Commit 054e0566 authored by Aral Balkan's avatar Aral Balkan

Now configuring TLS using Let’s Encrypt (untested).

parent 01df942f
......@@ -16,6 +16,9 @@
#
# Usage:
#
# git clone git@source.ind.ie:blockdown/site-server-setup.git
# cd site-server-setup
#
# ./install
#
################################################################################
......@@ -144,6 +147,90 @@ sudo -u git chmod 600 /home/git/.ssh/id_rsa
#  * Generate actual cert for data.better.fyi and try again.
sudo -u git git clone --bare "${generatedSiteDataCloneURL}" /home/git/data.git
#
# Add the post-receive hook to the data repository so that it can clone
# the working copy and thus update the static content that is being served by nginx.
#
# Clear out the git hooks folder to remove noise.
sudo -u git rm /home/git/data.git/hooks/*
# And copy our hook over.
sudo -u git cp ./git/post-receive /home/git/data.git/hooks/
# Check out the working copy to be served by nginx.
sudo git clone /home/git/data.git /home/ubuntu/site
sudo -u git git clone /home/git/data.git /home/git/site
#
# Set up nginx
#
echo -e "Setting up nginx…"
# Install nginx
sudo apt-get update
sudo apt-get -y install nginx
echo -e " Creating the http & https site settings…"
# Copy over the setting templates.
sudo cp ./nginx/http.conf.template /etc/nginx/sites-available/http.conf
sudo cp ./nginx/https.conf.template /etc/nginx/sites-available/https.conf
# Carry out template substitutions.
sudo sed -i "s/{SERVER_NAMES}/${serverNames}/g" /etc/nginx/sites-available/http.conf
sudo sed -i "s/{SERVER_NAMES}/${serverNames}/g" /etc/nginx/sites-available/https.conf
#
# Configure TLS using Let’s Encrypt
#
# Based on instructions at:
# http://blog.thesparktree.com/post/138452017979/automating-ssl-certificates-using-nginx
#
echo -e "Configuring TLS using Let’s Encrypt"
echo " * Installing letsencrypt.sh dependencies (if necessary)…"
sudo apt-get install -y openssl curl sed grep mktemp git
echo " * Installing letsencrypt.sh…"
sudo git clone https://github.com/lukas2511/letsencrypt.sh.git /etc/letsencrypt
sudo chmod +x /etc/letsencrypt/letsencrypt.sh
echo " * Creating ACME challenges folder and symlinking it for nginx’s use…"
sudo mkdir -p /etc/letsencrypt/.acme-challenges
sudo mkdir -p /var/www/
sudo ln -s /etc/letsencrypt/.acme-challenges /var/www/letsencrypt
echo " * Writing out the server domains for the letsencrypt script…"
sudo bash -c "echo \"${serverNames}\" > /etc/letsencrypt/domains.txt"
echo " * Copying the letsencrypt.sh configuration file template…"
sudo cp ./config.sh.template /etc/letsencrypt/config.sh
sudo chmod +x /etc/letsencrypt/config.sh
echo " * Carrying out template substituions in letsencrypt.sh configuration file…"
sudo sed -i "s/{URL}/${letsEncryptServerURL}/g" /etc/letsencrypt/config.sh
sudo sed -i "s/{EMAIL}/${gitAccountEmail}/g" /etc/letsencrypt/config.sh
echo " * Stopping nginx service…"
sudo service nginx stop
echo " * Enabling the HTTP endpoint…"
sudo ln -s /etc/nginx/sites-available/http.conf /etc/nginx/sites-enabled/http.conf
echo " * Starting nginx service…"
sudo service nginx start
echo " * Generating the Let’s Encrypt certificates…"
sudo /etc/letsencrypt/letsencrypt.sh --cron
echo " * Enabling the HTTPS endpoint…"
sudo ln -s /etc/nginx/sites-available/https.conf /etc/nginx/sites-enabled/https.conf
echo " * Reloading the nginx service…"
sudo service nginx reload
echo " * Setting up automatic Let‘s Encrypt certificate renewals with weekly expiration checks…"
sudo cp ./letsencrypt/letsencrypt-auto-renew-certificate.sh /etc/cron.weekly/
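Review bot: The `{URL}` substitution at `sudo sed -i "s/{URL}/${letsEncryptServerURL}/g" /etc/letsencrypt/config.sh` uses `/` as the sed delimiter while the value it injects is a URL containing slashes (the template documents `https://acme-v01.api.letsencrypt.org/directory`), so sed rejects the expression and config.sh keeps the literal `{URL}`; use another delimiter, `sudo sed -i "s|{URL}|${letsEncryptServerURL}|g" /etc/letsencrypt/config.sh`, and note the `{SERVER_NAMES}` and `{EMAIL}` lines have the same exposure if those values ever contain `/` or `&`. Writing domains.txt via `sudo bash -c "echo \"${serverNames}\" > …"` interpolates the variable into a command string that a root shell then parses, so any quote, `$` or `;` in it is interpreted; `printf '%s\n' "${serverNames}" | sudo tee /etc/letsencrypt/domains.txt >/dev/null` writes the value verbatim. The letsencrypt.sh clone from GitHub is not pinned to a tag or commit and the checked-out code runs as root here and weekly from cron, so a later upstream change would execute unreviewed — check out a known release and verify it before use. No `set -e` is visible in this hunk, so a failure in any of these steps is not fatal and the script still enables the HTTPS endpoint; `serverNames` and the other substituted variables are defined earlier in the script, outside this hunk.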
#!/bin/bash
######################################
# letsencrypt.sh configuration file. #
######################################
#
# Live or Staging URL
# (Injected at runtime.)
#
# Live: https://acme-v01.api.letsencrypt.org/directory
# Staging: https://acme-staging.api.letsencrypt.org/directory
#
CA={URL}
#
# The contact email to use during registration.
# (Injected at runtime.)
#
CONTACT_EMAIL={EMAIL}
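Review bot: `CA={URL}` and `CONTACT_EMAIL={EMAIL}` are unquoted assignments, so after the installer's text substitution any whitespace or shell metacharacter in the injected value is word-split or interpreted when this file is read by the shell; write them as `CA="{URL}"` and `CONTACT_EMAIL="{EMAIL}"`. If the substitution is skipped or fails, the literal placeholder remains and is what gets used as the CA endpoint, so a check after the sed in the installer (for example `grep -q '{URL}' /etc/letsencrypt/config.sh && exit 1`) would make that failure visible instead of silent. The `#!/bin/bash` line suggests this file is sourced rather than executed, which would make the `chmod +x` the installer applies to it unnecessary — presumably that is how letsencrypt.sh loads config.sh; verify against its documentation.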
#!/bin/bash
# Attempt to renew the certificate and reload nginx
sudo /etc/letsencrypt/letsencrypt.sh --cron && service nginx reload
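Review bot: This script is installed into /etc/cron.weekly with its `.sh` suffix, and the Debian/Ubuntu `run-parts` that cron uses for those directories skips file names containing a dot unless invoked with `--lsbsysinit`, so the renewal hook would never run and the certificates would lapse after their validity period; install it as `/etc/cron.weekly/letsencrypt-auto-renew-certificate` (no extension) and confirm with `run-parts --test /etc/cron.weekly`. Jobs in cron.weekly already run as root, so the `sudo` prefix is redundant and should be dropped. With `&&` alone a failed renewal produces no diagnostic beyond whatever letsencrypt.sh prints, so consider `|| printf 'letsencrypt renewal failed\n' >&2` so that cron reports the failure rather than leaving expiry to be discovered by clients.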
......@@ -5,11 +5,11 @@ server {
listen 443;
server_name {SERVER_NAMES};
ssl on;
ssl_certificate /srv/letsencrypt/certs/better.fyi/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/certs/better.fyi/privkey.pem;
ssl_certificate /etc/letsencrypt/certs/better.fyi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/certs/better.fyi/privkey.pem;
# Serve the site from the git repository.
root /home/ubuntu/site/;
root /home/git/site/;
index index.html index.htm;
# Make site accessible from http://localhost/
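Review bot: The certificate paths are hard-coded to `/etc/letsencrypt/certs/better.fyi/…` while `server_name` is templated as `{SERVER_NAMES}`, so a deployment whose domains differ gets its certificate under another directory and nginx fails to load this vhost at reload; template the certificate domain as well, e.g. `ssl_certificate /etc/letsencrypt/certs/{CERT_DOMAIN}/fullchain.pem;` (placeholder name constructed here) with a matching substitution in the installer. The `root` now points at `/home/git/site/`, but the installer still clones a second working copy into `/home/ubuntu/site`, which appears to be unused after this change — worth removing or documenting. The block sets `ssl on;` but no `ssl_protocols` or `ssl_ciphers`, so the build's compiled-in defaults decide which protocol versions are accepted; set them explicitly so the accepted set is reviewable in this file. The server block continues outside the hunk.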