"
  ```

  to `/etc/periodic.conf`
- More config details can be found in the certbot periodic script: `/usr/local/etc/periodic/weekly/500.certbot-3.9`
- Create a DigitalOcean Applications & API token and store the generated token in `~/.ssh/certbot.token` with the content

  ```
  dns_digitalocean_token = <token>
  ```
- Revoke your current certificates (choose the delete option when certbot asks) and retrieve wildcard certificates for your domain (do not forget to remove the `--dry-run` option 😉):

  ```
  # --dry-run is only accepted by the certonly and renew subcommands, so revoke runs without it
  sudo certbot revoke --cert-path /usr/local/etc/letsencrypt/live/hvboom.org/cert.pem --reason superseded
  sudo certbot certonly --dry-run --dns-digitalocean \
    --dns-digitalocean-credentials ~/.ssh/certbot.token \
    -d hvboom.org -d '*.hvboom.org' -d '*.demo.hvboom.org' -d '*.<user>.hvboom.org'
  ```
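Both wildcard procedures above (Ubuntu and FreeBSD) hand certbot a credentials file holding the DigitalOcean API token, which can change every DNS record of the account. The check below is added here and is not part of the wiki: it verifies that file before certbot runs, requiring owner-only permissions (certbot logs an unsafe-permissions warning otherwise) and a real `dns_digitalocean_token` value rather than the `<token>` placeholder. The path in the usage comment is an assumption matching the wiki's `~/.ssh/certbot.token`.

```shell
#!/bin/sh
# Added example, not from the HVboom wiki.
# Usage: check_token_file ~/.ssh/certbot.token   (path assumed, as in the wiki)
# Exit status: 0 ok, 1 missing, 2 unsafe permissions, 3 no token line, 4 placeholder.

check_token_file() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "missing: $f" >&2
    return 1
  fi
  # ls -l output is POSIX-defined: the first ten characters are the file type
  # and permission bits, e.g. "-rw-------"; -L follows a symlink to the file.
  mode=$(ls -ldL "$f" | cut -c1-10)
  case $mode in
    -rw-------|-r--------) ;;
    *) echo "unsafe permissions $mode on $f (want 0600)" >&2; return 2 ;;
  esac
  # certbot reads an INI-style "dns_digitalocean_token = <value>" line.
  token=$(sed -n 's/^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*//p' "$f")
  case $token in
    '') echo "no dns_digitalocean_token line in $f" >&2; return 3 ;;
    *'<'*'>'*) echo "placeholder token left in $f" >&2; return 4 ;;
  esac
  return 0
}
```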
If you would rather have a certificate for each application, then please follow the instructions below.

- Run the Certbot client with `sudo certbot certonly`
  - installed files are stored in `/usr/local/etc/letsencrypt`
  - the log file can be found in `/var/log/letsencrypt/letsencrypt.log`
- Obtain all certificates (dry run first; the webroot/domain pairs are kept in a bash array so the grouping comments do not break the backslash-continued command):

  ```bash
  webroots=(
    -w /home/jekyll/Live/Homepage -d hvboom.org -d www.hvboom.org
    -w /home/hvdigitalsafe/RubyOnRails/HVDigitalSafe/public -d hvdigitalsafe.hvboom.org
    -w /home/hvkeyguard/RubyOnRails/HVKeyGuard/public -d hvkeyguard.hvboom.org
    -w /home/demo/RubyOnRails/HVDigitalSafe/public -d hvdigitalsafe.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVKeyGuard/public -d hvkeyguard.demo.hvboom.org
    -w /home/mario/RubyOnRails/HVDigitalSafe/public -d hvdigitalsafe.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVKeyGuard/public -d hvkeyguard.mario.hvboom.org
    -w /home/demo/RubyOnRails/HVPlayground/public -d hvplayground.demo.hvboom.org
    -w /home/mario/RubyOnRails/HVPlayground/public -d hvplayground.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVLookBook/public -d hvlookbook.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVControlTower/public -d hvcontroltower.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVMembership/public -d hvmembership.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVEntitlement/public -d hventitlement.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVLogger/public -d hvlogger.mario.hvboom.org
    -w /home/mario/RubyOnRails/HVTurtleGraphics/public -d hvturtlegraphics.mario.hvboom.org
    -w /home/jekyll/Projects -d jekyll.hvboom.org
    -w /home/jekyll/Preview -d preview.hvboom.org
    -w /home/jekyll/Live -d docs.hvboom.org
    # Demo
    -w /home/demo/RubyOnRails/HVLookBook/public -d hvlookbook.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVControlTower/public -d hvcontroltower.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVMembership/public -d hvmembership.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVEntitlement/public -d hventitlement.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVLogger/public -d hvlogger.demo.hvboom.org
    -w /home/demo/RubyOnRails/HVTurtleGraphics/public -d hvturtlegraphics.demo.hvboom.org
    # Production
    -w /home/hvlookbook/RubyOnRails/HVLookBook/public -d hvlookbook.hvboom.org
    -w /home/hvcontroltower/RubyOnRails/HVControlTower/public -d hvcontroltower.hvboom.org
    -w /home/hvmembership/RubyOnRails/HVMembership/public -d hvmembership.hvboom.org
    -w /home/hventitlement/RubyOnRails/HVEntitlement/public -d hventitlement.hvboom.org
    -w /home/hvlogger/RubyOnRails/HVLogger/public -d hvlogger.hvboom.org
    -w /home/hvturtlegraphics/RubyOnRails/HVTurtleGraphics/public -d hvturtlegraphics.hvboom.org
  )
  sudo certbot certonly --dry-run --webroot "${webroots[@]}"
  ```
Setup Rails application to serve HTTPS only (hints from SSL with Rails 5)

- add the following lines to `config/environments/development.rb` and `config/environments/production.rb`:

  ```ruby
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true
  config.ssl_options = { hsts: { preload: true } }
  ```
- Because the sites are only reachable via HTTPS, it is necessary to relax that setting while the certificates are updated.
- Change the following Apache configuration files and restart the server:

  ```
  cd /usr/local/etc/apache24/Includes
  sudo mv 000_vhost_080_default.conf 000_vhost_080_default.conf_
  sudo mv 000_vhost_080_certbot.conf_ 000_vhost_080_certbot.conf
  sudo service apache24 restart
  ```

- Always run a dry-run first:

  ```
  sudo certbot renew --dry-run
  ```

- Update the certificates and adjust the file permissions:

  ```
  sudo certbot renew
  cd /usr/local/etc/letsencrypt/
  sudo chgrp -RL www .
  sudo chmod -R g+rX .
  sudo chmod -R o-rwx .
  ```

- Reinstate the HTTPS-only settings by reverting the above changes, and do not forget to restart the Apache server afterwards:

  ```
  cd /usr/local/etc/apache24/Includes
  sudo mv 000_vhost_080_default.conf_ 000_vhost_080_default.conf
  sudo mv 000_vhost_080_certbot.conf 000_vhost_080_certbot.conf_
  sudo service apache24 restart
  ```
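The renewal steps above have a failure mode worth closing: if `certbot renew` aborts after the vhost swap, Apache keeps serving the relaxed configuration. The script below is added here and is not part of the wiki; it wraps those steps so the HTTPS-only vhost is restored on every path and the permission fix only runs after a successful renewal. It uses the wiki's FreeBSD paths; the overridable variables (`INCLUDES`, `LE_DIR`, `WEB_GROUP`, `RESTART`, `RENEW`) and the file name `renew-le.sh` are assumptions added so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the HVboom wiki. Run as: sudo sh renew-le.sh run
INCLUDES="${INCLUDES:-/usr/local/etc/apache24/Includes}"
LE_DIR="${LE_DIR:-/usr/local/etc/letsencrypt}"
WEB_GROUP="${WEB_GROUP:-www}"
RESTART="${RESTART:-service apache24 restart}"
RENEW="${RENEW:-certbot renew}"

# Swap in the plain-HTTP vhost so the webroot challenge is reachable.
enable_certbot_vhost() {
  mv "$INCLUDES/000_vhost_080_default.conf" "$INCLUDES/000_vhost_080_default.conf_" &&
    mv "$INCLUDES/000_vhost_080_certbot.conf_" "$INCLUDES/000_vhost_080_certbot.conf" &&
    $RESTART
}

# Swap the HTTPS-only vhost back; safe to call even if the swap only half happened.
restore_default_vhost() {
  [ -e "$INCLUDES/000_vhost_080_certbot.conf" ] &&
    mv "$INCLUDES/000_vhost_080_certbot.conf" "$INCLUDES/000_vhost_080_certbot.conf_"
  [ -e "$INCLUDES/000_vhost_080_default.conf_" ] &&
    mv "$INCLUDES/000_vhost_080_default.conf_" "$INCLUDES/000_vhost_080_default.conf"
  $RESTART
}

# Make the renewed files readable by the web server group and by nobody else.
fix_permissions() {
  chgrp -RL "$WEB_GROUP" "$LE_DIR" &&
    chmod -R g+rX "$LE_DIR" &&
    chmod -R o-rwx "$LE_DIR"
}

# Returns certbot's exit status; the vhost is restored on every path,
# the permission fix runs only after a successful renewal.
renew_certificates() {
  enable_certbot_vhost || return 1
  $RENEW
  rc=$?
  restore_default_vhost
  [ "$rc" -eq 0 ] || return "$rc"
  fix_permissions
}

# Run the renewal only when invoked explicitly, never on plain sourcing.
if [ "${1:-}" = "run" ]; then
  renew_certificates
fi
```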