- En esta guía explicamos cómo vamos a crear un certificado
Let's Encrypt en un servidor proxy reverso con apache2 y cómo se lo vamos a
pasar al servidor web1
Host: PROXY
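# PROXY: create the plain-HTTP vhost. The file name must match what a2ensite
# enables afterwards (XXX.siua.ac.cr -> XXX.siua.ac.cr.conf); the original
# had a stray fourth X, so a2ensite would not have found the file.
nano /etc/apache2/sites-available/XXX.siua.ac.cr.conf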
# PROXY: plain-HTTP vhost for the site. certbot's apache plugin (run further
# below) answers the HTTP-01 challenge through it and, since option 2
# (redirect) is chosen in the transcript, is expected to add the HTTP->HTTPS
# redirect to this vhost itself — which is why the redirect section is left
# empty here.
# NOTE(review): NameVirtualHost has no effect on Apache 2.4+ and only logs a
# warning at startup; harmless, but it can be dropped.
NameVirtualHost 181.193.87.6:80
<VirtualHost 181.193.87.6:80>
#************************************************************************
#***************** DATOS DEL SITIO WEB ********************************
#************************************************************************
ServerName XXX.siua.ac.cr
ServerAlias www.XXX.siua.ac.cr
# per-port log files (the :443 vhost gets its own "_443" pair later)
ErrorLog /var/log/apache2/XXX_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/XXX_80.siua.ac.cr-access.log common
#************************************************************************
#******************** DATOS DEL WEBMASTER *****************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
# "Header" is provided by mod_headers (a2enmod headers); without it Apache
# refuses to start with "Invalid command 'Header'".
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************************ DATOS DEL REDIRECCIONAMIENTO ****************
#************************************************************************
</VirtualHost>
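# enable the vhost and reload only if it was enabled and the configuration
# parses; the original ran the reload unconditionally.
a2ensite XXX.siua.ac.cr && apache2ctl configtest && systemctl reload apache2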
Host: DNS1 y Pfsense
- Creamos los dominios XXX.siua.ac.cr y www.XXX.siua.ac.cr para que apunten a 181.193.87.6 y 10.20.200.XXX
Host:PROXY
- Mandamos a generar el certificado
# PROXY: request the certificate. "--installer apache" makes certbot write
# the TLS vhost itself (the -le-ssl.conf file shown below); the authenticator
# is chosen interactively (option 1 = apache plugin). The challenge only
# succeeds if XXX.siua.ac.cr already resolves to this host from the
# Internet, which is what the DNS step above provides.
certbot --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: web1.siua.ac.cr
2: www.web1.siua.ac.cr
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Created an SSL vhost at /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Deploying Certificate for web1.siua.ac.cr to VirtualHost /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Deploying Certificate for www.web1.siua.ac.cr to VirtualHost /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- Ahora vamos a hacer el cambio para que las solicitudes :443 tengan su propio archivo de log
- Abrimos
# PROXY: edit the TLS vhost certbot just generated (see "Created an SSL vhost"
# in the transcript above)
nano /etc/apache2/sites-available/XXX.siua.ac.cr-le-ssl.conf
- Modificamos el archivo para que las solicitudes :443 tengan su propio log y agregamos la redirección al servidor interno. El archivo queda así:
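<IfModule mod_ssl.c>
# PROXY: TLS endpoint generated by certbot and then extended by hand with the
# reverse-proxy section; this is the vhost that holds the Let's Encrypt
# certificate.
<VirtualHost 181.193.87.6:443>
#************************************************************************
#***************** DATOS DEL SITIO WEB ********************************
#************************************************************************
ServerName XXX.siua.ac.cr
ServerAlias www.XXX.siua.ac.cr
# separate :443 logs so proxied HTTPS traffic is not mixed into the :80 log
ErrorLog /var/log/apache2/XXX_443.siua.ac.cr-error.log
# fixed: the file name had "Aquí" spliced into "access" (editing artefact)
CustomLog /var/log/apache2/XXX_443.siua.ac.cr-access.log common
#************************************************************************
#******************** DATOS DEL WEBMASTER *****************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
# "Header" requires mod_headers (a2enmod headers)
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#******************* DATOS DEL REDIRECCIONAMIENTO *********************
#************************************************************************
# pass the original Host header through so web1 can select its own vhost
# by name (its *:443 vhosts are name-based)
ProxyPreserveHost On
# reverse proxy only: never act as an open forward proxy
ProxyRequests off
# the hop to the backend is itself TLS (web1 listens on :443 with the copied
# certificate)
SSLProxyEngine on
# NOTE(review): nothing here verifies the backend certificate (no
# SSLProxyVerify / SSLProxyCACertificateFile), so the PROXY -> web1 hop is
# encrypted but the peer is not authenticated. Acceptable only while
# 10.20.200.15 sits on a trusted internal network — confirm.
ProxyPass / https://10.20.200.15/
ProxyPassReverse / https://10.20.200.15/
#************************************************************************
#******************** DATOS DEL CERTIFICADO ***************************
#************************************************************************
# certbot-managed protocol/cipher settings and the live/ symlinks, which
# always point at the most recently issued certificate
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/XXX.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/XXX.siua.ac.cr/privkey.pem
</VirtualHost>
</IfModule>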
# PROXY: pick up the edited -le-ssl.conf. ProxyPass / SSLProxyEngine need
# mod_proxy, mod_proxy_http and mod_ssl loaded (a2enmod); presumably already
# the case on an existing reverse proxy — run "apache2ctl configtest" first
# if unsure.
systemctl reload apache2
Host: Web1
- Creamos una carpeta dentro de /etc/apache2/certificados con el nombre del dominio «XXX.siua.ac.cr»
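# web1: directory that will receive the certificate and, more importantly,
# the private key copied from PROXY. -p makes the step idempotent and -m 700
# keeps the contents readable by root only (Apache reads the key as root).
mkdir -p -m 700 /etc/apache2/certificados/XXX.siua.ac.cr/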
- Ahora le damos permisos de escritura
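# The private key (privkey.pem) lands in this directory. The original
# "chmod 777 -R" made it world-readable and world-writable, i.e. any local
# user could read the TLS key or swap it out. Apache reads the key as root
# at startup, so root-only access is sufficient.
chown -R root:root /etc/apache2/certificados/XXX.siua.ac.cr/
chmod 700 /etc/apache2/certificados/XXX.siua.ac.cr/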
Host: PROXY
- Ahora vamos a copiar los certificados que se encuentran en el servidor PROXY al servidor XXX
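# PROXY -> web1 over SSH (port 44). These are single files, not a tree, so
# -r is not needed; scp follows the live/ symlinks and copies the current
# certificate. scp creates the remote copy with the remote umask, so the key
# is re-tightened to 600 right after the transfer.
scp -P 44 /etc/letsencrypt/live/XXX.siua.ac.cr/fullchain.pem root@10.20.200.15:/etc/apache2/certificados/XXX.siua.ac.cr/fullchain.pem
scp -P 44 /etc/letsencrypt/live/XXX.siua.ac.cr/privkey.pem root@10.20.200.15:/etc/apache2/certificados/XXX.siua.ac.cr/privkey.pem
ssh -p 44 root@10.20.200.15 'chmod 600 /etc/apache2/certificados/XXX.siua.ac.cr/privkey.pem'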
Host: web1
- Ahora vamos a hacer que todas las solicitudes :80 se dirijan a :443
- Creamos el archivo
# web1: create the plain-HTTP vhost (same file name as on PROXY)
nano /etc/apache2/sites-available/XXX.siua.ac.cr.conf
# web1: everything that arrives on :80 is bounced to HTTPS on the canonical
# name. Because RedirectMatch below matches every path, the DocumentRoot at
# the end is never actually served from this vhost.
<VirtualHost *:80>
#************************************************************************
#***************** DATOS DEL SITIO WEB ********************************
#************************************************************************
ServerName XXX.siua.ac.cr
ServerAlias www.XXX.siua.ac.cr
ErrorLog /var/log/apache2/XXX_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/XXX_80.siua.ac.cr-access.log common
#************************************************************************
#******************** DATOS DEL WEBMASTER *****************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
# "Header" requires mod_headers (a2enmod headers)
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************** DATOS DEL REDIRECCIONAMIENTO **********************
#************************************************************************
# permanent (301) redirect of every path, preserving the request path
RedirectMatch permanent ^/(.*) https://XXX.siua.ac.cr/$1
#************************************************************************
#************** DATOS DEL SITIO WEB **********************
#************************************************************************
DocumentRoot /var/www/html/Sitios/index_servidores
</VirtualHost>
# web1: enable the :80 vhost (a2ensite accepts the name with or without the
# .conf suffix; the PROXY step used the bare form)
a2ensite XXX.siua.ac.cr.conf
# certbot is never run on web1, so this file does not exist yet and nano
# creates it; the "-le-ssl" name just mirrors the file certbot generated on
# PROXY.
nano /etc/apache2/sites-available/XXX.siua.ac.cr-le-ssl.conf
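<IfModule mod_ssl.c>
#************************************************************************
#********************* HTTPS://WWW.WEB1.SIUA.AC.CR **********************
#************************************************************************
# First *:443 vhost in the file = Apache's default for any Host that matches
# no other vhost, so it also catches unknown names and bounces them to the
# canonical host.
<VirtualHost *:443>
# fixed: was "www.web1.ac.cr" (missing "siua"), which matched neither the
# heading above nor the www name the certificate was issued for.
ServerName www.web1.siua.ac.cr
RedirectMatch permanent ^/(.*) https://web1.siua.ac.cr/$1
#************************************************************************
#*************************** DATOS DEL CERTIFICADO **********************
#************************************************************************
SSLEngine on
# the files copied from PROXY with scp; privkey.pem must stay root-only
SSLCertificateFile /etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
</VirtualHost>
#************************************************************************
#************* HTTPS://WEB1.SIUA.AC.CR ***********************
#************************************************************************
<VirtualHost *:443>
#************************************************************************
#***************** DATOS DEL SITIO WEB ********************************
#************************************************************************
ServerName web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_443.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_443.siua.ac.cr-access.log common
#************************************************************************
#******************** DATOS DEL WEBMASTER *****************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
# "Header" requires mod_headers (a2enmod headers)
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************** DATOS DEL CERTIFICADO **********************
#************************************************************************
SSLEngine on
# NOTE(review): unlike the PROXY vhost there is no
# "Include /etc/letsencrypt/options-ssl-apache.conf" here (that file only
# exists where certbot ran), so protocol/cipher settings are whatever the
# distro's mod_ssl defaults are — confirm that is acceptable for this hop.
SSLCertificateFile /etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
#************************************************************************
#************** DATOS DEL SITIO WEB **********************
#************************************************************************
DocumentRoot /var/www/html/Sitios/index_servidores
</VirtualHost>
</IfModule>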
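# <IfModule mod_ssl.c> silently drops both :443 vhosts when mod_ssl is not
# loaded (web1 would then answer nothing on :443 and the proxy would return
# errors), and "Header add" fails config parsing without mod_headers. Both
# a2enmod calls are idempotent, so they are safe to run on a host that
# already has the modules.
a2enmod ssl headers
a2ensite web1.siua.ac.cr-le-ssl.conf
apache2ctl configtest && systemctl reload apache2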
Host: PROXY
- Ahora vamos a hacer que los certificados se renueven
- Abrimos el archivo
# PROXY: create the copy script; the scp lines that follow are its contents.
# Note that renewing itself is done by certbot — this script only pushes the
# renewed files to web1.
nano /root/ssh-renew.sh
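#!/usr/bin/env bash
# ssh-renew.sh — run on PROXY after Let's Encrypt renews the certificate:
# pushes the new chain and key to web1 and reloads Apache there so the
# renewed certificate is actually served. certbot does not run this file by
# itself; hook it in (e.g. place it in /etc/letsencrypt/renewal-hooks/deploy/
# or pass it with --deploy-hook) so it runs after every successful renewal.
set -euo pipefail

readonly src=/etc/letsencrypt/live/web1.siua.ac.cr
readonly dst=/etc/apache2/certificados/web1.siua.ac.cr
readonly host=root@10.20.200.15
readonly port=44

# single files, not a tree: -r is not needed (scp follows the live/ symlinks)
scp -P "$port" "$src/fullchain.pem" "$host:$dst/fullchain.pem"
scp -P "$port" "$src/privkey.pem"   "$host:$dst/privkey.pem"
# scp creates the copy with the remote umask; re-tighten the private key,
# then reload so web1 picks up the new files (a failed step aborts, set -e).
ssh -p "$port" "$host" "chmod 600 '$dst/privkey.pem' && systemctl reload apache2"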
COMANDOS
# show which certbot version is installed (the "Installed:" line of
# apt-cache policy)
apt-cache policy certbot | grep -i Installed