remove lets encrypt dependency

sadnub 2020-10-17 19:48:58 -04:00
parent 892520b463
commit 0524f6bc0b
1 changed files with 41 additions and 19 deletions


@ -129,24 +129,46 @@ fi
echo -ne "${YELLOW}Create a username for meshcentral${NC}: " echo -ne "${YELLOW}Create a username for meshcentral${NC}: "
read meshusername read meshusername
while [[ $letsemail != *[@]*[.]* ]]
do
echo -ne "${YELLOW}Enter a valid email address for let's encrypt renewal notifications and meshcentral${NC}: "
read letsemail
done
print_green 'Getting wildcard cert'
sudo apt install -y software-properties-common sudo apt install -y software-properties-common
sudo apt update sudo apt update
sudo apt install -y certbot sudo apt install -y certbot openssl
sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email until [[ $LETS_ENCRYPT =~ (y|n) ]]; do
while [[ $? -ne 0 ]] echo -ne "${YELLOW}Do you want to generate a Let's Encrypt certificate?[y,n]${NC}: "
do read LETS_ENCRYPT
sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email
done done
if [[ $LETS_ENCRYPT == "y" ]]; then
while [[ $letsemail != *[@]*[.]* ]]
do
echo -ne "${YELLOW}Enter a valid email address for let's encrypt renewal notifications and meshcentral${NC}: "
read letsemail
done
print_green 'Getting wildcard cert'
sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email
while [[ $? -ne 0 ]]
do
sudo certbot certonly --manual -d *.${rootdomain} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns -m ${letsemail} --no-eff-email
done
CERT_PRIV_KEY=/etc/letsencrypt/live/${rootdomain}/privkey.pem
CERT_PUB_KEY=/etc/letsencrypt/live/${rootdomain}/fullchainkey.pem
else
echo -ne "\n${GREEN}We will generate a self-signed certificate for you.${NC}\n"
echo "\n${GREEN}You can replace this certificate later by generating the certificates and editting the nginx configuration\n"
sudo mkdir /certs
sudo mkdir /certs/${rootdomain}
sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out /certs/${rootdomain}/pubkey.pem -keyout /certs/${rootdomain}/privkey.pem -subj "/C=US/ST=Some-State/L=city/O=Internet Widgits Pty Ltd/CN=*.${rootdomain}"
CERT_PRIV_KEY=/certs/${rootdomain}/privkey.pem
CERT_PUB_KEY=/certs/${rootdomain}/pubkey.pem
fi
print_green 'Creating saltapi user' print_green 'Creating saltapi user'
sudo adduser --no-create-home --disabled-password --gecos "" saltapi sudo adduser --no-create-home --disabled-password --gecos "" saltapi
@ -410,8 +432,8 @@ server {
client_max_body_size 300M; client_max_body_size 300M;
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log; access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log;
error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log; error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; ssl_certificate ${CERT_PUB_KEY};
ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; ssl_certificate_key ${CERT_PRIV_KEY};
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
location /static/ { location /static/ {
@ -469,8 +491,8 @@ server {
proxy_send_timeout 330s; proxy_send_timeout 330s;
proxy_read_timeout 330s; proxy_read_timeout 330s;
server_name ${meshdomain}; server_name ${meshdomain};
ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; ssl_certificate ${CERT_PUB_KEY};
ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; ssl_certificate_key ${CERT_PRIV_KEY};
ssl_session_cache shared:WEBSSL:10m; ssl_session_cache shared:WEBSSL:10m;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
@ -716,8 +738,8 @@ server {
access_log /var/log/nginx/frontend-access.log; access_log /var/log/nginx/frontend-access.log;
listen 443 ssl; listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${rootdomain}/fullchain.pem; ssl_certificate ${CERT_PUB_KEY};
ssl_certificate_key /etc/letsencrypt/live/${rootdomain}/privkey.pem; ssl_certificate_key ${CERT_PRIV_KEY};
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
} }
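Review bot: The Let's Encrypt branch sets `CERT_PUB_KEY=/etc/letsencrypt/live/${rootdomain}/fullchainkey.pem`, but certbot writes `fullchain.pem` (the path the removed nginx lines used), so the three nginx server blocks that now reference `${CERT_PUB_KEY}` will fail to load their certificate; it should read `CERT_PUB_KEY=/etc/letsencrypt/live/${rootdomain}/fullchain.pem`. In the self-signed branch `openssl req -keyout` does not itself restrict the mode of the key file, so under a typical umask `/certs/${rootdomain}/privkey.pem` is likely readable by every local user; add `sudo chmod 600 /certs/${rootdomain}/privkey.pem` after the openssl call, and use `sudo mkdir -p /certs/${rootdomain}` so a re-run does not abort when the directory already exists. The prompt loop `until [[ $LETS_ENCRYPT =~ (y|n) ]]` is unanchored, so any answer containing a y or n (for example "yes" or "any") ends the loop and then fails the `== "y"` comparison and silently takes the self-signed path; anchor it as `until [[ $LETS_ENCRYPT =~ ^[yn]$ ]]; do`. The email prompt still says the address is used for meshcentral, yet `letsemail` is now only read inside the Let's Encrypt branch, so if later code (outside this hunk) uses it for meshcentral it will be empty when the self-signed option is chosen.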