leviolson
/
website
1
1
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
My personal website https://leviolson.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58 Commits
5 Branches
39 MiB
Branch: tesla
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'tesla'
${ noResults }
website/README2.md

142 lines
4.2 KiB
Raw Permalink Normal View History

Creating a post to sell the Tesla, but archiving because we traded it instead
4 years ago
 
  1. # Let's Encrypt

  2. 

  3. ## Working with NGINX configs locally

  4. 

  5. Sync your local file to the server (run after every update)
  6. ```bash
  7. rsync -rtvpl path/to/local/leviolson.com.conf base-droplet:/etc/nginx/sites-available/
  8. ```
  9. Create a symlink in nginx `sites-enabled`
  10. ```bash
  11. ssh base-droplet ln -s /etc/nginx/sites-available/leviolson.com.conf /etc/nginx/sites-enabled/
  12. ```
  13. Restart Nginx after each `rsync` command
  14. ```bash
  15. ssh base-droplet sudo service nginx restart
  16. ```
  17. 

  18. ## Setup NGINX for cert creation

  19. Nginx must be minimally configured at this point to allow port 80 to work and not fail trying to access port 443 or redirecting you.  Our main nginx config (below) tries to redirct to HTTPS which would cause Let's Encrypt to fail.
  20. 

  21. ```nginx
  22. server {
  23.     listen 80;
  24.     server_name leviolson.com www.leviolson.com;
  25. 

  26.     location / {
  27.         proxy_pass http://localhost:3000; # port must match the same as the node app
  28.         proxy_http_version 1.1;
  29.         proxy_set_header Upgrade $http_upgrade;
  30.         proxy_set_header Connection 'upgrade';
  31.         proxy_set_header Host $host;
  32.         proxy_cache_bypass $http_upgrade;
  33.     }
  34. }
  35. ```
  36. 

  37. Sync this file:
  38. ```bash
  39. rsync -rtvpl ./leviolson.com.conf base-droplet:/etc/nginx/sites-available/
  40. ```
  41. Restart Nginx:
  42. ```bash
  43. ssh base-droplet sudo service nginx restart
  44. ```
  45. 

  46. ## Create the cert

  47. 

  48. ```bash
  49. sudo certbot certonly --nginx --manual -d leviolson.com -d www.leviolson.com
  50. ```
  51. 

  52. This will start the process of generating a cert for the two domain names provided.
  53. 

  54. As part of that process it will look for `.well-known/acme-challenge/{file}` where `{file}` is provided by the command output.  The contents of that file are provided as well.
  55. 

  56. Something like the following will create this file for you:
  57. 

  58. ```bash
  59. echo "long string provided" > {file}
  60. ```
  61. 

  62. After creating the file(s), you can complete the cert process and at that point you need to change the nginx conf file.
  63. 

  64. ## NGINX final state

  65. 

  66. ```nginx
  67. server {
  68.     if ($host = www.leviolson.com) {
  69.         return 301 https://leviolson.com$request_uri;
  70.     }
  71.     server_name leviolson.com www.leviolson.com;
  72. 

  73.     location / {
  74.         proxy_pass http://localhost:3000; # port must match the same as the node app
  75.         proxy_http_version 1.1;
  76.         proxy_set_header Upgrade $http_upgrade;
  77.         proxy_set_header Connection 'upgrade';
  78.         proxy_set_header Host $host;
  79.         proxy_cache_bypass $http_upgrade;
  80.     }
  81. 

  82.     listen 443 ssl; # managed by Certbot
  83.     ssl_certificate /etc/letsencrypt/live/leviolson.com-0001/fullchain.pem; # managed by Certbot
  84.     ssl_certificate_key /etc/letsencrypt/live/leviolson.com-0001/privkey.pem; # managed by Certbot
  85.     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  86.     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  87. }
  88. 

  89. server {
  90.     if ($host = leviolson.com) {
  91.         return 301 https://$host$request_uri;
  92.     }
  93.     if ($host = www.leviolson.com) {
  94.         return 301 https://leviolson.com$request_uri;
  95.     }
  96. 

  97.     server_name leviolson.com www.leviolson.com;
  98.     listen 80;
  99.     return 404;
  100. }
  101. ```
  102. 

  103. You'll want to verify the location of the `*.pem` files linked in the nginx config above.
  104. ```bash
  105. ssh base-droplet ls -al /etc/letsencrypt/live/leviolson.com-0001/
  106. ```
  107. This should return something like the following:
  108. ```
  109. total 12
  110. drwxr-xr-x 2 root root 4096 Jul 20 18:14 .
  111. drwxr-xr-x 7 root root 4096 Jul 20 19:21 ..
  112. lrwxrwxrwx 1 root root   42 Jul 20 18:14 cert.pem -> ../../archive/leviolson.com-0001/cert1.pem
  113. lrwxrwxrwx 1 root root   43 Jul 20 18:14 chain.pem -> ../../archive/leviolson.com-0001/chain1.pem
  114. lrwxrwxrwx 1 root root   47 Jul 20 18:14 fullchain.pem -> ../../archive/leviolson.com-0001/fullchain1.pem
  115. lrwxrwxrwx 1 root root   45 Jul 20 18:14 privkey.pem -> ../../archive/leviolson.com-0001/privkey1.pem
  116. -rw-r--r-- 1 root root  692 Jul 20 18:14 README
  117. ```
  118. 

  119. 

  120. Sync this file:
  121. ```bash
  122. rsync -rtvpl ./leviolson.com.conf base-droplet:/etc/nginx/sites-available/
  123. ```
  124. Restart Nginx:
  125. ```bash
  126. ssh base-droplet sudo service nginx restart
  127. ```
  128. 

  129. ## Some helpful debugging commands

  130. 

  131. ```bash
  132. pm2 status
  133. ```
  134. 

  135. ```bash 
  136. journalctl -xe
  137. ```
  138. 

  139. ```bash
  140. sudo ufw status
  141. ```
  142. 

  143. This should include the port you are serving if you wish to have that port accessible to the public as well.