
SSL made easy


MikeB111


pctravel

I was under the impression that my current setup makes it very difficult for me to add SSL for Emby because I already have a domain pointing to my Nextcloud server on SSL and port 443 forwarded to that jail (FreeNAS 11.3 server). Reading these directions, provided that I have a separate domain to point to Emby and follow these instructions, will there be no conflict with the port forwarding for 443 already in place? I only need to forward 8920?

 

I've been researching VPNs and other ways to point to one WAN address, but they all seem a bit over my head. These instructions, though, I can follow; do I have to be concerned with my Nextcloud? I don't want to crash my cloud; it's working perfectly along with auto renewal of the certs.

 

Appreciate the feedback.


BAlGaInTl


 

The best option for doing this is to use the secure standard port 443 for everything, but then use a reverse proxy on your server to direct traffic as needed.

 

I do this using a docker container that makes things pretty easy.  It has a web GUI that I configure everything in.

 

I have about 4 applications on different domains pointing to my server.  The proxy then directs the traffic to the correct instance on my home network.


pctravel


Well, that sounds like a quarantine project. Great, but it sounds like I would no longer forward port 443 to my Nextcloud jail IP but forward it to this reverse proxy. Is this set up as another jail in FreeNAS? I can follow guides, but I am not a network engineer. I didn't see any existing plugin included in FreeNAS 11.3 currently. I did find the below article. I'm unfamiliar with what a Docker container is, but if that does make it easy I probably need that route. Sorry to hit you back with what may be very basic questions.

 

HOW TO SET UP AN NGINX REVERSE PROXY WITH SSL TERMINATION IN FREENAS


BAlGaInTl


 

I'm using Nginx Proxy Manager.  It's a fairly simple docker container that allows you to use a web GUI to set everything up.  

 

Basically, my setup looks like this:

 

domains (multiple) -> Cloudflare -> WAN (home) IP -> Router ports 80/443 -> Nginx Proxy Manager -> Servers (containers) on my home network

 

Nginx Proxy Manager can handle SSL through Let's Encrypt or can use certificates that you supply.  I use my certs from Cloudflare for various reasons.

 

I'm using Unraid with Docker.

 

I'm not sure if there is a FreeNAS jail for the Nginx Proxy Manager, but the same should be possible even without it.  It may just require a bit more work to set up the reverse proxy.


pctravel

I will follow the instructions to set up Nginx on FreeNAS and see how that goes. Thanks for the input.


BAlGaInTl


 

This is one of the reasons that I chose Unraid over FreeNAS.  

 

Nothing against FreeNAS, but there are a lot more "easy" options available to a standard Linux/Docker config like Unraid or OMV/Docker.

 

I did a quick search, and couldn't find any GUI option for Nginx reverse proxy on FreeNAS.  It can still be done, it will just involve the command line and manual configuration.

 

I'm quite proud of the fact that I can create/manage my entire system without ever touching the command line.  :)


pctravel

Will the reverse proxy create issues with my SSL renewal in Nextcloud, or should that function normally? OK, it seems that if I let the individual server level manage the certs, my Nextcloud server should work the same.


BAlGaInTl


 

I'm pretty sure there are multiple ways to have that function.  It can be handled by Nextcloud like it is now, or it can be centralized to manage multiple domains.

 

That's one big positive of Cloudflare.  They give you a multi-year cert that doesn't have to be renewed every 90 days.  


pwhodges


 

I prefer to let the proxy (Caddy in my case) handle all the certificates.  Using Caddy and Let's Encrypt this is entirely automatic, and the renewal period of the certs is of no interest.  The proxy then talks to each server using http, so they don't need to have https configured any more.

 

Paul


BAlGaInTl


 

This is my preferred setup as well.

 

Regardless of what proxy/cert you use to get the job done.

 

ETA:

 

Why not Cloudflare rather than Let's Encrypt?

 

I use some of the basic (free) protections of cloudflare as well.


BAlGaInTl


 

Also... to stay on topic...

 

Is there a premade jail for Caddy on FreeNAS?

 

I looked for Nginx, Caddy, and HAProxy and didn't find any of them pre-configured.  I don't know what else is out there.


  • 1 month later...
jachin99

I'm thinking about purchasing a cert that will be good for at least a year. I'm looking at a Comodo cert right now, but I want to make sure I can essentially follow the same instructions to verify the domain. Will the ZeroSSL client work with a purchased cert? Can I use the same script to generate my pfx file? Thanks.


tekfranz

So I accidentally let my Comodo certificate expire.
Wow, it is quite the acrobatics to get the files the certificate issuer sends you into the correct format of .PFX.

I think I spent three hours looking for a .key file that all the tutorials said I should have to convert to PFX. I thought the .key would download with the certificate. Then I found out you generate the key when you generate the CSR. I didn't realize it was important to make a .key since I generated my CSR on the web and it was all text-based copy and paste for the CSR. Fortunately I found the text of the key that had saved as .rtf and created my own plain text file (rich text did not work, obviously) and saved it with the suffix of .key.

It would have been so nice if somewhere the SSL cert issuer would have said: hang on to your private key when you generate the CSR and rename it to .key.

So many tools, file types and so many options, most of them rather complex to do something that seems rather simple i.e. verify and encrypt a connection.

I am wondering about trying ZeroSSL next year since they seem to have made the process the simplest.

I do realize leaving the key creation and cert creation with the user conveys a level of privacy, but it really seems like both good and bad actors could make an SSL Cert if they wanted, so some simplification of the Process would be nice by the certificate issuers.

It would be nice if the cert generation and renewal was a part of Emby.


jachin99

Where did you get your Comodo cert from, and about how much was it? I think I'm about to do the same, but I want to try using ZeroSSL, so if you're willing to provide a little help then I might be able to figure some of this out for you.


tekfranz

I got the Comodo certificate from Namecheap. They have them from $4.99 to $7.99 a year. I think the actual certificate authority is Sectigo, but they seem legitimate.

Since ZeroSSL is free, I could run through the process if it is any help to you and we can compare notes. One downside to these free ones is that they need to renew every 90 days.

 


jachin99

What I'm really not sure about is whether or not I can apply the same process in this thread to a cert that didn't come from Let's Encrypt. I know I don't want to renew every 90 days, which is why I decided to purchase a cert. At this point I'm not sure which parts of the script in post one I'll need to validate my purchased cert and generate my key files, my pfx cert, etc.


jachin99

I grabbed a cert, and after peeking through the Namecheap help pages I'm wondering if I can sign it with my existing keys that were generated when I first created my free LE cert using this command?

@echo off
le64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains "yourdomain.net" --generate-missing --handle-as dns --export-pfx "yourpasswordhere" --live
pause

If not, what could I use to generate a new key pair and sign the cert? As I said above, I'm trying to stick with ZeroSSL because I have used it once before, but I'm open to another client. From the help page, the Namecheap help section links to here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117So. It looks like I can use any ACME client.


tekfranz

I would expect that if you generated the CSR at the same time as you generated the key, they should match each other. I am thinking the CSR and the key have to match each other somehow.
 

Here is the tool I used to generate both my CSR and Key file.
https://decoder.link/csr_generator

You have to paste the text generated into a plain text file and rename it with an extension of .key 

But I really think the CSR and key need to match each other so I expect they have to both be generated the same way at the same time using the same tool.

....except ZeroSSL allows you to enter a previously generated CSR. It seems like if you want to re-use the original CSR you also need to have the original key on hand.

Also found this https://info.ssl.com/faq-what-is-a-private-key/. I think I am getting this now...you keep the private key and bundle it with the certificate and place that on your Emby Server. The Certificate with only the Public Key is also distributed throughout the web and when a user connects to your Emby Server It does some math with your Private Key on the Server and the Public Key on the internet and authorizes the connection.

 

 

 


jachin99

Alright, I'm pretty sure I validated my cert. I think the last step would be to somehow convert my .crt file to a pfx file for Emby. How did you go about doing that? I have five files from Namecheap so far: a Certificate.key file, a csr.key file, a PrivateKey.key file (I used the plain text entries generated from that generator link above to create these), and finally a us.ca-bundle file and a us.crt file. Can I generate a pfx file from any of the above? Thanks.


tekfranz

This appears to have worked for me. I used the Namecheap tool: https://decoder.link/converter. You can see which file I put in each location in the tool for reference. I used the PEM to PKCS #12 format. It also appears that a password is required for the PFX with this tool.

 

[Screenshot: Screen Shot 2020-06-29 at 7.56.44 PM.png]

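The key-matching check and the PEM to PKCS#12 conversion discussed in the last few posts, written here as an added example rather than code from the thread or from Emby. It uses the openssl command line instead of a web converter, so the private key never has to be pasted into someone else's site; the file names follow the ones named above (PrivateKey.key, us.crt, us.ca-bundle) and the output name emby.pfx is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): match a private key to its certificate,
# bundle key + certificate + CA chain into a PKCS#12 (.pfx) for Emby, check the
# result, and test how long the certificate stays valid. Requires openssl.
# Assumed names: PrivateKey.key, us.crt, us.ca-bundle (as in the thread), emby.pfx.

# SHA-256 of the public key inside a certificate ("cert") or private key ("key").
# Comparing these proves the pair belongs together without printing key material.
pubkey_fingerprint() {
    case $1 in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout)        || return 1 ;;
        *)    return 1 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    key_fp=$(pubkey_fingerprint key "$1")   || return 1
    cert_fp=$(pubkey_fingerprint cert "$2") || return 1
    if [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]; then
        return 0
    fi
    return 1
}

# Build the .pfx: $1 key, $2 certificate, $3 CA bundle ("" if none), $4 output
# file, $5 export password (Emby asks for it when you point it at the file).
# Refuses to bundle a key that does not belong to the certificate.
make_pfx() {
    key=$1; cert=$2; chain=$3; out=$4; pass=$5
    key_matches_cert "$key" "$cert" || {
        echo "refusing to export: $key does not match $cert" >&2
        return 1
    }
    if [ -n "$chain" ] && [ -s "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
}

# 0 if the .pfx ($1) parses and its integrity check passes with the password ($2).
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# 0 if the certificate ($1) is still valid $2 days from now, 1 if it will have
# expired by then. Handy as a scheduled check so an expiry is not missed again.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Typical use with the file names from the thread:
#   make_pfx PrivateKey.key us.crt us.ca-bundle emby.pfx 'choose-a-password' \
#       && verify_pfx emby.pfx 'choose-a-password'
#   cert_valid_for_days us.crt 20 || echo "renew soon" >&2
```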

jachin99

I created a pfx file and pointed Emby at it, but it's still not working. I remember putting a text record in the DNS entry or something similar for my hosting provider, Google Domains. Is there something I need to update on my domain record?


tekfranz

The text record is to verify your DNS ownership. You do that after you submit your CSR and they ask you to verify your domain.

This PFX was not working either... I might need to convert it from a different format. But the paid Namecheap one does.

Oh wait, I just tried clearing my remote browser's cache and it works (as well as restarting Emby Server and enabling and disabling "secure connections required". Also a complete computer restart as well.)

Just to confirm, adding a new certificate seems to require a restart of the Emby Server, a disabling/re-enabling of Secure Connections under Secure Connection Mode, and also a reboot of the machine and the clearing of the remote browser cache.


Riggs
On 1/11/2020 at 12:53 AM, MikeB111 said:

Certificate Renewal

 

Now, I mentioned before that the Let's Encrypt certificates are only good for 90 days.  So every 90 days you have to renew the certificate.  Take that "get_cert.bat" file you made earlier and make a copy of it called renew_cert.bat.  At the end of the second line, just add the text "--renew 20" (without the double quotes).  When you are within 20 days of your expiration date run this file, it'll renew your certificate.  I believe it'll ask you to place a new TXT record in your domain, so certificate renewal cannot be made fully automatic.  You'll have to run it manually and add this TXT record into your Google domain just like when you created the certificate in the first place.  But it takes just a few minutes and then your certificate is renewed.  You'll have to restart your Emby server for it to take.  The file locations all stay the same, so you don't have to update anything in the Emby setup, just restart Emby.  That's it!

 

Thanks for sharing this.

However, Acme and Certbot do the job for you, at least in non-Windows environments.

--------------------------------------------------------------------------------------

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

First, add the repository:

  • sudo add-apt-repository ppa:certbot/certbot

    You’ll need to press ENTER to accept.

Install Certbot’s Apache package with apt:

  • sudo apt install python-certbot-apache


Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.

Step 2 — Set Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the virtual host setup step in the Apache installation tutorial, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.com.conf with the ServerName directive already set appropriately.

To check, open the virtual host file for your domain using nano or your favorite text editor: 

  • sudo nano /etc/apache2/sites-available/your_domain.conf


Find the existing ServerName line. It should look like this (Apache directives take no trailing semicolon):

/etc/apache2/sites-available/your_domain.conf
...
ServerName your_domain
...

If it does, exit your editor and move on to the next step.

If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

  • sudo apache2ctl configtest


If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

  • sudo systemctl reload apache2


Certbot can now find the correct VirtualHost block and update it.

Next, let’s update the firewall to allow HTTPS traffic.

Step 3 — Allowing HTTPS Through the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Apache registers a few profiles with ufw upon installation.

You can see the current setting by typing:

  • sudo ufw status


It will probably look like this, meaning that only HTTP traffic is allowed to the web server:

Output

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance: 

  • sudo ufw allow 'Apache Full'
    sudo ufw delete allow 'Apache'

Your status should now look like this:

  • sudo ufw status

Output

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)

Next, let’s run Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following: 

  • sudo certbot --apache -d your_domain -d www.your_domain


This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings: 

Output

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored: 

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let’s finish by testing the renewal process.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

  • sudo certbot renew --dry-run


If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

To save time I copied this from an online tutorial that is frankly very well explained, of course better than I would have. It applies to Linux servers with Apache in general.

Source: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

