FULL_INSTALL.rst

File metadata and controls

164 lines (118 loc) · 5.47 KB

Full server setup

This document describes how to set up a server running HAProxy with certbot and the certbot-haproxy plugin. The installation below assumes you are running Debian Jessie but it should be almost entirely the same process on Ubuntu.

First add the backports repo for Jessie to your apt sources.

Note

This will not work for Ubuntu; you will need to use another source. Check which certbot version ships with your version of Ubuntu: if it is below 0.8, you need to find a backport PPA or install certbot from source.

echo "deb http://ftp.debian.org/debian jessie-backports main" >> \
    /etc/apt/sources.list.d/jessie-backports.list

Now update, upgrade and install some requirements:

  • Some utilities: sudo tcpdump ufw git curl wget
  • OpenSSL and CA certificates: openssl ca-certificates
  • Build dependencies: build-essential libffi-dev libssl-dev python-dev
  • Python and related: python python-setuptools
  • HAProxy: haproxy
  • Python dependency management: pip

apt-get update
apt-get upgrade -y
apt-get install -y \
    sudo tcpdump ufw git curl wget \
    openssl ca-certificates \
    build-essential libffi-dev libssl-dev python-dev \
    python python-setuptools \
    haproxy

easy_install pip
pip install --upgrade setuptools

We also installed a simple firewall (ufw) above, but it is not yet configured; let's do that now:

ufw allow ssh
ufw allow http
ufw allow https
ufw default deny incoming
ufw --force enable

Warning

You probably want a little more protection for a production proxy than just this simple firewall, but it's out of the scope of this readme.

Now that we have all dependencies, it's time to start a process that may take quite some time to complete. HAProxy comes with a DH parameters file that is considered weak. We need to generate a new dhparams.pem file with a prime of at least 2048 bits; you can also opt for 3072 or 4096. This can take hours on lower specification hardware, and still takes minutes on faster hardware, especially with 4096 bit primes. Run it in a separate SSH session, or use screen or tmux, so it can run in the background.

mkdir -p /opt/certbot  # openssl does not create the directory; it becomes the certbot user's home below
openssl dhparam -out /opt/certbot/dhparams.pem 2048

Now set a hostname.

echo "[INSERT YOUR HOSTNAME HERE]" > /etc/hostname
hostname -F /etc/hostname

Run as unprivileged user

If you want to run Certbot in an unprivileged mode, keep reading, otherwise, skip to the installation of Certbot.

Certbot normally requires access to the /etc/ directory, which is owned by root, so Certbot normally needs to run as root. However, we don't like processes running as root, especially when they open ports on a public network interface.

In order to let Certbot run as an unprivileged user, we will:

  • Create a certbot user with a home directory on the system so the automatic renewal of certificates can be run by this user.
  • Tell Certbot that the working directories are located in certbot's home directory.
  • Optionally: add your own user account to the Certbot user's group so you can run Certbot manually.
  • Allow HAProxy to access the certificates that are generated by Certbot.
  • Allow the certbot user to restart the HAProxy server.

Lastly, to do automatic renewal of certificates, we will create a systemd timer and a service that starts at every boot and every 12 hours, at a random time of the day, in order to not collectively DDoS Let's Encrypt's service.

useradd -s /bin/bash -m -d /opt/certbot certbot
usermod -a -G certbot haproxy  # Allow HAProxy access to the certbot certs
mkdir -p /opt/certbot/logs
mkdir -p /opt/certbot/config
mkdir -p /opt/certbot/.config/letsencrypt
# The directories above (and dhparams.pem) were created by root; hand them to the certbot user
chown -R certbot:certbot /opt/certbot

If you need to use Certbot from your own user account, or if a daemon running on your proxy server configures domains on the proxy (e.g. in a web hosting environment), you can add those users to the certbot group.

usermod -a -G certbot [ADD YOUR USER HERE]

You will also need to tell your user what the working directory of your Certbot setup is (/opt/certbot/). Certbot reads default settings from a configuration file in the user's home directory, /opt/certbot/.config/letsencrypt/cli.ini. Besides the working directory, it also sets the logs and config directories:

mkdir -p /opt/certbot/.config/letsencrypt
cat <<EOF > /opt/certbot/.config/letsencrypt/cli.ini
work-dir=/opt/certbot/
logs-dir=/opt/certbot/logs/
config-dir=/opt/certbot/config
EOF

Next time you run Certbot, it will use our new working directory.

Now to allow the certbot user to restart HAProxy, put the following in the sudoers file:

cat <<EOF >> /etc/sudoers
%certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
EOF
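The unprivileged setup above wrapped in shell functions with a check at the end, as an added example (not code from the certbot-haproxy project). It assumes the guide's layout (certbot's home is /opt/certbot, HAProxy is restarted with systemctl restart haproxy) and writes the sudo rule to a sudoers.d drop-in rather than appending to /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the certbot-haproxy project): builds the files the
# steps above create and checks the result. Assumes the guide's layout: the
# certbot user's home is /opt/certbot and HAProxy is restarted with
# "systemctl restart haproxy". Paths are parameters so it can be tried in a
# staging directory first.
set -e

# Write cli.ini under $1 (certbot's home) pointing at the three directories.
write_cli_ini() {
    home="$1"
    mkdir -p "$home/.config/letsencrypt" "$home/logs" "$home/config"
    cat > "$home/.config/letsencrypt/cli.ini" <<EOF
work-dir=$home/
logs-dir=$home/logs/
config-dir=$home/config
EOF
}

# Write the sudo rule to a drop-in file $1 (e.g. /etc/sudoers.d/certbot-haproxy)
# instead of appending to /etc/sudoers: a typo there breaks sudo for everyone.
# When run as root, the file is refused unless visudo accepts its syntax.
write_sudoers_dropin() {
    out="$1"
    printf '%%certbot ALL=NOPASSWD: /bin/systemctl restart haproxy\n' > "$out"
    chmod 0440 "$out"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$out" >/dev/null || { rm -f "$out"; return 1; }
    fi
}

# Succeed only if every directory Certbot needs exists, is owned by $2, and
# cli.ini points at them; print the first problem found, or "ok".
check_setup() {
    home="$1"; owner="$2"
    for d in "$home" "$home/logs" "$home/config" "$home/.config/letsencrypt"; do
        [ -d "$d" ] || { echo "missing: $d"; return 1; }
        find "$d" -prune -user "$owner" | grep -q . \
            || { echo "not owned by $owner: $d"; return 1; }
    done
    ini="$home/.config/letsencrypt/cli.ini"
    [ -f "$ini" ] || { echo "missing: $ini"; return 1; }
    for key in work-dir logs-dir config-dir; do
        grep -q "^$key=$home" "$ini" || { echo "$ini lacks $key"; return 1; }
    done
    echo ok
}
```

On the host, as root, run write_cli_ini /opt/certbot, then chown -R certbot:certbot /opt/certbot, write_sudoers_dropin /etc/sudoers.d/certbot-haproxy and check_setup /opt/certbot certbot. Certbot only reads that cli.ini when it runs as the certbot user; from another account in the certbot group pass it explicitly with --config /opt/certbot/.config/letsencrypt/cli.ini.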

Installing certbot-haproxy

We still haven't done one essential thing: install certbot-haproxy itself. Since our plugin is in an alpha stage, we did not package it yet. You will need to get it from our GitLab server.

git clone https://code.greenhost.net/open/certbot-haproxy.git
cd ./certbot-haproxy/
sudo pip install ./

Continue reading /README.rst after the quick installation instructions, at :ref:`haproxy_config`.