-
@mihairosu I'd argue that since you need a web server to host an ssl cert, use pfsense and port forward to the mango box instead. Use nginx as it offers better support for reverse proxy headers and websockets. Much simpler and allows you to have nginx automate the ssl certs to keep everything up to date.
Fox
-
Do you have an nginx configuration you can share?
The documentation shows an example for apache, but not nginx.
-
@mihairosu nginx is by far the most popular; however, we have internally settled on using Caddy https://caddyserver.com/
which does everything @MattFox described, auto SSL renewal from LetsEncrypt etc. The only reason I mention this is that I would be able to support you on Caddy.
-
@mihairosu sure, give me a moment
-
-
@MattFox
Thank you for the instructions, but I ran into a problem. Simply running certbot --nginx assumes it can do a challenge over port 80, i.e. that the Mango OS IP is publicly exposed, which ours is not, so that will fail.
We need to do a DNS challenge (Cloudflare), which would look like this:
certonly --nginx --dns-cloudflare --dns-cloudflare-credentials /loc/to/cloudflare-api-token.ini -d mangoos.com
But running that will give a different error:
Too many flags setting configurators/installers/authenticators 'nginx' -> 'dns-cloudflare'
I haven't figured out how to do either of these things:
- Convert your HTTP nginx config to HTTPS
- Figure out how to use certbot --nginx with the Cloudflare DNS challenge
When I figure it out I'll post here, but if you have any tips for either of those I would much appreciate it!
P.S. I do have the LetsEncrypt certificates on the system for step 1.
-
After running certbot, which created the certificate and key in the /etc/letsencrypt/live/fqdn.com/ directory, I was able to get it to work with the following nginx configuration:
    server {
        listen 443 ssl;
        server_name fqdn.com;
        root /opt/mango/overrides/web/;
        index index.html;
        ssl_certificate /etc/letsencrypt/live/fqdn.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/fqdn.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_http_version 1.1;
            # Inform Mango about the real host, port and protocol
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
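Editor's note: the following is an added example, not code from this thread or from the Mango project. It is a small Python lint that parses an nginx server block of the shape posted above and checks the settings that matter when TLS is terminated in front of a backend: that the block actually listens with ssl and names a certificate and key, that X-Forwarded-Proto and X-Forwarded-For reach the backend, and that the WebSocket upgrade has proxy_http_version 1.1. The sample config embedded in the script is constructed to mirror the block above so the script runs offline; the parser is deliberately minimal (no include expansion, no variable evaluation), and the advisory about sending Connection "upgrade" on every request reflects the map-based pattern in nginx's own WebSocket proxying documentation, which is not something this thread states.

```python
"""Lint a minimal nginx TLS reverse-proxy server block (added example)."""
import re
import sys

# Constructed sample: mirrors the shape of the server block posted in the
# thread, so the script runs without touching a real /etc/nginx.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name fqdn.com;
    root /opt/mango/overrides/web/;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/fqdn.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fqdn.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_http_version 1.1;
        # Inform the backend about the real host, port and protocol
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""

# Constructed weakened variant: the scheme header and HTTP/1.1 are dropped.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "proxy_set_header X-Forwarded-Proto $scheme;", ""
).replace("proxy_http_version 1.1;", "")

# Tokens: comments, quoted strings, the structural characters { } ; and bare words.
TOKEN = re.compile(r"#[^\n]*|\"[^\"]*\"|'[^']*'|[{};]|[^\s{};#]+")


def parse(text):
    """Parse nginx config text into a list of (name, args, children) tuples.

    children is None for a simple directive and a nested list for a block.
    Comments are dropped and quotes are stripped from arguments.
    """
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unterminated directive: %r" % words)
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume '{'
                children = block()
                if pos >= len(tokens):
                    raise ValueError("unterminated block: %r" % words)
                pos += 1                      # consume '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def directives(items, name):
    """Argument lists of every directive called `name` at this nesting level."""
    return [args for n, args, _ in items if n == name]


def lint(text):
    """Return (severity, message) findings for every server block in `text`."""
    findings = []
    for name, _args, children in parse(text):
        if name != "server":
            continue
        if not any("ssl" in args for args in directives(children, "listen")):
            findings.append(("error", 'no "listen ... ssl" directive; TLS is not enabled'))
        for key in ("ssl_certificate", "ssl_certificate_key"):
            if not directives(children, key):
                findings.append(("error", "missing %s" % key))
        for n, _largs, body in children:
            if n != "location":
                continue
            headers = {args[0].lower(): args[1]
                       for args in directives(body, "proxy_set_header") if len(args) >= 2}
            if headers.get("x-forwarded-proto") != "$scheme":
                findings.append(("error", "X-Forwarded-Proto is not $scheme; the backend will build http:// URLs and redirects"))
            if "x-forwarded-for" not in headers:
                findings.append(("warn", "X-Forwarded-For not set; backend logs will show the proxy address for every client"))
            if directives(body, "proxy_http_version") != [["1.1"]]:
                findings.append(("error", "proxy_http_version 1.1 is required for the WebSocket upgrade to pass through"))
            if headers.get("connection", "").lower() == "upgrade":
                findings.append(("info", 'Connection "upgrade" is sent on every request; nginx\'s documented pattern maps $http_upgrade to $connection_upgrade so ordinary requests keep a normal Connection header'))
    return findings


if __name__ == "__main__":
    # Usage: python lint_nginx.py [/path/to/nginx/site.conf]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for severity, message in lint(source):
        print("%-5s %s" % (severity, message))
```

Against the sample the only finding is the informational one about the Connection header; against the weakened variant the two missing settings surface as errors, which is the kind of drift worth catching before a proxy config is copied between hosts.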
-
@mihairosu nicely done! If desired, save the successful ssh call you made into a bash script followed by a
sudo service nginx restart
You can then routinely call this once a month to keep your certs always up to date via cron.monthly or using crontab itself.
Fox
-
Based on the installation instructions for certbot on Ubuntu here, it looks like it should have automatically installed a renew job.
I found it in systemctl list-timers:
Wed 2023-02-15 21:42:00 CST 1h 56min left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
So I assume I should be good, but thanks for the heads up.
-
@mihairosu good, it doesn't for the mango units so I'm glad everything is resolved.
Fox