SSL certificate for AllStarLink: Difference between revisions

From WLPS Wiki

Latest revision as of 00:27, 7 August 2025

What is SSL

SSL (Secure Sockets Layer) is the original name of the protocol that encrypts the connection between a web server (host) and a web browser (client). Its modern successor is TLS (Transport Layer Security), but the name SSL is still in common use, and it is what the https address and the padlock in the browser stand for. The encrypted connection keeps the data exchanged between the two private and protects it from tampering on the way, and the server's certificate lets the browser verify that it is really talking to your host and not to someone impersonating it. Note that this protects the connection only: the node's web pages still need their own login, and the Pi still needs regular updates.

What you need

You will need a FQDN (fully qualified domain name) that points at your node's public IP address and is kept up to date either by the Raspberry Pi itself or by your router. I am using a UniFi USG Ultra and a free dynamic DNS (DDNS) hostname from the freemyip.com site.

FQDN setup

Go to the freemyip.com website (https://freemyip.com) and register your domain name, which will be something like my_domain_name.freemyip.com

Save the generated token and treat it as a password: anyone who has it can point your hostname at another address, and there is no way to recover it if you lose it.

The update URL will look like:

https://freemyip.com/update?token=your_unique_password&domain=my_domain_name.freemyip.com
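If your router has no DDNS client, the same update URL can be called from the Raspberry Pi on a schedule. The script below is an added example, not part of the original page and not freemyip.com's own tooling; it assumes the update URL format shown above, curl installed on the Pi, and a token file at /etc/freemyip.token (my choice of path) that is readable only by root, so the token never appears in a crontab or in a process listing.

```shell
#!/bin/sh
# Added example (not from the WLPS wiki page): update a freemyip.com
# hostname from the Raspberry Pi itself, for nodes whose router has no
# DDNS client. Assumptions: the update URL format shown on the page, a
# token file at /etc/freemyip.token (my choice), and curl installed.

# Where the token lives. Keep it out of the command line and out of the
# crontab so it does not show up in `ps` output or world-readable files:
#   sudo sh -c 'umask 077; echo your_unique_password > /etc/freemyip.token'
TOKEN_FILE="${FREEMYIP_TOKEN_FILE:-/etc/freemyip.token}"

# Read the token, refusing to continue if the file is missing or
# readable by other users.
read_token() {
    file="$1"
    [ -f "$file" ] || { echo "token file $file not found" >&2; return 1; }
    # Permission check: only the owner may read the secret (GNU stat,
    # with a BSD fallback).
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perms" in
        600|400) ;;
        *) echo "token file $file must be mode 600 or 400, is $perms" >&2; return 1 ;;
    esac
    tr -d '[:space:]' < "$file"
}

# Build the update URL the page shows, from a token and a hostname.
build_update_url() {
    token="$1"; domain="$2"
    printf 'https://freemyip.com/update?token=%s&domain=%s\n' "$token" "$domain"
}

# Call freemyip.com over HTTPS. --fail makes curl exit non-zero on an HTTP
# error, so a cron job sees the failure in its mail or log.
ddns_update() {
    domain="$1"
    token=$(read_token "$TOKEN_FILE") || return 1
    url=$(build_update_url "$token" "$domain")
    curl --silent --show-error --fail --max-time 20 "$url"
}

# Usage (for example from root's crontab every 10 minutes):
#   */10 * * * * /usr/local/sbin/freemyip-update.sh my_domain_name.freemyip.com
if [ -n "$1" ]; then
    ddns_update "$1"
fi
```

The update is harmless to repeat, so a short interval is fine; what matters is that the token file is owned by root with mode 600 and that the script is run by root, which is why the script refuses any other permission.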

USG Ultra DDNS setup

Go to Settings > Internet > Primary (WAN1) > Dynamic DNS > Create New Dynamic DNS and input the following data.

New Dynamic DNS
  Interface: WAN
  Service: freemyip
  Host Name: any name you like
  User Name: my_domain_name
  Password: your_unique_password
  Server: freemyip.com

Next, go to Settings > Application Firewall > Port Forwarding > Add Rule and forward port 443 Protocol TCP to your AllStarLink node Raspberry Pi IP address. Add a second rule for port 80 Protocol TCP to the same address: Certbot's Apache plugin proves you control the name with an HTTP-01 challenge, which Let's Encrypt fetches over plain HTTP on port 80, so issuance and every later renewal fail if port 80 is not reachable from the Internet. Forwarding these ports makes the node's web interface reachable from the whole Internet, so keep the Allmon3 login enabled and the Pi updated.

SSL certificate setup

First edit the file 000-default.conf

sudo nano /etc/apache2/sites-enabled/000-default.conf

so that it contains the two virtual hosts below. The *:80 one is already there by default; add the *:443 one at the end of the file. Set ServerName in both to your FQDN: Certbot uses it to find the virtual host that belongs to your name, and Apache uses it when building redirect URLs.

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName my_domain_name.freemyip.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName my_domain_name.freemyip.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

In this case we will use Certbot, which is free but requires snapd and the snap core. On your AllStarLink node type:

sudo apt update
sudo apt install snapd
sudo reboot
sudo snap install core
sudo snap install hello-world

Test that snapd works by running the hello-world snap.

hello-world

If that succeeds, install Certbot.

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

And now, let's get a certificate.

sudo certbot --apache

It will ask for your email, to agree to the Let's Encrypt terms of service, for your previously generated FQDN at freemyip.com, and to select a conf file, which will be 000-default.conf. Certbot stores the certificate and key under /etc/letsencrypt/live/my_domain_name.freemyip.com/ (fullchain.pem and privkey.pem), adds the SSL directives to the *:443 virtual host, and installs a timer that renews the certificate automatically before it expires; check that renewal works with sudo certbot renew --dry-run.

Final Test

You can use https://www.ssllabs.com/ssltest/analyze.html to get a test results report. Check that the certificate is reported as trusted, that it covers your FQDN, and that no protocol older than TLS 1.2 is offered.
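Besides the SSL Labs report, the certificate can be checked locally on the node, and the same check can be repeated from cron to catch a broken renewal before visitors see a warning. The script below is an added example, not code from the page, Certbot or Let's Encrypt; it needs the openssl command line tool (1.1.1 or newer for the -ext and -addext options) and uses the page's placeholder hostname. The self-signed certificate it generates for the offline demo is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the WLPS wiki page): local checks to run after
# `certbot --apache`, complementing the SSL Labs report. Needs the openssl
# command line tool (OpenSSL 1.1.1 or newer). Assumptions: the freemyip
# hostname from the page and, for the offline demo, a self-signed
# certificate this script generates itself.

# Does the certificate in PEM file $1 carry hostname $2 in its
# subjectAltName? Browsers ignore the CN, so this is the field that counts.
cert_has_san() {
    pem="$1"; host="$2"
    openssl x509 -noout -ext subjectAltName -in "$pem" 2>/dev/null \
        | tr ',' '\n' | grep -qx "[[:space:]]*DNS:$host"
}

# Is the certificate still valid for at least $2 more days? Let's Encrypt
# certificates last 90 days and Certbot renews with 30 days left, so a
# certificate with fewer than about 25 days left means renewal is broken.
cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null
}

# Combine both checks; prints a one-line verdict and returns 0 on success.
cert_check_file() {
    pem="$1"; host="$2"; days="${3:-25}"
    status=0
    cert_has_san "$pem" "$host" || { echo "FAIL: $host not in subjectAltName"; status=1; }
    cert_valid_for_days "$pem" "$days" || { echo "FAIL: expires within $days days"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $host certificate in $pem is valid for $days+ days"
    return "$status"
}

# Live check of the running server: fetch the leaf certificate the way a
# browser would (with SNI), print the negotiated protocol and the chain
# verification result, then run the same checks on the certificate.
# Usage: cert_check_remote my_domain_name.freemyip.com
cert_check_remote() {
    host="$1"; raw=$(mktemp); pem=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null >"$raw" 2>/dev/null
    grep -E 'Protocol  :|Verify return code' "$raw"
    # x509 reads the first PEM block out of the s_client transcript.
    openssl x509 -in "$raw" -outform PEM >"$pem" 2>/dev/null
    cert_check_file "$pem" "$host" && rc=0 || rc=1
    rm -f "$raw" "$pem"; return "$rc"
}

# Offline demo input (constructed): a throwaway self-signed certificate for
# the page's placeholder name, valid 90 days, with a matching SAN.
make_demo_cert() {
    out="$1"; key="$2"; host="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" -keyout "$key" -out "$out" 2>/dev/null
}
```

On the node, run cert_check_file against /etc/letsencrypt/live/my_domain_name.freemyip.com/fullchain.pem to check the installed file, and cert_check_remote against the public name to check what the router and Apache actually serve; a Verify return code other than 0 (ok) from the remote check means the chain is not trusted, which the SSL Labs report would also flag.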

That's it; now you can open your node website using your https address.

https://my_domain_name.freemyip.com/allmon3