# HTTPS

## Magic commands for Let's Encrypt

### To generate a certificate for builds.clementine-player.org
```sh
sudo ./letsencrypt-auto --agree-dev-preview \
    --server https://acme-v01.api.letsencrypt.org/directory \
    -d builds.clementine-player.org \
    -a webroot \
    --webroot-path /var/www/clementine-player.org/builds auth
```
This will put all the `.pem` files in `/etc/letsencrypt/live/builds.clementine-player.org`. Make sure they are symlinked in `/etc/apache2/ssl/builds.clementine-player.org`.

The certs are configured in the apache config with:

```
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/builds.clementine-player.org/cert.pem"
SSLCertificateChainFile "/etc/apache2/ssl/builds.clementine-player.org/chain.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/builds.clementine-player.org/privkey.pem"
```

This is the same for all of `{builds,buildbot,spotify}.clementine-player.org`.
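Once the symlinks are in place it is worth checking that Apache is actually going to serve the key and certificate you think it is. The script below is an added example and is not part of this wiki page or of the Clementine project: it confirms that each expected file under the Apache ssl directory is a symlink resolving into the letsencrypt live directory, that the private key's modulus matches the certificate's (a mismatch stops Apache from starting, or serves a cert it cannot complete a handshake for), and how many days remain before expiry. It assumes the `openssl` CLI and GNU coreutils (`readlink -e`, `date -d`); the 14-day warning threshold in `check_host` is an assumed value, not one from the page. The same `cert_matches_key` check can be run on the `rsa-privkey.pem` produced for AppEngine later on this page.

```shell
#!/bin/sh
# Added example (not from the Clementine wiki): post-issuance checks for a host
# whose certs live in /etc/letsencrypt/live/<host> and are symlinked into
# /etc/apache2/ssl/<host>. Assumes the openssl CLI and GNU coreutils.

# Return 0 if the RSA private key and the certificate share a modulus.
# Works on cert.pem or fullchain.pem (openssl reads the first cert in the file).
cert_matches_key() {
    cert="$1"; key="$2"
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Print the number of whole days until the certificate's notAfter.
# Let's Encrypt certs are valid for 90 days, so renew well before this reaches 0.
cert_days_left() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    # date -d is GNU date; on BSD/macOS use: date -j -f '%b %e %H:%M:%S %Y %Z' "$not_after" +%s
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Return 0 if every expected file in the Apache ssl dir is a symlink that
# resolves into the letsencrypt live dir for the same host.
links_ok() {
    host="$1"
    ssl_dir="${2:-/etc/apache2/ssl/$host}"
    live_dir="${3:-/etc/letsencrypt/live/$host}"
    live_real=$(readlink -e "$live_dir") || { echo "$live_dir missing" >&2; return 1; }
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -L "$ssl_dir/$f" ] || { echo "$ssl_dir/$f is not a symlink" >&2; return 1; }
        target=$(readlink -e "$ssl_dir/$f") || { echo "$ssl_dir/$f is dangling" >&2; return 1; }
        case "$target" in
            "$live_real"/*) ;;
            *) echo "$f resolves to $target, not into $live_dir" >&2; return 1 ;;
        esac
    done
}

# Full check for one host: symlinks, key/cert match, expiry (assumed 14-day warning).
check_host() {
    host="$1"
    ssl_dir="${2:-/etc/apache2/ssl/$host}"
    live_dir="${3:-/etc/letsencrypt/live/$host}"
    links_ok "$host" "$ssl_dir" "$live_dir" || return 1
    cert_matches_key "$ssl_dir/cert.pem" "$ssl_dir/privkey.pem" \
        || { echo "$host: privkey.pem does not match cert.pem" >&2; return 1; }
    days=$(cert_days_left "$ssl_dir/cert.pem")
    echo "$host: cert matches key, $days days until expiry"
    [ "$days" -gt 14 ] || { echo "$host: renew soon" >&2; return 1; }
}

# Usage: check_host builds.clementine-player.org
```

Run `check_host` for each of the three hosts after every renewal; it exits non-zero on the first problem it finds, so it can sit in a cron job or a deploy script.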
### data.clementine-player.org

`data.clementine-player.org` is hosted on AppEngine so the letsencrypt cert process won't work directly. The magic url (`/.well-known/acme-challenge/`) is redirected to `https://builds.clementine-player.org` so that the same process as above can be used with the command:

```sh
sudo ./letsencrypt-auto --agree-dev-preview \
    --server https://acme-v01.api.letsencrypt.org/directory \
    -d data.clementine-player.org \
    -a webroot \
    --webroot-path /var/www/clementine-player.org/builds auth
```
You then need to upload the generated certs to AppEngine. AppEngine expects the private key in a slightly different format though, so you first need to generate that:

```sh
sudo openssl rsa -in privkey.pem -check | sudo tee rsa-privkey.pem
```

Then you should upload `fullchain.pem` and `rsa-privkey.pem` on the developers console (you can just `cat` the files and paste the contents).
### SSL Configuration

The Apache SSL settings for better security (disabling RC4 & compression, etc.) are:

```
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
```
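A cipher string like the one above is only as good as what the server's OpenSSL expands it to, and that expansion changes between OpenSSL versions. The script below is an added example, not part of this wiki page or the Clementine project: it expands an `SSLCipherSuite` string with the local `openssl ciphers -v` and lists any suite that lacks forward secrecy (key exchange other than ephemeral (EC)DH) or uses RC4, DES/3DES, NULL encryption or an MD5 MAC. It assumes the `openssl` CLI on the machine is the same one Apache links against; the policy encoded in `weak_ciphers` is this example's, not Apache's.

```shell
#!/bin/sh
# Added example (not from the Clementine wiki): expand an Apache SSLCipherSuite
# string and flag suites that violate a forward-secrecy / no-broken-primitive
# policy. Assumes the openssl CLI is the one Apache is built against.

CIPHER_STRING='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

# One line per suite: name, protocol, Kx=..., Au=..., Enc=..., Mac=...
expand_ciphers() {
    openssl ciphers -v "${1:-$CIPHER_STRING}"
}

# Print the names of suites the policy rejects:
#  - key exchange that is not ephemeral ECDH or DH ("any" is how openssl
#    labels TLS 1.3 suites, which are always forward secret),
#  - RC4, DES/3DES or NULL encryption,
#  - MD5 as the MAC.
weak_ciphers() {
    expand_ciphers "$1" | awk '
        $3 !~ /^Kx=(ECDH|DH|any)$/ { print $1; next }
        $5 ~ /RC4|DES|NULL/        { print $1; next }
        $6 ~ /MD5/                 { print $1 }'
}

# Return 0 when the string expands only to suites the policy accepts,
# 1 (listing the offenders on stderr) otherwise.
ciphers_are_strong() {
    str="${1:-$CIPHER_STRING}"
    expand_ciphers "$str" >/dev/null 2>&1 \
        || { echo "openssl rejected cipher string: $str" >&2; return 1; }
    weak=$(weak_ciphers "$str")
    [ -z "$weak" ] && return 0
    echo "suites failing policy in '$str':" >&2
    echo "$weak" >&2
    return 1
}

# Usage: ciphers_are_strong && echo "cipher string OK"
```

The `AES256+EECDH:AES256+EDH` parts of the page's string deliberately admit CBC suites with SHA-1 MACs for older clients; the policy above allows those, since the page's stated goal is dropping RC4 and compression, not CBC.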