PageRenderTime 39ms CodeModel.GetById 14ms RepoModel.GetById 0ms app.codeStats 0ms

/README.md

https://gitlab.com/aegir/hosting_https
Markdown | 82 lines | 54 code | 28 blank | 0 comment | 0 complexity | 68909b726bdb51ce0cfa1168499e5562 MD5 | raw file
    

  1. # Aegir HTTPS
    2. 

  2. 

  3. This module enables HTTPS support for sites within the [Aegir Hosting System](http://www.aegirproject.org/) using certificate management services such as [Let's Encrypt](https://letsencrypt.org/), whose support is included.
    4. 

  4. 

  5. It provides a cleaner, more sustainable and more extensible implementation that what's currently offered in Aegir SSL within Aegir core, and doesn't require workarounds such as [hosting_le](https://github.com/omega8cc/hosting_le).
    6. 

  6. 

  7. ## Requirements
    8. 

  8. 

  9. 1. Aegir 3.9+ or the patch from [Remove 'node_access' check from default hosting_get_servers() calls](https://www.drupal.org/node/2824329#comment-11772591).  See [hosting_certificate_prevent_orphaned_services() causing recursive/loop cache rebuild](https://gitlab.com/aegir/hosting_https/issues/7) for details.
    10. 

  10. 2. If you're running the Nginx Web server and would like to use Let's Encrypt certificates, be sure to prevent Nginx's default configuration from running.  Otherwise, it will prevent this server configuration from allowing access to the challenge directory.
    11. 

  11.     * `sudo rm /etc/nginx/sites-enabled/default`
    12. 

  12. 3. By using the LetsEncrypt submodule you accept the terms of service from [LetsEncrypt](https://acme-v01.api.letsencrypt.org/terms)
    13. 

  13. 4. To get a LetsEncrypt certificate all your site's aliases need to be resolvable in the global DNS.
    14. 

    15. 

  15. ## Architecture
    16. 

  16. 

  17. This module is build up of several sub-modules that let the user choose between Apache and Nginx, and between certificate services.
    18. 

  18. Certificates are generated on the hostmaster server and pushed out to (cluster) slaves.
    19. 

  19. For the LetsEncrypt submodule also the well-known/acme-challenge files are synced out to the slave server for validation.
    20. 

  20. 

  21. 

  22. ## Installation
    23. 

  23. 

  24. 1. Cleanup old SSL usage.
    25. 

  25.     * Check that the hostmaster site is not set to Encryption: Required. (e.g. on /hosting/c/hostmaster) to avoid locking yourself out.
    26. 

  26.     * Edit the server nodes(e.g. /hosting/c/server_master) to not use an SSL service.
    27. 

  27.     * Disable any of the SSL modules (including hosting_le) you may have already enabled.
    28. 

  28. 2. Surf to Administration » Hosting » Optional » Aegir HTTPS.
    29. 

  29. 3. Enable at least one certificate service (e.g. Let's Encrypt or Self-signed).
    30. 

  30. 4. Enable at least one Web serrver service (e.g. Apache HTTPS or Nginx HTTPS).
    31. 

  31. 5. Save the configuration.
    32. 

  32. 

  33. ## Server Set-Up
    34. 

  34. 

  35. 1. Surf to the Servers tab.
    36. 

  36. 2. Click on the Web server where you'd like HTTPS enabled.
    37. 

  37. 3. Click on the Edit tab.
    38. 

  38. 4. Under Certificate, choose your desired certificate service (and set any of its additional configuration).
    39. 

  39. 5. Under Web, choose the HTTPS option for your Web server (and set any of its additional configuration).
    40. 

  40. 6. Hit the Save button.
    41. 

  41. 

  42. ## Site Set-Up
    43. 

  43. 

  44. 1. Ensure that there's a DNS entry for the site that you'd like HTTPS enabled (unless already handled by a wildcard entry pointing to your Aegir server).
    45. 

  45. 2. Verify the site if this hasn't been done since the server was set up with the above steps.  This ensures that the site can respond to the certificate authority's challenge.
    46. 

  46. 3. Edit the site.
    47. 

  47. 4. In the HTTPS Settings section, choose either Enabled or Required.
    48. 

  48. 5. Save the form.
    49. 

  49. 6. Repeat these steps for any other sites for which you'd like to enable HTTPS.
    50. 

    51. 

  51. ## Upgrading from site specific installation
    52. 

  52. 

  53. Since 3.14.0 hosting_https is included in the main Aegir distribution.
    54. 

  54. If you installed it earlier in e.g. the sites/example.com/modules then you can get errors when you just remove that old version.
    55. 

  55. To avoid these you have to manually fix the paths in /var/aegir/.drush/drushrc.php to point to the profile version of this module. After that you can verify the hostmaster site.
    56. 

  56. 

  57. ## Certificate Renewals
    58. 

  58. 

  59. For the Let's Encrypt certificate service, this should get done automatically via the Let's Encrypt queue. It will run a Verify task on each site every week as site verification is where certificates get renewed if needed. The seven-day default was chosen to match the CA's [rate limits](https://letsencrypt.org/docs/rate-limits/).
    60. 

    61. 

  61. ## Forcing Certificate Regeneration
    62. 

  62. 

  63. If you'd like to force a site's certificate regeneration, perhaps because you just changed the Web server configuration from Staging to Production, you can use this Drush command:
    64. 

  64. 

  65. `drush @site1.example.com letsencrypt-force-key-regenerate`
    66. 

  66. 

  67. If the new certificate isn't immediately available afterwards, you'll also have to Verify the site.  This is generally required for Hostmaster, the Aegir site itself.
    68. 

  68. 

  69. ## Known Issues
    70. 

  70. 

  71. See [the issue queue](https://www.drupal.org/project/issues/hosting_https).
    72. 

  72. 

  73. ## Troubleshooting
    74. 

  74. 

  75. If you notice that the certificate generation fails you can check the Aegir 'Verify' task logs for details.
    76. 

  76. See also http://docs.aegirproject.org for more generic help.
    77. 

  77. 

  78. ### Test the challenge directory
    79. 

  79. 

  80. Create a file e.g. called `index.html` in `/var/aegir/config/letsencrypt.d/well-known/acme-challenge/` and test if you can access it over http via http://www.example.com/.well-known/acme-challenge/index.html
    81. 

  81. 

  82. If your request is redirected to a *https* url then that could pose a problem when the certificate there is either invalid or expired. Try to remove the redirects.
    83. 

  83.