Differences

cloudappliance/applinstallv1906 [2019_11_05 00:14] – [Introduction] stevencloudappliance/applinstallv1906 [2019_11_08 00:37] – [Let's Encrypt SSL Certificates] steven
Line 64: Line 64:
 Then don’t forget to also create an A record in your DNS system for all 3 hostnames on this screen. Then don’t forget to also create an A record in your DNS system for all 3 hostnames on this screen.
  
-Follow the instructions on the webpages for IP Address, Domain name and SSL certificate. And when you are satisfied, follow the prompts to reboot the machine.+Follow the instructions on the webpages for IP Address, Domain name and SSL certificate. (You can also create an SSL certificate through Let's Encrypt following the instructions below.) When you are satisfied, follow the prompts to reboot the machine.
  
 You can rerun the smeconfigserver at any time to go back and modify, or correct any information in your setup. i.e. you can go back and place a new certificate here at any time. You can rerun the smeconfigserver at any time to go back and modify, or correct any information in your setup. i.e. you can go back and place a new certificate here at any time.
 +
 +
 +## Let's Encrypt SSL Certificates 
 +
 +This section creates and configures SSL certificates from Let's Encrypt. If you are using your own certificates (or a different service) you can use the smeconfigserver above to add certificates.
 +
 +Elevate to the root user by typing the following command and entering the root password when prompted.
 +
 +    su -
 +
 +Note: The appliance will be inaccessible during the request which may be up to a minute.
 +
 +Run the following command:
 +
 +    certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" 
 +
 +This command will prompt for an email address.  It’s important to give this information so that an admin can be notified in the future if there are issues automatically renewing the certificate.
 +
 +Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.
 +
 +Certbot will automatically detect what FQDNs are setup for the Enterprise File Fabric and prompt for which should be included in the certificate.
 +
 +    Which names would you like to activate HTTPS for?
 +    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +    1: files.example.com
 +    2: files-s3.example.com
 +    3: files-webdav.example.com
 +    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +    Select the appropriate numbers separated by commas and/or spaces, or leave input 
 +    blank to select all options shown (Enter 'c' to cancel): 1,2,3
 +
 +Lastly, Certbot will prompt to disable all HTTP access.  Please select option 1 as the File Fabric already has HTTP to HTTPS redirection options configured.
 +
 +    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 +    -------------------------------------------------------------------------------
 +    1: No redirect - Make no further changes to the webserver configuration.
 +    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 +    new sites, or if you're confident your site works on HTTPS. You can undo this
 +    change by editing your web server's configuration.
 +    -------------------------------------------------------------------------------
 +    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
 +
 +After successful completion, the Enterprise File Fabric will automatically start using the new certificates.  These certificates will last for 90 days, so the final step is to setup automated renewal.
 +
 +### Automatically renewing the certificate
 +
 +A Let’s Encrypt certificate is valid for 90 days, and can be automatically renewed within 30 days of expiration. A simple cron job will run daily and handle renewals.
 +
 +Please Note: The File Fabric will be inaccessible during the renewal. Please ensure that the renewal time is during off hours. Downtime will only occur every 60 days when a renewal is required and may last up to one minute.
 +
 +While still logged in as root run the following command to add a cron job.
 +
 +    crontab -e
 +
 +In the example below the renewal attempt will process at 2:30AM in the timezone of the Enterprise File Fabric. The Enterprise File Fabric ships by default with the timezone set to UTC time. Please adjust this timezone as necessary.
 +
 +    30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log
 +
 +This will create a crontab entry for a cron job that will handle the renewals and write its output to a log file.
 +
 +Use https://www.ssllabs.com/ to test the installation.
  
 # Part II - Configure Appliance and create the first organization # Part II - Configure Appliance and create the first organization
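Review bot: the renewal crontab entry near the end of the hunk (`30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log`) redirects only stdout, so the failures an operator most needs to see later (a challenge that fails because port 80 could not be bound, a blocked outbound connection to the CA) go to cron mail rather than to the log file the text tells the reader to rely on; append `2>&1` so both streams land in `le-renew.log`. The section also has no verification step between installing the cron job and walking away: a single `certbot renew --dry-run` from the root shell the reader is already in exercises the saved standalone authenticator, apache installer and pre/post hooks against the staging environment without replacing the live certificate, and is the natural check to add right after the crontab line (note that it stops httpd briefly too, since the saved pre-hook runs). Two smaller points in the same hunk: the sentence "Certbot will prompt to disable all HTTP access. Please select option 1" reads as if option 1 disables HTTP access, while the quoted prompt shows option 1 is "No redirect" and option 2 is the one that removes HTTP access, so it should say the prompt asks whether to redirect HTTP to HTTPS and that option 1 leaves the web server configuration unchanged; and "the final step is to setup automated renewal" should read "set up".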