sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache
Tag Archives: ssl
How to Install and Secure the Mosquitto MQTT Messaging Broker on Ubuntu 16.04
Installing Mosquitto
sudo add-apt-repository ppa:mosquitto-dev/mosquitto-ppa sudo apt-get update sudo apt-get install mosquitto mosquitto-clients
Installing Certbot for Let’s Encrypt Certificates
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot
Running Certbot
sudo ufw allow 80 sudo ufw allow 443
sudo certbot certonly --standalone
Enter your domain : mqtt.example.com
Setting up Certbot Automatic Renewals
sudo crontab -e
. . . 15 3 * * * certbot renew --noninteractive --post-hook "systemctl restart mosquitto"
Configuring MQTT Passwords
sudo mosquitto_passwd -c /etc/mosquitto/passwd sammy
sudo nano /etc/mosquitto/conf.d/default.conf
allow_anonymous false password_file /etc/mosquitto/passwd
sudo systemctl restart mosquitto
Configuring MQTT SSL
sudo nano /etc/mosquitto/conf.d/default.conf
. . . listener 1883 localhost listener 8883 certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
sudo systemctl restart mosquitto
sudo ufw allow 8883
Redirect Request to SSL on Apache
NameVirtualHost *:80 <VirtualHost *:80> ServerName mysite.example.com DocumentRoot /usr/local/apache2/htdocs Redirect /secure https://mysite.example.com/secure </VirtualHost> <VirtualHost _default_:443> ServerName mysite.example.com DocumentRoot /usr/local/apache2/htdocs SSLEngine On # etc... </VirtualHost>
When redirecting everything you don’t even need a DocumentRoot:
NameVirtualHost *:80 <VirtualHost *:80> ServerName www.example.com Redirect / https://secure.example.com/ </VirtualHost> <VirtualHost _default_:443> ServerName secure.example.com DocumentRoot /usr/local/apache2/htdocs SSLEngine On # etc... </VirtualHost>
Note: Once the configuration is working as intended, a permanent redirection can be considered. This avoids caching issues by most browsers while testing. The directive would then become:
Redirect permanent / https://secure.example.com/
—————
<Directory /topsecret> SSLRequireSSL </Directory>
References
https://wiki.apache.org/httpd/RedirectSSL
https://serverfault.com/questions/429634/restrict-apache-to-only-allow-access-using-ssl-for-some-directories
Configure Let’s Encrypt for Apache on Ubuntu
sudo apt-get install python-letsencrypt-apache
letsencrypt --apache
nano /etc/apache2/apache2.conf
<VirtualHost *:443>
SSLEngine on
SSLCertificateKeyFile /etc/letsencrypt/live/dl.mhdr.ir/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/dl.mhdr.ir/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/dl.mhdr.ir/chain.pem
DocumentRoot "/var/www/html/dl"
ServerName dl.mhdr.ir
</VirtualHost>
service apache2 restart
PPA
$ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install python-certbot-apache
note : only the last VitualHost will be detected by letsencrypt
References
https://certbot.eff.org/#ubuntuxenial-apache
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
https://letsencrypt.org/