Browse Source

add letsencrypt setup instructions

pull/39/head
Aaron Parecki 4 years ago
parent
commit
d8d11bef73
No known key found for this signature in database GPG Key ID: 276C2817346D6056
9 changed files with 120 additions and 0 deletions
  1. +119
    -0
      HTTPS-SETUP.md
  2. +1
    -0
      certbot/.gitignore
  3. BIN
      setup/appengine-add-new-certificate.png
  4. BIN
      setup/appengine-enable-cert.png
  5. BIN
      setup/appengine-project-settings.png
  6. BIN
      setup/challenge-form.png
  7. BIN
      setup/challenge-saved.png
  8. BIN
      setup/indieauth.com.png
  9. BIN
      setup/login.png

+ 119
- 0
HTTPS-SETUP.md View File

@ -0,0 +1,119 @@
# Configuring HTTPS for XRay
If you run XRay on AppEngine, you'll need to generate an SSL certificate and upload it to AppEngine.
XRay has a built-in tool for assisting in generating a Let's Encrypt certificate.
## Set the Allowed Users
You'll first need to configure which users are allowed to use the SSL configuration utility. In `config.production.php`, add a list of URLs for who should be allowed to sign in. XRay will use indieauth.com to sign users in.
```
public static $admins = [
'https://aaronparecki.com/'
];
```
## Deploy to App Engine and Sign In
Deploy the project to App Engine, then visit http://xray.p3k.io/cert (using your own domain you installed it on) to begin setup.
![login](setup/login.png)
Sign in using your domain name.
![indieauth.com](setup/indieauth.com.png)
XRay will verify that the user who signed in matches the allowed users in the config file. If you get an error, double check that you've entered your domain in the config file properly, including the proper https scheme and a trailing slash for root domains. e.g. `https://aaronparecki.com/`
Once you're signed in, you will see a form where you can enter the Certbot challenge.
![challenge](setup/challenge-form.png)
## Request a Certificate using Certbot
On your local computer, or some other server, install the Let's Encrypt Certbot utility.
Request a certificate using the manual mode. Run this command from the XRay project root so that your certificates will end up in the `certbot` folder in this project.
```
certbot -a manual certonly --config-dir certbot --work-dir certbot --logs-dir certbot -d xray.p3k.io
```
This will begin the request, and the client will pause and wait for you to enter the challenge on the website.
```
$ certbot -a manual certonly --config-dir certbot --work-dir certbot --logs-dir certbot -d xray.p3k.io
Saving debug log to /Users/aaronpk/Code/XRay/certbot/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xray.p3k.io
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://xray.p3k.io/.well-known/acme-challenge/{token} before continuing:
{challenge text here}
```
Copy the token and challenge from the console into the form on XRay, and click Save.
![challenge](setup/challenge-form.png)
![challenge-saved](setup/challenge-saved.png)
Now XRay has cached the token and challenge and will serve it from the `.well-known` URL for 10 minutes. You can verify this by clicking the "view challenge" link shown.
Back at the console, you can now press enter to continue.
```
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /Users/aaronpk/Code/XRay/certbot/keys/0001_key-certbot.pem
Creating CSR: /Users/aaronpk/Code/XRay/certbot/csr/0001_csr-certbot.pem
Non-standard path(s), might not work with crontab installed by your operating system package manager
```
Let's Encrypt will check the challenge URL and issue the certificate! The certificate will be saved to your computer at the path shown.
## Install the Certificate in App Engine
In App Engine, navigate to your project's settings, and click "SSL Certificates".
![appengine-settings](setup/appengine-project-settings.png)
Click "Upload a new certificate".
Let's Encrypt does not create an RSA private key, so you'll have to convert the private key it made into an RSA key.
```
$ openssl rsa -in certbot/live/xray.p3k.io/privkey.pem > certbot/live/xray.p3k.io/privkey-rsa.pem
```
Copy and paste the `privkey-rsa.pem` and `fullchain.pem` files into App Engine.
![appengine](setup/appengine-add-new-certificate.png)
Edit the certificate and enable it on the domain name.
![appengine-enable](setup/appengine-enable-cert.png)
## All Done!
You're all done! Now just don't forget what you did, because you'll need to do this all again in 3 months when the certificate expires!
Unfortunately App Engine does not yet have an API for programmatically uploading certificates. However there is [an outstanding bug](https://issuetracker.google.com/issues/35900034) to request this feature, so it will likely be supported soon. Once there is an API, then the whole certificate request process can be completely automated in code.
It will take a few minutes for App Engine to start serving the new certificate, so wait a little while if you get an SSL error.

+ 1
- 0
certbot/.gitignore View File

@ -0,0 +1 @@
*

BIN
setup/appengine-add-new-certificate.png View File

Before After
Width: 465  |  Height: 451  |  Size: 69 KiB

BIN
setup/appengine-enable-cert.png View File

Before After
Width: 436  |  Height: 363  |  Size: 31 KiB

BIN
setup/appengine-project-settings.png View File

Before After
Width: 823  |  Height: 197  |  Size: 24 KiB

BIN
setup/challenge-form.png View File

Before After
Width: 501  |  Height: 357  |  Size: 27 KiB

BIN
setup/challenge-saved.png View File

Before After
Width: 505  |  Height: 272  |  Size: 26 KiB

BIN
setup/indieauth.com.png View File

Before After
Width: 530  |  Height: 526  |  Size: 225 KiB

BIN
setup/login.png View File

Before After
Width: 509  |  Height: 257  |  Size: 17 KiB

Loading…
Cancel
Save