notes 2021-01-13:
the firewall forwards ALL port 80 to a0 apache
apache only accepts and allows to
commands:
/home/phomlish/certbot/venv3/bin/certbot renew --dry-run
/home/phomlish/certbot/venv3/bin/certbot certonly --webroot -w /usr3/web/http -d homlish.net --dry-run
/home/phomlish/certbot/venv3/bin/certbot certonly --webroot -w /usr3/web/http -d matomo.homlish.net --dry-run
/home/phomlish/certbot/venv3/bin/certbot certonly --webroot -w /usr3/web/http -d matomo.homlish.net --dry-run
root@a0:/usr/local/apache2/conf# ls -1 /etc/letsencrypt/live/
homlish.net
images.homlish.net
joesfigtrees.com
madbuffaloproductions.com
matomo.homlish.net
mydelawaretv.com
mydetv.com
README
secure.homlish.net
root@a0:/usr/local/apache2/conf# cat /etc/letsencrypt/renewal/homlish.net.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/homlish.net
cert = /etc/letsencrypt/live/homlish.net/cert.pem
privkey = /etc/letsencrypt/live/homlish.net/privkey.pem
chain = /etc/letsencrypt/live/homlish.net/chain.pem
fullchain = /etc/letsencrypt/live/homlish.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 143fcb98d222c080f3639f5de51ee07a
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 4096
[[webroot_map]]
homlish.net = /usr3/web/http
mail.homlish.net = /usr3/web/http
www.homlish.net = /usr3/web/http
www.joesfigtrees.com = /usr3/web/http
blog.homlish.net = /usr3/web/http
mail.joesfigtrees.com = /usr3/web/http
joesfigtrees.com = /usr3/web/http
recipes.homlish.net = /usr3/web/http
pjhiii.homlish.net = /usr3/web/http
and this is all I needed:
root@a0:/usr/local/apache2/conf# cat httpd.conf.80
Listen 10.11.1.200:80
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
matomo is failing; here is its renewal conf:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/matomo.homlish.net
cert = /etc/letsencrypt/live/matomo.homlish.net/cert.pem
privkey = /etc/letsencrypt/live/matomo.homlish.net/privkey.pem
chain = /etc/letsencrypt/live/matomo.homlish.net/chain.pem
fullchain = /etc/letsencrypt/live/matomo.homlish.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 143fcb98d222c080f3639f5de51ee07a
rsa_key_size = 4096
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
[[webroot_map]]
matomo.homlish.net = /usr3/web/http
/home/phomlish/certbot/venv3/bin/certbot certonly --webroot -w /usr3/web/http -d matomo.homlish.net --dry-run
This works! 2021-01-13
fw:
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j DNAT --to 10.11.1.200:80
iptables -I FORWARD -p tcp -d 10.11.1.200 --dport 80 -j ACCEPT
a0 http.conf
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
root@a0:~# more /etc/letsencrypt/renewal/joesfigtrees.com.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/joesfigtrees.com
cert = /etc/letsencrypt/live/joesfigtrees.com/cert.pem
privkey = /etc/letsencrypt/live/joesfigtrees.com/privkey.pem
chain = /etc/letsencrypt/live/joesfigtrees.com/chain.pem
fullchain = /etc/letsencrypt/live/joesfigtrees.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 143fcb98d222c080f3639f5de51ee07a
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 4096
[[webroot_map]]
www.joesfigtrees.com = /usr3/web/http
joesfigtrees.com = /usr3/web/http
mail.joesfigtrees.com = /usr3/web/http
And again, google fails me with a bunch of idiotic half-baked ideas.
* to support Let's Encrypt we need to exclude one HTTP directory (the ACME challenge path) from the HTTPS redirect
Tried this with no joy (%{REQUEST_URI} starts with a leading slash, so a pattern anchored at ^.well-known never matches it):
RewriteEngine On
#RewriteRule ^content/ - [L]
RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^ https://%{SERVER_NAME}$1 [L,R=301]
This worked
RewriteEngine On
RewriteRule ^.well-known/ - [L]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1 [R=301,L]
CustomLog "logs/homlish.net" combinedvhost
But now what are those flags? (damn idiots from google search just say 'trust me')
Found a post that said no, we don't need those flags:
https://stackoverflow.com/questions/11621053/redirect-http-to-https-on-default-virtual-host-without-servername
These rules are intended to be used in .htaccess files, as a RewriteRule in a *:80 VirtualHost entry needs no Conditions.
RewriteEngine On
RewriteRule ^.well-known/ - [L]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
But then, looking harder at the Let's Encrypt part:
https://community.letsencrypt.org/t/alias-for-well-known-acme-challenge/44818/5
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}/$1
CustomLog "logs/homlish.net" combinedvhost
Let's Encrypt still scares me with the rate limits, so I didn't test that this works against production (the --dry-run runs above go to the staging environment, which does not count against the production rate limits). If it does not work I'll update this post next month. If this post is over a month old, take it as gospel.
Bonus points: testing OCSP stapling
echo QUIT | openssl s_client -connect www.homlish.net:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Jan 17 07:17:00 2018 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 04BD3E937EA4B277E13EA3FE4CFF3096BDD3
Cert Status: good
This Update: Jan 17 07:00:00 2018 GMT
Next Update: Jan 24 07:00:00 2018 GMT
We have turned on OCSP stapling for all our websites (note that mod_ssl also needs an SSLStaplingCache configured, otherwise SSLUseStapling has no effect):
SSLUseStapling on
and we'll hope for the best (like Let's Encrypt never again shutting down ALL their servers for maintenance at the same time).