Let's encrypt based SSL certificates with auto-renewal

cd3921d9 · root · ea00f493 · cd3921d9 · ea00f493 · cd3921d9
Commit cd3921d9 authored Nov 15, 2016 by root
Showing with 93 additions and 21 deletions
sails/src/config/local.js~
sails/src/config/ssl/csr.pem
sails/src/config/ssl/letsencrypt.md
--- a/sails/src/config/local.js~
+++ b/sails/src/config/local.js~
@@ -36,12 +36,16 @@ module.exports = {
   * responses over https:// and/or use websockets over the wss:// protocol
   * (recommended for HTTP, strongly encouraged for WebSockets)
   */
-  ssl: {
+/*  ssl: {
    // ca: fs.readFileSync(path.join(__dirname, 'ssl', 'bundle.crt')),
-    key: fs.readFileSync(path.join(__dirname, 'ssl', 'key.key')),
-    cert: fs.readFileSync(path.join(__dirname, 'ssl', 'cert.crt')),
+    key: fs.readFileSync(path.join(__dirname, 'ssl', 'yottacode.com.key')),
+    cert: fs.readFileSync(path.join(__dirname, 'ssl', 'yottacode.com.crt')),
  },
-
+*/
+   ssl: {
+       key: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/privkey.pem'),
+       cert: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/cert.pem')
+   }
  /**
   * The `port` setting determines which TCP port your app will be
   * deployed on.
@@ -52,7 +56,7 @@ module.exports = {
   * In env/production.js, you'll probably want to change this setting
   * to 80 (http://) or 443 (https://) if you have an SSL certificate
   */
-  port: process.env.PORT || 1337,
+  port: process.env.PORT || 443,

  /*
   * The runtime "environment" of your Sails app is either typically

--- a/sails/src/config/ssl/csr.pem
+++ b/sails/src/config/ssl/csr.pem
-----BEGIN CERTIFICATE REQUEST-----
-MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAPkWZj6TTJQon1rupP1SUY8dQiSv3+1xByQAGYaf
-J9vZWfe6ZAy0ndFH26m0lc2S76BkQRfhWBTvWcsFhACWefSlGxpIiwxWdQOcF6cf
-WyFi9VBPUXvTPyd64hCd+9+XML/0hzU4BpzJsEbPyhOv7VZA2VCZ+GAP86b/MGCS
-s2QgWi7ZW0bTX0tO1WDC8JdHeaUXspwfJaqsw25SiDsNfWQmAZOa5F9I0vl4GCku
-ivy16Cn/1XnpBw9M9DH18H1ENDFkOnUJYa8NU/t9lJJqNapDZ3zTLIlNd28nl3LP
-HfbPGhq7qMAYmtiYt6rxHRBazL1OEFf2xb9DIVVlIKQXf/cCAwEAAaAAMA0GCSqG
-SIb3DQEBCwUAA4IBAQArBhbVjPadSIWK9yGO7oca2TT+ZMp2kw4OY7+NHj+4NUFk
-CKe2ZOAdvKM9wqY5P4QHux1WnqzEtga78ykaJofHeB/EFFqMkun5ETFbd/wIGKMy
-WdB/vNNbsv5Hf2/ezGiw1HUsCGp2P/JTDO9+a5O3ioFhp4tvfJ7TBfdzD5eq7Xlq
-DAHXPimbtnqiGGBf6efefG/Rl4cvvLyH5k/mUj00/stx3rjVayvedzOL8W4oRoxJ
-SQEaqlp/MtPLXBuG0RkZsJloon+aZfcR3WE4iG2BVQe7Dqtdto+mRa9e1ba0ZUQK
-Fq1iIGvsp9YIHCS3NXeJBeIllYkFK2hI7o6hALPf
-----END CERTIFICATE REQUEST-----
--- a/sails/src/config/ssl/letsencrypt.md
+++ b/sails/src/config/ssl/letsencrypt.md
+Para tener el servidor funcionando con certificados gratuitos de Let's encrypt los pasos son los siguientes:
+
+```
+$ cd
+$ git clone https://github.com/letsencrypt/letsencrypt
+$ sudo mkdir /etc/letsencrypt
+$ sudo chown ubuntu:ubuntu /etc/letsencrypt
+$ vim /etc/letsencrypt/cli.ini
+```
+
+Con el contenido siguiente:
+
+```
+authenticator = webroot
+webroot-path = /home/ubuntu/pictogram/sails/src/assets/
+server = https://acme-v01.api.letsencrypt.org/directory
+renew-by-default
+agree-dev-preview
+agree-tos
+email = info@yottacode.com
+```
+
+Para permitir a letsencrypt verificar nuestro servidor, debemos facilitar la entrada por HTTP. Para ello instalamos nginx y lo configuramos para que redirija a HTTPS:
+
+```
+$ sudo apt-get install nginx
+$ sudo vim /etc/nginx/site-enabled/default
+```
+
+Con el siguiente contenido:
+
+```
+server {                         
+        listen 80 default_server;
+        listen [::]:80 default_server ipv6only=on;
+        server_name _;                       
+        return 301 https://$host$request_uri;
+}  
+```
+
+Ahora relanzamos nginx y solicitamos el certificado
+
+```
+$ sudo service nginx reload
+$ /home/ubuntu/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d dev.yottacode.com certonly
+```
+
+Ya tenemos nuestros certificados. Finalmente configuramos Sails para que apunte a ellos:
+
+```
+$ vim /home/ubuntu/pictogram/sails/src/config/local.js
+```
+
+Con el contenido para ssl:
+
+```
+   ssl: {
+       key: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/privkey.pem'),
+       cert: fs.readFileSync('/etc/letsencrypt/live/dev.yottacode.com/cert.pem')   
+   },    
+```
+
+Ya podemos relanzar sails
+
+```
+$ cd /home/ubuntu/pictograms/sails/src
+$ sudo forever stopall
+$ sudo forever start app.js --debug
+```
+
+Y ahora configurar cron para que el certificado se renueve solito cada mes
+
+```
+$ sudo crontab -e
+```
+
+Añadimos la línea:
+
+```
+@monthly /home/ubuntu/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d dev.yottacode.com certonly
+```
+
+y voila!
\ No newline at end of file