Difference between revisions of "Let's Encrypt ESXi VPS"

From Comprofix
Jump to: navigation, search
(Issue a Certitificate)
 
Line 175: Line 175:
  
 
== Issue a Certitificate ==
 
== Issue a Certitificate ==
 +
 +
Issue a wildcard certificate for your domain
  
 
<pre>
 
<pre>
~/.acme.sh/acme.sh --issue --dns dns_gd -d example.com -d www.example.com -cert-file /etc/nginx/ssl/server.crt --key-file /etc/nginx/ssl/server.key
+
~/.acme.sh/acme.sh --issue --dns dns_gd -d mydomain.com -d "*.mydomain.com" --cert-file /etc/nginx/ssl/server.crt --key-file /etc/nginx/ssl/server.key --reloadcmd "systemctl restart nginx"
 
</pre>
 
</pre>

Latest revision as of 14:54, 25 May 2018

Manually Update Certificates

Generating the Certificate

Generate-openssl.png

  • Open a Command Prompt
  • Change to your OpenSSL Folder
cd \OpenSSL\bin
  • Copy and paste your generated command from above

Generate-csr.png

  • Open Your Key File in Notepad
  • Visit https://zerossl.com/free-ssl/#crt
  • Copy and paste the contents of your Key file you have open in Notepad into the CSR section
  • Accept ZeroSSL TOS and Accept Let’s Encrypt SA and click Next
Zerossl-csr-rsa.png
  • This will generate a RSA for LetsEncrypt
  • Download a copy of your Generated RSA Key. We don’t need this at this time, but we need to download it to continue.
  • Select DNS verification and Click Next
  • Update your DNS TXT records with the information provided.
  • Once DNS has been updated Click Next
  • The certificate will be generated. Download the certificate – domain-crt.txt

Upload your Certificate to ESXi

  • Now you should have two files required for ESXi. esxi_comprofix_com.key file (name depends on what you used in the CSR command) and a domain-crt.txt which is the certificate.
  • Rename your key file to rui.key
  • Rename domain-crt.txt to rui.crt
  • Connect to your ESXi Machine and shutdown any running VMs
  • Put the ESXi Machine into “Maintenance Mode”
  • Enable SSH on your ESXi VPS
  • Download and Install WinSCP – https://winscp.net/eng/download.php
  • Open WinSCP and connect to your ESXi Machine
  • Navigate to the Folder /etc/vmware/ssl
  • Rename the file /etc/vmware/ssl/rui.key to /etc/vmware/ssl/rui.key.bak
  • Rename the file /etc/vmware/ssl/rui.crt to /etc/vmware/ssl/rui.key.crt
  • Upload your rui.key and rui.crt file to /etc/vmware/ssl
  • Download the Putty SSH Client – http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  • Connect to your ESXi machine using Putty
  • Run the command – services.sh restart

Putty-esxi.png

  • This will restart the ESXi Services
  • Take you ESXi Machine out of “Maintenance Mode”
  • Open a Web Browser and visit your ESXi VPS Domain Name that you created.

Esxi-certificate-info.png

Congratulations you should now have a Secured SSL Certificate on your ESXi VPS

Automatically update Certificates

This is a work in progress. Currently this is just notes. Use at your own risk

Enable SSH and Update Firewall Rules

  • From your ESXi VPS. Edit Security Rules to allow SSH Access from one of your failover IP's ONLY.
  • Enable the SSH Shell from Services. And set to start and stop with the machine.

Install Debian Server

  • Install Debian Server
  • Set the IP to the above Failover IP used in the Firewall Rule.
  • Install Extra Packages
sudo apt-get install git curl zsh vim
  • Test SSH from server to ESXi Server
  • Generate SSH Keys between server and esxi host
  • Upload SSH Keys to ESXi
  • Test SSH Login to ESXi, it should not ask you for a password.

Install Web Server

  • Create a DNS A record to point to your VPS. eg: vps.mydomain.com
  • Install nginx
  • Update /etc/nginx.conf
user  www-data;
worker_processes  2;   # Set to number of CPU cores

error_log  /var/log/nginx/error.log;

pid  /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
  include  /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile  on;

  keepalive_timeout  65;

  include /etc/nginx/conf.d/*.conf;

  index  index.html index.htm;
}
  • Create /etc/nginx/conf.g/reverseproxy.conf
ssl_certificate  ssl/server.crt;
ssl_certificate_key  ssl/server.key;
ssl_session_timeout  5m;
ssl_prefer_server_ciphers  on;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  AES256+EECDH:AES256+EDH:!aNULL;

server  {

      listen  80;   # Redirect any port http/80 requests, to https/443 -- generally only matters for internal requests
      server_name  vps.mydomain.com;
      return 301 https://$host$request_uri;
}

server  {
      listen  443 ssl;   # Return 404 page if requesting the root url; can set this to whatever you want, but I just leave this at a 404
      server_name vps.mydomain.com;
      ssl  on;
      root /var/www/html;
      location  / {
          try_files $uri $uri/ =404;
      }
}
  • Create folders for SSL Certs
mkdir -p /etc/nginx/ssl
  • Generate Self Signed Certs to test SSL Forwarding and loading
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
  • Restart Nginx
systemctl restart nginx

Setup DNS API Keys

We will be using acme.sh and a GoDaddy DNS API to automatically update our DNS. Please consult the README to confirm your DNS Provider is available.

First you need to login to your GoDaddy account to get your API Key and Secret.

https://developer.godaddy.com/keys/

Please create a Production key, instead of a Test key.

export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"

Clone and Install acme.sh

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

Issue a Certitificate

Issue a wildcard certificate for your domain

~/.acme.sh/acme.sh --issue --dns dns_gd -d mydomain.com -d "*.mydomain.com" --cert-file /etc/nginx/ssl/server.crt --key-file /etc/nginx/ssl/server.key --reloadcmd "systemctl restart nginx"