
SSL for inphoproject.org

Jaimie Murdock edited this page Jul 25, 2018 · 1 revision

https://inphoproject.org uses a Let's Encrypt domain-validated (DV) certificate: it proves control of the domain name at issuance time and nothing more.

Downloading certbot

cd /var/inpho/bin

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto is the self-updating wrapper script that was current when this page was written; the Certbot project has since retired it, so a fresh install today should use the distribution's certbot package instead. The rest of the procedure is unchanged.

Verifying certbot

Before running the script as root, verify the download's GPG signature against the EFF signing key, following the instructions on the certbot site. Without that check the only thing vouching for a script that will run as root is the TLS connection it was fetched over.

Running certbot-auto on Amazon Linux

certbot-auto certonly --standalone -d inphoproject.org --debug
certbot-auto certonly --standalone -d www.inphoproject.org --debug

--debug is required because certbot-auto's Amazon Linux support was experimental. --standalone starts certbot's own temporary web server on port 80 to answer the http-01 challenge, so nginx (or anything else bound to port 80) must be stopped while these commands run. Running them separately produces two certificates under /etc/letsencrypt/live/, one per name, which is why the nginx configuration below carries two ssl_certificate pairs.

The registration e-mail (Let's Encrypt sends expiry warnings there) is [email protected].

Installation of keys (generic)

sudo cp /etc/nginx/sites-available/inphosite.conf /tmp/inphosite.conf.bak

Edit /etc/nginx/sites-available/inphosite.conf:

server {
    listen 443 ssl;

    # ... server_name, locations, etc.

    # /etc/letsencrypt/live/<name>/ holds symlinks to the current certificate, so a
    # reload after renewal picks up the new files. fullchain.pem is the leaf plus the
    # intermediate(s); privkey.pem must stay readable by root only.
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them as soon as client support allows
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
}

Protecting against Weak DH

Weak DH (the Logjam problem) is a server offering DHE key exchange with a small or widely shared Diffie-Hellman group. It is easy to avoid by generating a group of your own of at least 2048 bits. The default nginx configuration shipped on Amazon Linux recommends the following (generation can take several minutes):

sudo mkdir -p /etc/pki/nginx
sudo openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048

Add to the ssl params in inphosite.conf:

ssl_dhparam "/etc/pki/nginx/dhparams.pem";

Installation of keys (specific)

sudo cp /etc/nginx/sites-available/inphosite.conf /tmp/inphosite.conf.bak

Edit /etc/nginx/sites-available/inphosite.conf:

# sep-topics and fallback
# Note: the primary upstream is reached over plain HTTP across the network, so the
# TLS termination below does not protect that hop; only the backup socket is local.
upstream topics {
    server 18.217.162.96:8000;
    server unix:/var/inpho/topics.sock backup;
}

# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name inphoproject.org www.inphoproject.org;

    return 301 https://$host$request_uri;
}

# SSL redirect for inphoproject.org -> www.inphoproject.org
# (needs its own certificate: the redirect is only sent after the TLS handshake)
server {
    listen 443 ssl;
    server_name inphoproject.org;

    ssl_certificate "/etc/letsencrypt/live/inphoproject.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/inphoproject.org/privkey.pem";

    include /etc/nginx/includes/default-ssl-prefs;

    return 301 https://www.inphoproject.org$request_uri;
}

# SSL Certs for www.inphoproject.org
server {
    listen 443 ssl;
    server_name www.inphoproject.org;

    ssl_certificate "/etc/letsencrypt/live/www.inphoproject.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.inphoproject.org/privkey.pem";

    include /etc/nginx/includes/default-ssl-prefs;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /topics/sep/ {
        access_log off;
        log_not_found off;
        include proxy_params;
        proxy_pass http://topics/;
    }

    # serve static files from /var/inpho/www first, otherwise hand off to the app socket
    root /var/inpho/www;
    location / {
        try_files $uri @proxy;
    }
    location @proxy {
        include proxy_params;
        proxy_pass http://unix:/var/inpho/inphosite.sock;
    }
}

Create an includes directory:

sudo mkdir -p /etc/nginx/includes

Add a shared config for ssl settings (`/etc/nginx/includes/default-ssl-prefs`), included by every `listen 443 ssl` server block above so the protocol and cipher policy is maintained in one place:

ssl_dhparam "/etc/pki/nginx/dhparams.pem";

ssl_session_cache shared:SSL:1m;
ssl_session_timeout  10m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them as soon as client support allows
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
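To check that an include like this one (or the generic server block under "Installation of keys (generic)") actually applies the policy this page describes, here is an added example that is not part of the original wiki page or of the inpho project's own code: a POSIX shell audit that reads an nginx TLS settings file, flags legacy protocol versions, a missing ssl_dhparam and dropped cipher exclusions, and prints a hardened replacement that keeps the page's cipher list but offers only TLS 1.2. It goes a little beyond the page by also checking for SSLv2/SSLv3 and by checking each exclusion token separately. The sample input is a constructed copy of the include above with its ssl_dhparam line removed; the dhparam path handed to hardened_ssl_prefs is the one from this page.

```shell
#!/bin/sh
# Added example (not from the inphoproject wiki): audit an nginx TLS settings
# file such as /etc/nginx/includes/default-ssl-prefs for the weak settings
# discussed on this page, and print a hardened replacement.
# Needs only sh, sed, grep, tr and mktemp.

# directive_value NAME FILE: value of the first "NAME value;" line, quotes stripped
# (ssl_protocols -> "TLSv1 TLSv1.1 TLSv1.2", ssl_dhparam -> the path, ...).
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*/\1/p" "$2" | head -n 1 | tr -d '"'
}

# audit_ssl_prefs FILE: print one WARN line per weak setting; exit 0 only if clean.
audit_ssl_prefs() {
    file=$1
    n=0

    # 1. Protocol versions. TLS 1.0/1.1 are retired by RFC 8996; SSLv2/v3 are long
    #    dead. grep -xF matches whole tokens, so "TLSv1" does not also flag TLSv1.2.
    protos=$(directive_value ssl_protocols "$file")
    if [ -z "$protos" ]; then
        echo "WARN: no ssl_protocols directive (nginx before 1.23.4 then enables TLSv1)"
        n=$((n + 1))
    fi
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if printf '%s\n' "$protos" | tr -s '[:space:]' '\n' | grep -qxF "$p"; then
            echo "WARN: deprecated protocol $p enabled"
            n=$((n + 1))
        fi
    done

    # 2. Weak DH. Without ssl_dhparam, nginx before 1.11.0 used a built-in
    #    1024-bit group (Logjam); 1.11.0 and later silently disable DHE instead.
    if [ -z "$(directive_value ssl_dhparam "$file")" ]; then
        echo "WARN: no ssl_dhparam (built-in 1024-bit group, or no DHE at all)"
        n=$((n + 1))
    fi

    # 3. Cipher list hygiene: each exclusion from the page's list must still be
    #    present as its own token in the OpenSSL cipher string.
    ciphers=$(directive_value ssl_ciphers "$file")
    for bad in aNULL eNULL EXPORT DES RC4 MD5; do
        case ":$ciphers:" in
            *":!$bad:"*) ;;
            *) echo "WARN: ssl_ciphers no longer excludes $bad"; n=$((n + 1)) ;;
        esac
    done

    [ "$n" -eq 0 ]
}

# hardened_ssl_prefs DHPARAM_PATH: the page's include with only TLS 1.2 offered.
# Add TLSv1.3 once nginx >= 1.13 is built against OpenSSL 1.1.1.
hardened_ssl_prefs() {
    cat <<EOF
ssl_dhparam "$1";

ssl_session_cache shared:SSL:1m;
ssl_session_timeout  10m;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
EOF
}

# Constructed sample input: the include from this page, minus its ssl_dhparam line.
sample_weak_prefs() {
    cat <<'EOF'
ssl_session_cache shared:SSL:1m;
ssl_session_timeout  10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
EOF
}

# Demo: audit the constructed sample (expected findings: TLSv1, TLSv1.1 and the
# missing ssl_dhparam), then print the hardened include for the page's dhparam path.
tmp=$(mktemp)
sample_weak_prefs > "$tmp"
echo "== audit of constructed weak include =="
audit_ssl_prefs "$tmp" || echo "== not clean =="
echo "== hardened replacement =="
hardened_ssl_prefs /etc/pki/nginx/dhparams.pem
rm -f "$tmp"
```

Point audit_ssl_prefs at the real include (or at a whole server block; it only looks at the ssl_* directives) after every change, and keep in mind that it checks what is configured, not what nginx negotiates: an nginx built against an old OpenSSL can still fall short of the policy, so confirm with an external scanner after `nginx -t` and a reload.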

See Also

https://coderwall.com/p/e7gzbq/https-with-certbot-for-nginx-on-amazon-linux

Configure auto-renewal

sudo su
crontab -e

crontab for root should be:

# min hr    day mon dow
27    0,12  *   *   *   /var/inpho/bin/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

The minute is arbitrary; running renew twice a day is what certbot recommends, and it only replaces certificates that are within 30 days of expiry, so the job is cheap. Because the certificates were issued with --standalone, certbot binds port 80 itself at renewal time, so nginx has to be stopped around the run: the --pre-hook and --post-hook above do that, and they only fire when a certificate is actually due. Restarting nginx also makes it pick up the renewed files. Check the whole setup with /var/inpho/bin/certbot-auto renew --dry-run before relying on the cron entry.