From 639d94e0adf7d2c46cfd700cac9f7b0f0cba4fe5 Mon Sep 17 00:00:00 2001
From: Emerson Rocha Luiz
Date: Sat, 22 Jun 2019 23:10:00 -0300
Subject: [PATCH] =?UTF-8?q?delta=20(#1),=20openresty=20(#16):=20primeira?=
 =?UTF-8?q?=20leva=20de=20testes=20com=20o=20GUI/lua-resty-auto-ssl;=20adi?=
 =?UTF-8?q?cionado=20arquivos=20padr=C3=B5es=20da=20documenta=C3=A7=C3=A3o?=
 =?UTF-8?q?=20(sem=20customiza=C3=A7=C3=A3o=20extra)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 diario-de-bordo/delta.sh | 50 ++++++++++-
 .../usr/local/openresty/nginx/conf/nginx.conf | 86 ++++++++++++++++++-
 2 files changed, 134 insertions(+), 2 deletions(-)
diff --git a/diario-de-bordo/delta.sh b/diario-de-bordo/delta.sh
index 3756bf0..d31ddfa 100644
--- a/diario-de-bordo/delta.sh
+++ b/diario-de-bordo/delta.sh
@@ -190,4 +190,52 @@ $ sudo luarocks install lua-resty-auto-ssl
 sudo mkdir /etc/resty-auto-ssl
 sudo chown www-data /etc/resty-auto-ssl
-## TODO: rever permissões e usuário do NGinx/OpenResty em breve (fititnt, 2019-06-22 21:40 BRT)
\ No newline at end of file
+## TODO: rever permissões e usuário do NGinx/OpenResty em breve (fititnt, 2019-06-22 21:40 BRT)
+
+#### OpenResty + GUI/lua-resty-auto-ssl, configuração mínima ___________________
+# Edite o arquivo do NGinx para ficar conforme https://github.com/GUI/lua-resty-auto-ssl#installation
+# Uma copia deste arquivo está em diario
+# de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
+sudo vim /usr/local/openresty/nginx/conf/nginx.conf
+
+# É preciso criar um certificado padrão para o NGinx pelo menos poder iniciar sem erro
+sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ -subj '/CN=sni-support-required-for-valid-ssl' \
+ -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ -out /etc/ssl/resty-auto-ssl-fallback.crt
+
+## root@aguia-pescadora-1:~# sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+## > -subj '/CN=sni-support-required-for-valid-ssl' \
+## > -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+## > -out /etc/ssl/resty-auto-ssl-fallback.crt
+## Can't load /root/.rnd into RNG
+## 140384327201216:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
+
+
+# Reinicie o Openresty
+sudo systemctl status openresty
+sudo systemctl reload openresty
+
+# Para ver erros
+tail -f /usr/local/openresty/nginx/logs/error.log
+
+# Erros para tentativa de obter HTTPS para 173.249.10.99.nip.io
+
+## /usr/local/bin/resty-auto-ssl/start_sockproc: line 55: kill: (21760) - No such process
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=a6e7818677010e3a6addeae5a1b8aaebf65169bd31dd063e88bf3b69cb22b7d5 HOOK_SERVER_PORT=8999 
/usr/local/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain 173.249.10.99.nip.io --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
+## + Generating account key...
+## + Registering account key with ACME server...
+## Processing 173.249.10.99.nip.io
+## + Signing domains...
+## + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/173.249.10.99.nip.io ...
+## + Creating chain cache directory /etc/resty-auto-ssl/letsencrypt/chains
+## + Generating private key...
+## + Generating signing request...
+## + Requesting authorization for 173.249.10.99.nip.io...
+## err: Can't load ./.rnd into RNG
+## 140690134127040:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=./.rnd
+## /usr/local/bin/resty-auto-ssl/dehydrated: line 693: /etc/resty-auto-ssl/letsencrypt/.acme-challenges/gKNgIbdZEGhq9iIhxRK6Hn8xe_kbMJwCKAgVDnxdk3o: Permission denied
+## , context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:14 [error] 22053#22053: *16 [lua] ssl_certificate.lua:286: auto-ssl: could not get certificate for 173.249.10.99.nip.io - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 201.21.106.135, server: 0.0.0.0:443
+## 2019/06/23 01:50:17 [error] 22053#22053: *18 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=a6e7818677010e3a6addeae5a1b8aaebf65169bd31dd063e88bf3b69cb22b7d5 HOOK_SERVER_PORT=8999 /usr/local/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain 
173.249.10.99.nip.io --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
diff --git a/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf b/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
index 3158886..6892ce7 100644
--- a/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
+++ b/diario-de-bordo/delta/usr/local/openresty/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 # FILE: /etc/openresty/nginx.conf
 # SERVER: aguia-pescadora-delta.etica.ai
-#user nobody;
+user www-data;
 worker_processes 1;
 #error_log logs/error.log;
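Review bot: The error log pasted at the end of the hunk carries the live `HOOK_SECRET=a6e7…` value that auto-ssl hands to dehydrated, and it is committed twice; whether or not lua-resty-auto-ssl regenerates that secret on each start (not verifiable from this hunk), values copied out of logs should be redacted before the file is committed, e.g. `HOOK_SECRET=<redacted>`. The `Permission denied` on `/etc/resty-auto-ssl/letsencrypt/.acme-challenges/…` is the actual issuance failure: `sudo chown www-data /etc/resty-auto-ssl` at the top of the hunk is not recursive, so if the `letsencrypt/` subtree was created by another user (for instance while OpenResty still ran without `user www-data;`) it stays unwritable for the worker, and `sudo chown -R www-data /etc/resty-auto-ssl` after an `ls -la` check is the follow-up the TODO line already points at. The two `Can't load ./.rnd into RNG` lines look like OpenSSL's warning about a missing seed file rather than the cause of the failure, but that is an inference, not something this hunk shows.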
@@ -34,6 +34,90 @@ http {
 #gzip on;
+ # The "auto_ssl" shared dict should be defined with enough storage space to
+ # hold your certificate data. 1MB of storage holds certificates for
+ # approximately 100 separate domains.
+ lua_shared_dict auto_ssl 1m;
+ # The "auto_ssl_settings" shared dict is used to temporarily store various settings
+ # like the secret used by the hook server on port 8999. Do not change or
+ # omit it.
+ lua_shared_dict auto_ssl_settings 64k;
+
+ # A DNS resolver must be defined for OCSP stapling to function.
+ #
+ # This example uses Google's DNS server. You may want to use your system's
+ # default DNS servers, which can be found in /etc/resolv.conf. If your network
+ # is not IPv6 compatible, you may wish to disable IPv6 results by using the
+ # "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
+ resolver 8.8.8.8;
+
+ # Initial setup tasks.
+ init_by_lua_block {
+ auto_ssl = (require "resty.auto-ssl").new()
+
+ -- Define a function to determine which SNI domains to automatically handle
+ -- and register new certificates for. Defaults to not allowing any domains,
+ -- so this must be configured.
+ auto_ssl:set("allow_domain", function(domain)
+ return true
+ end)
+
+ auto_ssl:init()
+ }
+
+ init_worker_by_lua_block {
+ auto_ssl:init_worker()
+ }
+
+ # HTTPS server
+ server {
+ listen 443 ssl;
+
+ # Dynamic handler for issuing or returning certs for SNI domains.
+ ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+ }
+
+ # You must still define a static ssl_certificate file for nginx to start.
+ #
+ # You may generate a self-signed fallback with:
+ #
+ # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ # -subj '/CN=sni-support-required-for-valid-ssl' \
+ # -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ # -out /etc/ssl/resty-auto-ssl-fallback.crt
+ ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+ ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+ }
+
+ # HTTP server
+ server {
+ listen 80;
+
+ # Endpoint used for performing domain verification with Let's Encrypt.
+ location /.well-known/acme-challenge/ {
+ content_by_lua_block {
+ auto_ssl:challenge_server()
+ }
+ }
+ }
+
+ # Internal server running on port 8999 for handling certificate tasks.
+ server {
+ listen 127.0.0.1:8999;
+
+ # Increase the body buffer size, to ensure the internal POSTs can always
+ # parse the full POST contents into memory.
+ client_body_buffer_size 128k;
+ client_max_body_size 128k;
+
+ location / {
+ content_by_lua_block {
+ auto_ssl:hook_server()
+ }
+ }
+ }
+
 server {
 listen 80;
 server_name localhost;
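Review bot: `allow_domain` in the `init_by_lua_block` returns `true` unconditionally, so any SNI name a client presents for a name pointed at this host (including throwaway ones like the `*.nip.io` name in the delta.sh log) starts a Let's Encrypt issuance, which burns ACME rate limits and fills the 1m `auto_ssl` dict and the on-disk storage with certificates for names this server does not own. The comment right above it says the default allows nothing and "must be configured"; for this host an allowlist is the minimum, e.g. `return domain == "aguia-pescadora-delta.etica.ai"` (the name in the file header), or a lookup in a table of the host's names. Separately, `resolver 8.8.8.8;` routes every OCSP lookup to Google DNS, and the comment already offers the system resolver from /etc/resolv.conf as the alternative. The new `listen 80` server has no `server_name` and is declared before the existing `server_name localhost` block, so it becomes the default server for port 80; presumably intended, but worth a one-line comment.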