Commit cd3921d9 by root

Let's Encrypt-based SSL certificates with auto-renewal

parent ea00f493
......@@ -36,12 +36,16 @@ module.exports = {
* responses over https:// and/or use websockets over the wss:// protocol
* (recommended for HTTP, strongly encouraged for WebSockets)
*/
ssl: {
/* ssl: {
// ca: fs.readFileSync(path.join(__dirname, 'ssl', 'bundle.crt')),
key: fs.readFileSync(path.join(__dirname, 'ssl', 'key.key')),
cert: fs.readFileSync(path.join(__dirname, 'ssl', 'cert.crt')),
key: fs.readFileSync(path.join(__dirname, 'ssl', 'yottacode.com.key')),
cert: fs.readFileSync(path.join(__dirname, 'ssl', 'yottacode.com.crt')),
},
*/
ssl: {
key: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/cert.pem')
}
/**
* The `port` setting determines which TCP port your app will be
* deployed on.
......@@ -52,7 +56,7 @@ module.exports = {
* In env/production.js, you'll probably want to change this setting
* to 80 (http://) or 443 (https://) if you have an SSL certificate
*/
port: process.env.PORT || 1337,
port: process.env.PORT || 443,
/*
* The runtime "environment" of your Sails app is either typically
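Review bot: In the first hunk of this section the new `cert` entry reads `cert.pem`, which in a Let's Encrypt live directory is the leaf certificate alone, so clients that do not already hold the intermediate will fail chain validation; the commented-out block just above still shows the `ca:` slot that this replaces without a substitute. Node's TLS `cert` option accepts a PEM chain, so the smallest fix is `cert: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/fullchain.pem')` (alternatively keep `cert.pem` and add `ca: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/chain.pem')`). Both files are read once with `readFileSync` when the config loads, so the monthly `certonly` cron entry added in this commit's README renews the files on disk while the running process keeps serving the old certificate until it is restarted; the cron line should restart the app after a successful renewal, or the server needs a reload hook, otherwise "auto-renewal" ends in an expired certificate outage. The enclosing `module.exports` object starts and ends outside the hunk.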
......
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Para tener el servidor funcionando con certificados gratuitos de Let's encrypt los pasos son los siguientes:
```
$ cd
$ git clone https://github.com/letsencrypt/letsencrypt
$ sudo mkdir /etc/letsencrypt
$ sudo chown ubuntu:ubuntu /etc/letsencrypt
$ vim /etc/letsencrypt/cli.ini
```
Con el contenido siguiente:
```
authenticator = webroot
webroot-path = /home/ubuntu/pictogram/sails/src/assets/
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview
agree-tos
email = info@yottacode.com
```
Para permitir a letsencrypt verificar nuestro servidor, debemos facilitar la entrada por HTTP. Para ello instalamos nginx y lo configuramos para que redirija a HTTPS:
```
$ sudo apt-get install nginx
$ sudo vim /etc/nginx/site-enabled/default
```
Con el siguiente contenido:
```
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name _;
return 301 https://$host$request_uri;
}
```
Ahora relanzamos nginx y solicitamos el certificado
```
$ sudo service nginx reload
$ /home/ubuntu/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d dev.yottacode.com certonly
```
Ya tenemos nuestros certificados. Finalmente configuramos Sails para que apunte a ellos:
```
$ vim /home/ubuntu/pictogram/sails/src/config/local.js
```
Con el contenido para ssl:
```
ssl: {
key: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/cert.pem')
},
```
Ya podemos relanzar sails
```
$ cd /home/ubuntu/pictograms/sails/src
$ sudo forever stopall
$ sudo forever start app.js --debug
```
Y ahora configurar cron para que el certificado se renueve solito cada mes
```
$ sudo crontab -e
```
Añadimos la línea:
```
@monthly /home/ubuntu/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d dev.yottacode.com certonly
```
y voila!
\ No newline at end of file