apache + certbot + modules

2021-12-22 14:23:52 -07:00 · 2021-12-22 14:23:52 -07:00 · 2cca63f99a
parent 9519a68df9
commit 2cca63f99a
1 changed files with 144 additions and 1 deletions
--- a/README-install.md
+++ b/README-install.md
@ -340,7 +340,17 @@ Install the following dependencies from Debian's repos:
 ```
 sudo apt update

-sudo apt install build-essential git openjdk-11-jre-headless python2 redis-server 
+sudo apt install			\
+	apache2				\
+	build-essential			\
+	git				\
+	openjdk-11-jre-headless		\
+	python-is-python3		\
+	python2				\
+	python3-certbot-apache		\
+	redis-server
+
+sudo apt clean
 ```

 Note: Docs say `python2` is needed, but is that still correct?
@ -447,10 +457,143 @@ debian@mychestserver:~$ yarn --version
 ```


+## Set up Webserver
+It is a bit easier to set up the webserver and get its SSL certificates
+confirmed all working correctly before installing Lila, to
+lessen any complications.
+
+
+The webserver directories will be owned by user `debian`.
+
+
+```
+# User debian owns webserver files
+sudo chown -R debian:debian /var/www
+
+# Quick words for the webserver for testing
+echo "mychestserver web" > /var/www/html/index.html
+
+# Start webserver
+sudo systemctl start apache2
+
+# Logs are:
+sudo tail -f /var/log/apache2/*.log
+```
+
+In your browser, you should now be able to see your website
+in insecure plaintext on port 80. Go to your site with your
+workstation's browser to check.
+It should say like "mychestserver web".
+
+* http://www.mychestserver.org
+
+Note, your browser may try to send you to the `https` URL,
+but that is set up below with `certbot`.
+
+```
+# Set up SSL certificates
+sudo certbot
+```
+
+It should look something like this:
+
+```
+debian@mychestserver:~$ sudo certbot
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator apache, Installer apache
+Enter email address (used for urgent renewal and security notices)
+ (Enter 'c' to cancel): webmaster@mychestserver.org
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Please read the Terms of Service at
+https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
+agree in order to register with the ACME server. Do you agree?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: y
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Would you be willing, once your first certificate is successfully issued, to
+share your email address with the Electronic Frontier Foundation, a founding
+partner of the Let's Encrypt project and the non-profit organization that
+develops Certbot? We'd like to send you email about our work encrypting the web,
+EFF news, campaigns, and ways to support digital freedom.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: n
+Account registered.
+No names were found in your configuration files. Please enter in your domain
+name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.mychestserver.org
+Requesting a certificate for www.mychestserver.org
+Performing the following challenges:
+http-01 challenge for www.mychestserver.org
+Enabled Apache rewrite module
+Waiting for verification...
+Cleaning up challenges
+Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
+Enabled Apache socache_shmcb module
+Enabled Apache ssl module
+Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
+Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
+Enabled Apache rewrite module
+Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Congratulations! You have successfully enabled https://www.mychestserver.org
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at:
+   /etc/letsencrypt/live/www.mychestserver.org/fullchain.pem
+   Your key file has been saved at:
+   /etc/letsencrypt/live/www.mychestserver.org/privkey.pem
+   Your certificate will expire on 2022-03-22. To obtain a new or
+   tweaked version of this certificate in the future, simply run
+   certbot again with the "certonly" option. To non-interactively
+   renew *all* of your certificates, run "certbot renew"
+ - If you like Certbot, please consider supporting our work by:
+
+   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+   Donating to EFF:                    https://eff.org/donate-le
+```
+
+Then restart your web server:
+
+```
+sudo systemctl restart apache2
+```
+
+Now go to your website, and you should see that `https` encrypted
+SSL is now working and you can view the certificate in your
+workstation's web browser:
+
+* https://www.mychestserver.org/
+
+
+Lets also enable some Apache modules we'll need later.
+
+```
+# Enable Apache modules
+sudo a2enmod headers http2 proxy proxy_http proxy_http2 proxy_wstunnel
+
+# Restart Apache
+sudo systemctl restart apache2
+
+# Enable Apache to start on boot
+sudo systemctl enable apache2
+```
+
+
 ## Install Lila
+Now we can actually install lila! See here:

 * https://github.com/ornicar/lila

+Install thusly:
+
+```
+git clone --recursive https://github.com/ornicar/lila.git
+
+
+```

 ## Install lila-ws
 * https://github.com/ornicar/lila-ws