Difference between revisions of "Let's Encrypt ESXi VPS"

From Comprofix
Revision as of 13:50, 25 May 2018

Manually Update Certificates

Generating the Certificate

Generate-openssl.png

  • Open a Command Prompt
  • Change to your OpenSSL Folder
cd \OpenSSL\bin
  • Copy and paste your generated command from above

Generate-csr.png

  • Open Your Key File in Notepad
  • Visit https://zerossl.com/free-ssl/#crt
  • Copy and paste the contents of your Key file you have open in Notepad into the CSR section
  • Accept ZeroSSL TOS and Accept Let’s Encrypt SA and click Next
Zerossl-csr-rsa.png
  • This will generate an RSA key for Let's Encrypt
  • Download a copy of your Generated RSA Key. We don’t need this at this time, but we need to download it to continue.
  • Select DNS verification and Click Next
  • Update your DNS TXT records with the information provided.
  • Once DNS has been updated Click Next
  • The certificate will be generated. Download the certificate – domain-crt.txt
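The key, CSR and certificate handling from the steps above as an added shell example (not the Comprofix page's own commands): it generates the private key and CSR with OpenSSL on the machine that keeps the key, and then checks that the certificate the CA returns actually belongs to that key before anything is renamed to rui.key/rui.crt. The .csr is the file a CA's CSR form expects; the .key never needs to leave the machine. Host names and directories are placeholders, and self_sign_csr only stands in for the CA so the matching check can be run offline.

```shell
#!/bin/sh
# Added example, not the Comprofix page's own commands: generate the private key
# and CSR with OpenSSL on the machine that will keep the key, then confirm that
# the certificate the CA hands back belongs to that key before it goes near ESXi.
# Hostnames and directories are placeholders.
set -eu

# make_key_and_csr HOSTNAME OUTDIR
# Writes OUTDIR/HOSTNAME.key (private; never leaves this machine) and
# OUTDIR/HOSTNAME.csr (the public request, which is what a CA's CSR form takes).
make_key_and_csr() {
    host=$1; outdir=$2
    mkdir -p "$outdir"
    # umask in a subshell so the key is created 0600 without changing the caller's umask
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null )
    # Sanity check: the CSR parses and carries the CN we asked for
    openssl req -in "$outdir/$host.csr" -noout -subject | grep -q "CN *= *$host"
}

# self_sign_csr CSR KEY OUTCERT
# Stand-in for the CA so the matching check can be exercised offline; the real
# certificate comes back from ZeroSSL / Let's Encrypt as domain-crt.txt.
self_sign_csr() {
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null
}

# cert_matches_key CERT KEY
# Succeeds only when the public key inside CERT is the one derived from KEY.
# Run this before renaming anything to rui.crt/rui.key: a mismatched pair breaks
# TLS on the host, and you would only find out after services.sh restart.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage, once the CA has returned domain-crt.txt:
#   make_key_and_csr esxi.example.test ./certs
#   cert_matches_key domain-crt.txt ./certs/esxi.example.test.key && echo OK
```

The comparison works on the PEM-encoded public key, so it is the same check whether the CA returned an RSA or an EC certificate; what matters is only that the certificate was issued for the key you are about to install.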

Upload your Certificate to ESXi

  • Now you should have the two files ESXi needs: esxi_comprofix_com.key (the name depends on what you used in the CSR command) and domain-crt.txt, which is the certificate.
  • Rename your key file to rui.key
  • Rename domain-crt.txt to rui.crt
  • Connect to your ESXi Machine and shutdown any running VMs
  • Put the ESXi Machine into “Maintenance Mode”
  • Enable SSH on your ESXi VPS
  • Download and Install WinSCP – https://winscp.net/eng/download.php
  • Open WinSCP and connect to your ESXi Machine
  • Navigate to the Folder /etc/vmware/ssl
  • Rename the file /etc/vmware/ssl/rui.key to /etc/vmware/ssl/rui.key.bak
  • Rename the file /etc/vmware/ssl/rui.crt to /etc/vmware/ssl/rui.crt.bak
  • Upload your rui.key and rui.crt file to /etc/vmware/ssl
  • Download the Putty SSH Client – http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  • Connect to your ESXi machine using Putty
  • Run the command – services.sh restart

Putty-esxi.png

  • This will restart the ESXi Services
  • Take your ESXi Machine out of “Maintenance Mode”
  • Open a Web Browser and visit your ESXi VPS Domain Name that you created.

Esxi-certificate-info.png

Congratulations, you should now have a secured SSL certificate on your ESXi VPS.

Automatically update Certificates

This is a work in progress. Currently this is just notes. Use at your own risk

Enable SSH and Update Firewall Rules

  • From your ESXi VPS, edit the security rules to allow SSH access from one of your failover IPs ONLY.
  • Enable the SSH shell under Services, and set it to start and stop with the host.

Install Debian Server

  • Install Debian Server
  • Set the IP to the above Failover IP used in the Firewall Rule.
  • Install Extra Packages - git curl zsh vim
  • Test SSH from server to ESXi Server
  • Generate SSH Keys between server and esxi host
  • Upload SSH Keys to ESXi
  • Test SSH Login to ESXi, it should not ask you for a password.
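The SSH key steps above as an added shell example (not the page's own commands): it creates a dedicated key on the Debian box, builds an authorized_keys entry that ESXi will only honour from the failover IP you opened in the firewall, installs it, and performs the "it should not ask for a password" check. The IP address, host name and key path are placeholders; the path /etc/ssh/keys-root/authorized_keys is where ESXi keeps root's authorized keys (not ~/.ssh), and esxcli is ESXi's own command-line tool.

```shell
#!/bin/sh
# Added example, not the page's own commands: create a dedicated key for the
# Debian box, turn it into an authorized_keys line that ESXi will only honour
# from the failover IP you opened in the firewall, and check that login works
# without a password. The IP and host names are placeholders; ESXi keeps root's
# authorized keys in /etc/ssh/keys-root/authorized_keys rather than ~/.ssh.
set -eu

# make_deploy_key KEYFILE
# Passphrase-less on purpose: a cron/acme.sh job has nobody to type one. The
# from= restriction below is what limits the damage if the file leaks.
make_deploy_key() {
    ssh-keygen -q -t rsa -b 4096 -N "" -C "esxi-cert-deploy" -f "$1"
}

# authorized_line PUBFILE SOURCE_IP
# Prints the authorized_keys entry: usable only from SOURCE_IP, and with
# forwarding switched off so the key cannot be turned into a tunnel into ESXi.
authorized_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$(cat "$1")"
}

# install_key_on_esxi PUBFILE SOURCE_IP ESXI_HOST
# One interactive (password) login to append the restricted entry.
install_key_on_esxi() {
    authorized_line "$1" "$2" | ssh "root@$3" 'cat >> /etc/ssh/keys-root/authorized_keys'
}

# check_key_login KEYFILE ESXI_HOST
# BatchMode=yes makes ssh fail instead of prompting, so a non-zero exit here
# means the key is not being accepted (this is the "no password asked" test).
check_key_login() {
    ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=5 "root@$2" 'esxcli system version get' >/dev/null
}

# Usage:
#   make_deploy_key ~/.ssh/id_esxi_deploy
#   install_key_on_esxi ~/.ssh/id_esxi_deploy.pub 192.0.2.10 esxi.example.test
#   check_key_login ~/.ssh/id_esxi_deploy esxi.example.test && echo "key login works"
```

The from= option is enforced by sshd on the ESXi side, so even if the key file is copied elsewhere it is useless unless the connection also arrives from the one IP the firewall rule already permits.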

Install Web Server

  • Create a DNS A record to point to your VPS. eg: vps.mydomain.com
  • Install nginx
  • Update /etc/nginx/nginx.conf
user  www-data;
worker_processes  2;   # Set to number of CPU cores

error_log  /var/log/nginx/error.log;

pid  /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
  include  /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile  on;

  keepalive_timeout  65;

  include /etc/nginx/conf.d/*.conf;

  index  index.html index.htm;
}
  • Create /etc/nginx/conf.d/reverseproxy.conf
ssl_certificate  ssl/server.crt;        # relative to the nginx prefix, i.e. /etc/nginx/ssl/ on Debian
ssl_certificate_key  ssl/server.key;
ssl_session_timeout  5m;
ssl_prefer_server_ciphers  on;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; drop them once no old client needs them
ssl_ciphers  AES256+EECDH:AES256+EDH:!aNULL;

server  {
      listen  80;   # Redirect any http/80 request to https/443 -- generally only matters for internal requests
      server_name  firewall.comprofix.com;
      return 301 https://$host$request_uri;
}

server  {
      listen  443 ssl;   # "ssl" on the listen line enables TLS; the separate "ssl on;" directive is redundant and deprecated
      server_name firewall.comprofix.com;
      root /var/www/html;
      location  / {
          # Return a 404 page if requesting the root url; can set this to whatever you want, but I just leave this at a 404
          try_files $uri $uri/ =404;
      }
}
  • Create folders for SSL Certs
mkdir -p /etc/nginx/ssl
  • Generate Self Signed Certs to test SSL Forwarding and loading
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
  • Restart Nginx
systemctl restart nginx

Setup Let's Encrypt

We will be using acme.sh and a DNS API to automatically update our DNS. Please consult the README to confirm your DNS Provider is available.

I will be using GoDaddy as that is who I use for DNS.


  • Clone and Install acme.sh
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
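The "Upload your Certificate to ESXi" steps from the manual section, done non-interactively, as an added shell example (not the page's own code and not part of acme.sh): this is the piece a renewal job has to run after acme.sh has obtained a new certificate (acme.sh's --reloadcmd / --renew-hook options exist to call such a script; wiring that up is the part of this page still marked as work in progress). ESXI_HOST, ESXI_KEY and the certificate paths are placeholders, and ESXI_SSH / ESXI_SCP can be pointed at wrapper functions for a dry run, which is how the script can be exercised without a host.

```shell
#!/bin/sh
# Added example, not the page's own code: the "Upload your Certificate to ESXi"
# steps done non-interactively, which is what acme.sh needs to call after a
# renewal (its --reloadcmd/--renew-hook options exist for exactly that).
# ESXI_HOST, ESXI_KEY and the cert paths are placeholders; ESXI_SSH/ESXI_SCP
# can be pointed at wrapper functions for a dry run.
set -eu

ESXI_HOST=${ESXI_HOST:-esxi.example.test}
ESXI_KEY=${ESXI_KEY:-${HOME:-/root}/.ssh/id_esxi_deploy}
ESXI_SSH=${ESXI_SSH:-ssh}
ESXI_SCP=${ESXI_SCP:-scp}
SSL_DIR=/etc/vmware/ssl

# BatchMode=yes: fail instead of prompting, since nobody is at the terminal
esxi_ssh() { "$ESXI_SSH" -i "$ESXI_KEY" -o BatchMode=yes "root@$ESXI_HOST" "$@"; }
esxi_scp() { "$ESXI_SCP" -i "$ESXI_KEY" -o BatchMode=yes "$1" "root@$ESXI_HOST:$2"; }

# deploy_cert CERT KEY
#  1. refuse to ship a certificate that does not belong to the key
#  2. keep a timestamped copy of the current pair instead of overwriting one .bak
#  3. copy the new pair into /etc/vmware/ssl and restart the services, as the
#     manual procedure does with services.sh restart
deploy_cert() {
    cert=$1; key=$2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "certificate and key do not match, refusing to deploy" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    esxi_ssh "cp $SSL_DIR/rui.crt $SSL_DIR/rui.crt.$stamp && cp $SSL_DIR/rui.key $SSL_DIR/rui.key.$stamp"
    esxi_scp "$cert" "$SSL_DIR/rui.crt"
    esxi_scp "$key" "$SSL_DIR/rui.key"
    esxi_ssh "chmod 600 $SSL_DIR/rui.key && services.sh restart"
}

# Usage (acme.sh keeps the issued files under ~/.acme.sh/<domain>/):
#   deploy_cert ~/.acme.sh/esxi.example.test/fullchain.cer \
#               ~/.acme.sh/esxi.example.test/esxi.example.test.key
```

Because services.sh restart is as disruptive here as it is in the manual procedure, the job should only run when acme.sh has actually renewed something, which is what the hook options give you; the timestamped backups on the host are what you fall back to from the console if the new pair does not come up.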