- In this guide we explain how to create a Let's Encrypt certificate on a reverse-proxy server running apache2 and then pass it on to the web1 server.
Host: PROXY
- Log in via ssh with the «root» user
ssh ugit@proxy.siua.ac.cr -p 44
- Create a virtual host to handle web1.siua.ac.cr and www.web1.siua.ac.cr
nano /etc/apache2/sites-available/web1.siua.ac.cr.conf
NameVirtualHost 181.193.87.6:80
<VirtualHost 181.193.87.6:80>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ServerAlias www.web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_80.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************************ REDIRECT DATA *******************************
#************************************************************************
</VirtualHost>
a2ensite web1.siua.ac.cr
systemctl reload apache2
- Request the certificate
certbot --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: web1.siua.ac.cr
2: www.web1.siua.ac.cr
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):interuniversitariadealajuela@gmail.com
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for soporte.siua.ac.cr
http-01 challenge for www.soporte.siua.ac.cr
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Deploying Certificate for web1.siua.ac.cr to VirtualHost /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Deploying Certificate for www.web1.siua.ac.cr to VirtualHost /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- Since we told it to send all :80 requests to :443, it modifies the file and adds:
NameVirtualHost 181.193.87.6:80
<VirtualHost 181.193.87.6:80>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ServerAlias www.web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_80.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************************ REDIRECT DATA *******************************
#************************************************************************
RewriteEngine on
RewriteCond %{SERVER_NAME} =web1.siua.ac.cr [OR]
RewriteCond %{SERVER_NAME} =www.web1.siua.ac.cr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
- It also creates a virtual host to serve the :443 requests, with the certificates
nano /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost 181.193.87.6:443>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ServerAlias www.web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_80.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#******************* REDIRECT DATA ************************************
#************************************************************************
ProxyPreserveHost On
ProxyRequests off
SSLProxyEngine on
ProxyPass / https://10.20.200.15/
ProxyPassReverse / https://10.20.200.15/
#************************************************************************
#******************** CERTIFICATE DATA ********************************
#************************************************************************
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web1.siua.ac.cr/privkey.pem
</VirtualHost>
</IfModule>
- Now we change things so that the :443 requests have their own log file
- Open
nano /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost 181.193.87.6:443>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ServerAlias www.web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_443.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_443.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#******************* REDIRECT DATA ************************************
#************************************************************************
ProxyPreserveHost On
ProxyRequests off
SSLProxyEngine on
ProxyPass / https://10.20.200.15/
ProxyPassReverse / https://10.20.200.15/
#************************************************************************
#******************** CERTIFICATE DATA ********************************
#************************************************************************
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web1.siua.ac.cr/privkey.pem
</VirtualHost>
</IfModule>
systemctl reload apache2
Host: Web1
- Create a folder to store the certificates of all the sites
mkdir /etc/apache2/certificados/
- And another one inside it to hold the certificates for this domain, «web1.siua.ac.cr»
mkdir /etc/apache2/certificados/web1.siua.ac.cr/
- Now give it write permissions
chmod 777 -R /etc/apache2/certificados/web1.siua.ac.cr/
- We will let the PROXY server connect to WEB1 with a passphrase-less trusted key as the root user; to do this
- Check that the root user has a password; if not, create one
passwd root
- Check that ssh login to the web1 server as root is enabled
- Open
nano /etc/ssh/sshd_config
- And check that we have this
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
service sshd restart
- And confirm that we can log in
ssh root@web1.siua.ac.cr -p 44
Host: PROXY
- Now create the trusted keys on the PROXY server
- Go into the folder
cd /root/.ssh/
IF KEYS NEED TO BE GENERATED
- Create the client keys WITH AN EMPTY PASSPHRASE
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:Eao0rOXn89R8pg3FjvPKsYUwBlAXaBxHBMZrHt06u78 root@proxy
The key's randomart image is:
+---[RSA 2048]----+
| .+=*B. |
| . o=+ . |
| =.oo.. |
| = o+..... |
| . oo..S. o |
| o..o= = |
| o .oO = |
| +.. % |
| ooEoo |
+----[SHA256]-----+
- Now we can list the files to see the keys
ls
id_rsa id_rsa.pub known_hosts
IF THERE ARE ALREADY KEYS
- Now publish our public key on the remote server
ssh-copy-id root@10.20.200.15 -p 44
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.20.200.11's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.20.200.11'"
and check to make sure that only the key(s) you wanted were added.
- We can test that we connect directly from PROXY to WEB1
ssh root@10.20.200.15 -p 44
- Now copy the certificates that are on the PROXY server to the Web1 server
scp -P 44 -r /etc/letsencrypt/live/web1.siua.ac.cr/fullchain.pem root@10.20.200.15:/etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
scp -P 44 -r /etc/letsencrypt/live/web1.siua.ac.cr/privkey.pem root@10.20.200.15:/etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
Host: web1
- Now make all :80 requests go to :443
- Open or create the file
nano /etc/apache2/sites-available/web1.siua.ac.cr.conf
<VirtualHost *:80>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ServerAlias www.web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_80.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_80.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************** REDIRECT DATA *****************************************
#************************************************************************
RedirectMatch permanent ^/(.*) https://web1.siua.ac.cr/$1
#************************************************************************
#************** WEBSITE DATA ******************************************
#************************************************************************
DocumentRoot /var/www/html/Sitios/index_servidores
</VirtualHost>
nano /etc/apache2/sites-available/web1.siua.ac.cr-le-ssl.conf
<IfModule mod_ssl.c>
#************************************************************************
#********************* HTTPS://WWW.WEB1.SIUA.AC.CR **********************
#************************************************************************
<VirtualHost *:443>
# The www name only redirects to the canonical host below
ServerName www.web1.siua.ac.cr
RedirectMatch permanent ^/(.*) https://web1.siua.ac.cr/$1
#************************************************************************
#*************************** CERTIFICATE DATA ***************************
#************************************************************************
SSLEngine on
SSLCertificateFile /etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
</VirtualHost>
#************************************************************************
#************* HTTPS://WEB1.SIUA.AC.CR **********************************
#************************************************************************
<VirtualHost *:443>
#************************************************************************
#***************** WEBSITE DATA ***************************************
#************************************************************************
ServerName web1.siua.ac.cr
ErrorLog /var/log/apache2/web1_443.siua.ac.cr-error.log
CustomLog /var/log/apache2/web1_443.siua.ac.cr-access.log common
#************************************************************************
#******************** WEBMASTER DATA **********************************
#************************************************************************
ServerAdmin interuniversitariadealajuela@gmail.com
Header add Author "Unidad de Gestion e Innovacion Tecnologica"
#************************************************************************
#************** CERTIFICATE DATA **************************************
#************************************************************************
SSLEngine on
SSLCertificateFile /etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
#************************************************************************
#************** WEBSITE DATA ******************************************
#************************************************************************
DocumentRoot /var/www/html/Sitios/index_servidores
</VirtualHost>
</IfModule>
a2ensite web1.siua.ac.cr-le-ssl.conf
systemctl reload apache2
Host: PROXY
- Now make the certificates renew automatically
- Open the file
nano /root/ssh-renew.sh
scp -P 44 -r /etc/letsencrypt/live/web1.siua.ac.cr/fullchain.pem root@10.20.200.15:/etc/apache2/certificados/web1.siua.ac.cr/fullchain.pem
scp -P 44 -r /etc/letsencrypt/live/web1.siua.ac.cr/privkey.pem root@10.20.200.15:/etc/apache2/certificados/web1.siua.ac.cr/privkey.pem
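As an added example (not the guide's own /root/ssh-renew.sh), here is the same copy step written as a certbot deploy hook, going a little beyond the two scp lines: it refuses to copy when the live directory is incomplete or the private key is readable by others, copies to temporary names, locks the key down on web1 and reloads apache only after a configuration test. It assumes GNU stat (Debian/Ubuntu) and the host, port and directory values used throughout the guide.

```shell
#!/bin/sh
# Added example, not the guide's own /root/ssh-renew.sh: a certbot deploy hook for the
# PROXY host. certbot runs it after each successful renewal and sets RENEWED_LINEAGE
# to the renewed live directory (e.g. /etc/letsencrypt/live/web1.siua.ac.cr).
# Assumed values (taken from the guide): web1 at 10.20.200.15, sshd on port 44,
# certificates kept under /etc/apache2/certificados/<domain>/ on web1.
set -eu

WEB1_HOST="${WEB1_HOST:-10.20.200.15}"
WEB1_PORT="${WEB1_PORT:-44}"
WEB1_DIR="${WEB1_DIR:-/etc/apache2/certificados}"

# Returns 0 when DIR holds both files certbot writes and privkey.pem is not
# readable by others; otherwise prints the reason and returns 1 so nothing is copied.
lineage_ok() {
    dir="$1"
    for f in fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # GNU stat; -L follows the live/ symlink into archive/. Octal mode must end in 0.
    case "$(stat -L -c %a "$dir/privkey.pem")" in
        *0) return 0 ;;
        *)  echo "$dir/privkey.pem is readable by others" >&2; return 1 ;;
    esac
}

# Copies the pair to web1 under temporary names, then swaps both files into place,
# sets the key to 0600 and reloads apache only if its configuration is valid.
deploy_to_web1() {
    dir="$1"
    dest="$WEB1_DIR/$(basename "$dir")"
    lineage_ok "$dir" || return 1
    scp -P "$WEB1_PORT" "$dir/fullchain.pem" "root@$WEB1_HOST:$dest/fullchain.pem.new"
    scp -P "$WEB1_PORT" "$dir/privkey.pem"   "root@$WEB1_HOST:$dest/privkey.pem.new"
    ssh -p "$WEB1_PORT" "root@$WEB1_HOST" "cd '$dest' \
        && chmod 644 fullchain.pem.new && chmod 600 privkey.pem.new \
        && mv fullchain.pem.new fullchain.pem && mv privkey.pem.new privkey.pem \
        && apachectl configtest && systemctl reload apache2"
}

# When invoked by certbot (certbot renew --deploy-hook /root/ssh-renew.sh) deploy the
# lineage it just renewed; when run by hand without that variable, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_web1 "$RENEWED_LINEAGE"
fi
```

Passing the script with `certbot renew --deploy-hook /root/ssh-renew.sh` (or placing it in /etc/letsencrypt/renewal-hooks/deploy/) makes certbot call it only when a certificate was actually renewed. On web1 it leaves privkey.pem at 0600, which the 777 mode set on the certificados directory earlier does not guarantee.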