Skadi Pack 02: Secure Networking
This add-on pack is used to upgrade the default Skadi 2019.1 installation to use either self-signed or Letsencrypt provided TLS certificates.
The first portion of this script uses mkcert to install self-signed TLS certificates and configures the Skadi server to use TLS encryption. It then installs and configures protection from brute force authentication attacks through the use of Fail2Ban. It is configured to monitor and protect the SSH and Nginx Proxy authentication attempts.
The second portion of the script is optional. It uses Certbot to obtain Letsencrypt-validated TLS certificates and then replaces the existing self-signed certificates with them.
- Ask for and validate hostname to use
- Update Nginx to use the hostname provided
- Use mkcert to create and install self-signed certs
- Install and configure fail2ban
The generation of the DHParam key takes a long time. Be patient.
This script, and these instructions, were written specifically for Skadi 2019.1. It is assumed that the user is executing the following commands on a machine either based on the Skadi 2019.1 OVA/Vagrant images or built using the official, digitally signed, Skadi 2019.1 build script.
cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/secure_networking.sh
At the end of the first phase the script installs self-signed certificates. This is perfectly fine for home and lab use.
Internet-facing, publicly accessible machines (such as cloud instances) should continue to the second phase, where valid TLS certificates issued by Letsencrypt replace the self-signed certificates.
When the script reaches this point, choose yes or no:
Would you like to install valid TLS certs using Certbot via
ACME and Letsencrypt?
CAUTION: A FQDN (example: myhost.mydomain.com) with working DNS
is required in order for Letsencrypt to access it via the Internet and
complete the installation process.
Type Yes to continue or No to stop the script:
Choosing No ends the script.
NOTE: This script is located at /opt/Skadi/scripts/install_tls_certs.sh and can be run separately after secure_networking.sh has already been run.
cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/install_tls_certs.sh
There will be questions to answer; provide the requested information to continue:
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
and
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
If the output looks like anything other than this, some troubleshooting is required:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/my.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/my.example.com/privkey.pem
Your cert will expire on 2019-04-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Stopping Nginx Docker
nginx
Updating the /etc/nginx/conf.d/ to use letsencrypt certificates
Staring nginx container
nginx
Nginx Docker container has been restarted and changes applied
Letsencrypt has been used to install valid TLS certificates
- Certificates are stored in /etc/nginx/certs/letsencrypt/live/my.example.com/
For further info on Letsencrypt certs please see: https://letsencrypt.org/
Visit https://my.example.com to verify installation
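As an added example that is not part of the Skadi scripts, the following Python function checks a captured certbot transcript against the expected output shown above: it confirms the http-01 challenge and success marker, extracts the certificate and key paths and verifies they belong to the requested hostname, and reports how many days remain before expiry. The sample transcript is constructed from the README's expected output; a real run would feed it the saved stdout of install_tls_certs.sh.

```python
import re
from datetime import date

# Constructed sample transcript, mirroring the README's expected certbot output.
SAMPLE_OUTPUT = """\
Obtaining a new certificate
http-01 challenge for my.example.com
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
"""

CHALLENGE_RE = re.compile(r"^(?P<type>\S+) challenge for (?P<domain>\S+)$", re.M)
PATH_RE = re.compile(r"/etc/letsencrypt/live/(?P<domain>[^/\s]+)/(?P<file>fullchain|privkey)\.pem")
EXPIRY_RE = re.compile(r"cert will expire on (\d{4}-\d{2}-\d{2})")

def parse_certbot_output(text, today=None):
    """Return (summary, problems); an empty problems list means the run looks healthy."""
    # today: a date, an ISO date string, or None for the current date
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    summary = {"domain": None, "challenge": None, "fullchain": None, "privkey": None,
               "expires": None, "days_left": None}
    problems = []
    m = CHALLENGE_RE.search(text)
    if m:
        summary["domain"], summary["challenge"] = m["domain"], m["type"]
        if m["type"] != "http-01":  # the script relies on webroot http-01 validation
            problems.append(f"unexpected challenge type {m['type']}")
    else:
        problems.append("no ACME challenge line found")
    if "Congratulations!" not in text:
        problems.append("certbot did not report success")
    for pm in PATH_RE.finditer(text):
        summary[pm["file"]] = pm.group(0)
        if summary["domain"] and pm["domain"] != summary["domain"]:
            problems.append(f"certificate path is for {pm['domain']}, not {summary['domain']}")
    for key in ("fullchain", "privkey"):
        if summary[key] is None:
            problems.append(f"{key}.pem path missing from output")
    em = EXPIRY_RE.search(text)
    if em:
        summary["expires"] = date.fromisoformat(em.group(1))
        summary["days_left"] = (summary["expires"] - today).days
        if summary["days_left"] < 30:  # Let's Encrypt certs last 90 days; renew early
            problems.append(f"certificate expires in {summary['days_left']} days; run 'certbot renew'")
    else:
        problems.append("no expiry date found")
    return summary, problems
```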