delta (#1), openresty (#16): primeira leva de testes com o GUI/lua-re…

…sty-auto-ssl; adicionado arquivos padrões da documentação (sem customização extra)
EticaAI · Jun 23, 2019 · 639d94e · 639d94e
1 parent 467ff4e
commit 639d94e
Show file tree

Hide file tree

Showing 2 changed files with 134 additions and 2 deletions.
diff --git a/diario-de-bordo/delta.sh b/diario-de-bordo/delta.sh
@@ -190,4 +190,52 @@ $ sudo luarocks install lua-resty-auto-ssl
 sudo mkdir /etc/resty-auto-ssl
 sudo chown www-data /etc/resty-auto-ssl
 
-## TODO: rever permissões e usuário do NGinx/OpenResty em breve (fititnt, 2019-06-22 21:40 BRT)
+## TODO: rever permissões e usuário do NGinx/OpenResty em breve (fititnt, 2019-06-22 21:40 BRT)
+
+#### OpenResty + GUI/lua-resty-auto-ssl, configuração mínima ___________________
+# Edite o arquivo do NGinx para ficar conforme https://github.com/GUI/lua-resty-auto-ssl#installation
+# Uma copia deste arquivo está em diario
+# de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
+sudo vim /usr/local/openresty/nginx/conf/nginx.conf
+
+# É preciso criar um certificado padrão para o NGinx pelo menos poder iniciar sem erro
+sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+  -subj '/CN=sni-support-required-for-valid-ssl' \
+  -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+  -out /etc/ssl/resty-auto-ssl-fallback.crt
+
+## root@aguia-pescadora-1:~# sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+## >   -subj '/CN=sni-support-required-for-valid-ssl' \
+## >   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+## >   -out /etc/ssl/resty-auto-ssl-fallback.crt
+## Can't load /root/.rnd into RNG
+## 140384327201216:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
+
+
+# Reinicie o Openresty
+sudo systemctl status openresty
+sudo systemctl reload openresty
+
+# Para ver erros
+tail -f /usr/local/openresty/nginx/logs/error.log
+
+# Erros para tentativa de obter HTTPS para 173.249.10.99.nip.io
+
+## /usr/local/bin/resty-auto-ssl/start_sockproc: line 55: kill: (21760) - No such process
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=a6e7818677010e3a6addeae5a1b8aaebf65169bd31dd063e88bf3b69cb22b7d5 HOOK_SERVER_PORT=8999 /usr/local/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain 173.249.10.99.nip.io --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
+## + Generating account key...
+## + Registering account key with ACME server...
+## Processing 173.249.10.99.nip.io
+##  + Signing domains...
+##  + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/173.249.10.99.nip.io ...
+##  + Creating chain cache directory /etc/resty-auto-ssl/letsencrypt/chains
+##  + Generating private key...
+##  + Generating signing request...
+##  + Requesting authorization for 173.249.10.99.nip.io...
+##  err: Can't load ./.rnd into RNG
+## 140690134127040:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=./.rnd
+## /usr/local/bin/resty-auto-ssl/dehydrated: line 693: /etc/resty-auto-ssl/letsencrypt/.acme-challenges/gKNgIbdZEGhq9iIhxRK6Hn8xe_kbMJwCKAgVDnxdk3o: Permission denied
+## , context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] ssl_certificate.lua:286: auto-ssl: could not get certificate for 173.249.10.99.nip.io - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:17 [error] 22053#22053: *18 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=a6e7818677010e3a6addeae5a1b8aaebf65169bd31dd063e88bf3b69cb22b7d5 HOOK_SERVER_PORT=8999 /usr/local/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain 173.249.10.99.nip.io --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
diff --git a/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf b/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 # FILE:             /etc/openresty/nginx.conf
 # SERVER:           aguia-pescadora-delta.etica.ai
 
-#user  nobody;
+user  www-data;
 worker_processes  1;
 
 #error_log  logs/error.log;
@@ -34,6 +34,90 @@ http {
 
     #gzip  on;
 
+    # The "auto_ssl" shared dict should be defined with enough storage space to
+    # hold your certificate data. 1MB of storage holds certificates for
+    # approximately 100 separate domains.
+    lua_shared_dict auto_ssl 1m;
+    # The "auto_ssl_settings" shared dict is used to temporarily store various settings
+    # like the secret used by the hook server on port 8999. Do not change or
+    # omit it.
+    lua_shared_dict auto_ssl_settings 64k;
+
+    # A DNS resolver must be defined for OCSP stapling to function.
+    #
+    # This example uses Google's DNS server. You may want to use your system's
+    # default DNS servers, which can be found in /etc/resolv.conf. If your network
+    # is not IPv6 compatible, you may wish to disable IPv6 results by using the
+    # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
+    resolver 8.8.8.8;
+
+    # Initial setup tasks.
+    init_by_lua_block {
+      auto_ssl = (require "resty.auto-ssl").new()
+
+      -- Define a function to determine which SNI domains to automatically handle
+      -- and register new certificates for. Defaults to not allowing any domains,
+      -- so this must be configured.
+      auto_ssl:set("allow_domain", function(domain)
+        return true
+      end)
+
+      auto_ssl:init()
+    }
+
+    init_worker_by_lua_block {
+      auto_ssl:init_worker()
+    }
+
+    # HTTPS server
+    server {
+      listen 443 ssl;
+
+      # Dynamic handler for issuing or returning certs for SNI domains.
+      ssl_certificate_by_lua_block {
+        auto_ssl:ssl_certificate()
+      }
+
+      # You must still define a static ssl_certificate file for nginx to start.
+      #
+      # You may generate a self-signed fallback with:
+      #
+      # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+      #   -subj '/CN=sni-support-required-for-valid-ssl' \
+      #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+      #   -out /etc/ssl/resty-auto-ssl-fallback.crt
+      ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+      ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+    }
+
+    # HTTP server
+    server {
+      listen 80;
+
+      # Endpoint used for performing domain verification with Let's Encrypt.
+      location /.well-known/acme-challenge/ {
+        content_by_lua_block {
+          auto_ssl:challenge_server()
+        }
+      }
+    }
+
+    # Internal server running on port 8999 for handling certificate tasks.
+    server {
+      listen 127.0.0.1:8999;
+
+      # Increase the body buffer size, to ensure the internal POSTs can always
+      # parse the full POST contents into memory.
+      client_body_buffer_size 128k;
+      client_max_body_size 128k;
+
+      location / {
+        content_by_lua_block {
+          auto_ssl:hook_server()
+        }
+      }
+    }
+
     server {
         listen       80;
         server_name  localhost;