Thursday, October 05, 2017

6.1 DL160 Gen9: Bought myself a domain, now to configure Nginx + acme-client.

Hi,

Except for the fact that the server's Smart Array battery is failing, my ProLiant DL160 Gen9 is doing great. I long ago changed to running ESXi 6.0 and now it's VMware ESXi 6.5. Last time I wrote that I was using XenServer, but it was just a brief encounter. Having to install an additional program for a web management feature is one of the negative points for me. So that's why I went back to VMware ESXi. I've been learning a lot from this machine, so I'm very excited and grateful.

What else is new? Ah. Got a very crazy deal on a domain registration: buy 2 years and get 2 more years free for RM160! So I went for it and bought meself a domain. I should've bought more but I have no more budget. And before that I registered for a bargain 10Mbps Unifi plan for RM129/mth. Oh yeah, and I moved to a new place.

As now I have my internet line at home, I can properly play around with the server and OpenBSD. My plan is to bring up my Odoo web online and *finally* start my small business.

So far, I have 2 OpenBSD VMs. One VM is basically serving local DNS (in progress), web (using Nginx), PostgreSQL and Fossil SCM, and the other VM is doing nothing important (yet). In detail:

serv1.mydomain.my (also known as www.mydomain.my):
- Unbound (not done).
- Nginx (serving Odoo through reverse proxy, Fossil SCM through SCGI, proxy pass to ESXi all in HTTPS).
- PostgreSQL.
- acme-client for SSL Certs (This particular post).

I learned acme-client the hard way. I configured the acme-client related files (/etc/acme-client.conf & /etc/nginx/nginx.conf), but every time I ran "acme-client -vAD mydomain.my" I received errors:

# acme-client: bad exit: netproc(xxxx): 1

Thinking that I could do trial and error as much as I wanted, I kept reconfiguring the files until I reached the limit of registration tries. It was then that I read about it at https://letsencrypt.org/docs/rate-limits/. Then I read about the "Staging" function (acme-client --staging), which I tried, but it's not in the version installed in OpenBSD. I checked /etc/acme-client.conf and found the staging block. So I altered it as:

===== /etc/acme-client.conf =====
#authority letsencrypt {
#    *snipped
#}

#authority letsencrypt-staging {
authority letsencrypt {
    agreement url "bla bla
    bla bla bla
    account key "bla bla
}
===== /etc/acme-client.conf =====

Basically I commented out the production block and the "authority letsencrypt-staging" line. Running the same "acme-client -vAD mydomain.my" now uses the staging URL instead of the production one, so the limit is much higher, which is useful for testing/debugging. I wish I knew this earlier. Because of the production limit, I now have to wait a full 7 days before I can try and register again. Ah well, I can do more testing in the meantime.

After many reconfiguration/testing cycles, I found that this configuration managed to successfully register my domain. Here's the additional block in /etc/acme-client.conf:

===== /etc/acme-client.conf =====
* snipped

domain mydomain.my {
    alternative names { www.mydomain.my esx.mydomain.my fossil.mydomain.my }
    domain key "/etc/ssl/private/mydomain.my.key"
    domain certificate "/etc/ssl/mydomain.my.crt"
    domain full chain certificate "/etc/ssl/mydomain.my.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme/.well-known/acme-challenge"
}
===== /etc/acme-client.conf =====

And to complement the above configuration, here's the /etc/nginx/nginx.conf configuration.

===== /etc/nginx/nginx.conf =====
# Default server
server {
    listen 80;
    server_name mydomain.my www.mydomain.my;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/acme;
    }

    location / {
        return 307 https://www.mydomain.my$request_uri;
    }
}

# ESXi
server {
    listen 80;
    server_name esx.mydomain.my;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/acme;
    }

    location / {
        return 307 https://$host$request_uri;
    }
}

server {
    listen 443;
    ssl on;
    ssl_certificate    /etc/ssl/mydomain.my.fullchain.pem;
    ssl_certificate_key    /etc/ssl/private/mydomain.my.key;

    *snipped
}
===== /etc/nginx/nginx.conf =====

Do take note that the default_type "text/plain"; line is optional. I tried registering without it and it's fine. The "ESX" block is also not completed yet, as the virtual console has a "Failed to connect" error, which is for another post. After reconfiguring, I restarted Nginx and then ran acme-client again.
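Before spending another attempt against the production rate limit, two things are worth checking from the shell: which endpoint the "letsencrypt" authority in /etc/acme-client.conf now points at, and whether every name in the alternative names list really serves a file out of challengedir over plain HTTP through the nginx blocks above (a name that does not is the usual reason the netproc step fails). The script below is an added example, not from the original post and not part of OpenBSD's acme-client; it only parses the config with awk and never calls acme-client. The staging URL and account key path in its constructed sample config are assumptions, it hardcodes the authority name letsencrypt as the post does, and it fetches with OpenBSD's ftp(1) unless FETCH is set (for example FETCH="curl -fsS" on other systems).

```shell
#!/bin/sh
# acme_preflight.sh: sanity checks to run before "acme-client -vAD domain".
# Added example for this post; it is not part of OpenBSD's acme-client and
# does not call it.  Requires only sh(1), awk(1) and, for the HTTP probe,
# ftp(1) (OpenBSD) or curl.  File names and paths below are assumptions.

# api url of authority $2 in config $1 (quotes stripped), or nothing.
acme_api_url() {
    awk -v want="$2" '
        $1 == "authority" && $2 == want { inblk = 1; next }
        inblk && $1 == "}"              { inblk = 0 }
        inblk && $1 == "api" && $2 == "url" {
            gsub(/"/, "", $3); print $3; exit
        }' "$1"
}

# Exit 0 when authority $2 points at a Let's Encrypt staging endpoint, so
# repeated test runs will not eat into the production rate limits.
acme_is_staging() {
    case "$(acme_api_url "$1" "$2")" in
        *staging*) return 0 ;;
        *)         return 1 ;;
    esac
}

# The domain $2 plus every entry of its "alternative names", one per line.
# Each of these must answer the HTTP-01 challenge, not just the first.
acme_domain_names() {
    awk -v want="$2" '
        $1 == "domain" && $2 == want && $3 == "{" { inblk = 1; print want; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk && $1 == "alternative" && $2 == "names" {
            for (i = 4; i <= NF; i++) if ($i != "}") print $i
        }' "$1"
}

# challengedir of domain $2 (quotes stripped).
acme_challengedir() {
    awk -v want="$2" '
        $1 == "domain" && $2 == want && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk && $1 == "challengedir" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Drop a probe file into challengedir and fetch it through nginx for every
# name.  A FAIL here is found without using up a Let's Encrypt attempt.
# FETCH defaults to OpenBSD's ftp(1) writing to stdout.
acme_preflight() {
    conf=$1; dom=$2
    fetch=${FETCH:-"ftp -o -"}
    dir=$(acme_challengedir "$conf" "$dom")
    token="preflight-$$"
    printf 'ok\n' > "$dir/$token" || { echo "cannot write to $dir"; return 1; }
    rc=0
    for name in $(acme_domain_names "$conf" "$dom"); do
        url="http://$name/.well-known/acme-challenge/$token"
        if $fetch "$url" 2>/dev/null | grep -qx ok; then
            echo "OK   $url"
        else
            echo "FAIL $url"; rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}

# Writes a constructed config modelled on the post's edited acme-client.conf
# to a temp file and prints its path (offline demonstration input only).
acme_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/acme-client.conf.XXXXXX") || return 1
    cat > "$f" <<'EOF'
# constructed sample: staging endpoint under the name "letsencrypt", as in the post
authority letsencrypt {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain mydomain.my {
    alternative names { www.mydomain.my esx.mydomain.my fossil.mydomain.my }
    domain key "/etc/ssl/private/mydomain.my.key"
    domain certificate "/etc/ssl/mydomain.my.crt"
    domain full chain certificate "/etc/ssl/mydomain.my.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme/.well-known/acme-challenge"
}
EOF
    echo "$f"
}

# Usage: sh acme_preflight.sh /etc/acme-client.conf mydomain.my
if [ $# -eq 2 ]; then
    if acme_is_staging "$1" letsencrypt; then
        echo "authority letsencrypt -> staging endpoint, safe to iterate"
    else
        echo "authority letsencrypt -> production endpoint, rate limits apply"
    fi
    acme_preflight "$1" "$2"
fi
```

Run it as root on the web VM after "rcctl restart nginx"; a FAIL line for esx.mydomain.my, for instance, would point at the ESX server block (or its DNS record) rather than at acme-client itself.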

# rcctl restart nginx
# acme-client -vAD mydomain.my
* snipped
acme-client: /etc/ssl/mydomain.my.crt: created
acme-client: /etc/ssl//mydomain.my.fullchain.pem: created

Note the double slash "//" in the fullchain.pem path. Although it looks like something isn't working, I can still find the fullchain.pem file in the /etc/ssl folder. And when I checked the SSL certificate, the issuer's Common Name (CN) is stated as "Fake LE Intermediate X1", which is as Let's Encrypt documented.
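The same check from the shell, for the file acme-client just wrote: the issuer CN tells a staging certificate from a production one, the SAN list shows whether every alternative name made it into the certificate, and the expiry date says when the next acme-client run is due. This is an added example, not from the post or from OpenBSD; it uses only openssl(1) (LibreSSL on OpenBSD). Matching "Fake" in the issuer name to detect staging is an assumption based on the CN quoted above, and the 30-day renewal threshold is a choice, not anything the post states.

```shell
#!/bin/sh
# cert_check.sh: inspect the certificate acme-client wrote and tell a staging
# cert from a production one.  Added example for this post, not the post's or
# OpenBSD's code.  Needs only openssl(1).  For a fullchain.pem, openssl x509
# reads the first PEM block, i.e. the leaf certificate.

# Issuer Common Name, e.g. "Fake LE Intermediate X1" for a staging cert.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when the issuer looks like a Let's Encrypt staging CA (assumption:
# their staging intermediates carry "Fake" in the name); such certs are not
# trusted by browsers, which is fine while testing.
cert_is_staging() {
    case "$(cert_issuer_cn "$1")" in
        *Fake*) return 0 ;;
        *)      return 1 ;;
    esac
}

# DNS names in subjectAltName, one per line, to compare against the
# "alternative names" list in acme-client.conf.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 when the cert is still valid for at least $2 days (default 30);
# a non-zero exit is the cue to run acme-client again for renewal.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Human-readable summary of one certificate file.
cert_report() {
    printf 'issuer CN : %s\n' "$(cert_issuer_cn "$1")"
    if cert_is_staging "$1"; then
        echo 'source    : staging CA (not browser-trusted; expected after the config edit)'
    else
        echo 'source    : production CA'
    fi
    printf 'not after : %s\n' "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
    printf 'SANs      : %s\n' "$(cert_sans "$1" | tr '\n' ' ')"
    if cert_valid_for_days "$1" 30; then
        echo 'renewal   : not needed yet'
    else
        echo 'renewal   : due (expires within 30 days)'
    fi
}

# Usage: sh cert_check.sh /etc/ssl/mydomain.my.fullchain.pem
if [ $# -eq 1 ]; then
    cert_report "$1"
fi
```

Running it against /etc/ssl/mydomain.my.fullchain.pem after the staging run above should report the "Fake LE Intermediate X1" issuer and list all four names; the same report after a production run is the quick way to confirm the switch back was done before telling anyone to trust the site.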

So far I've done a few tests and it's ok. I need to wait until this Sunday (or next Monday) before I can try and register again. Later.
