Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

NGINX certbot ssl

NGINX Server Blocks

All done as root

Install Certbot

snap install core; sudo snap refresh core

snap install --classic certbot
certbot 2.7.0 from Certbot Project (certbot-eff✓) installed

ln -s /snap/bin/certbot /usr/bin/certbot

Verify server_name

grep server_name /etc/nginx/sites-available/grimoire.jamesfraze.com.conf
   server_name grimoire.jamesfraze.com;

Verify DNS Records

https://dnschecker.org/#A/grimoire.jamesfraze.com

The A (and any AAAA) record must resolve to this server's public address, and port 80 must be reachable from the internet: certbot --nginx validates the domain with the HTTP-01 challenge, so a record pointing elsewhere or a firewall on 80 makes the request fail.

Validate Configs

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Request Certificate

certbot --nginx -d grimoire.jamesfraze.com

(The transcript below was captured from a run for hosts.jamesfraze.com; the prompts and output are the same for any host.)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): james@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for hosts.jamesfraze.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/hosts.jamesfraze.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/hosts.jamesfraze.com/privkey.pem
This certificate expires on 2024-01-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for hosts.jamesfraze.com to /etc/nginx/sites-enabled/hosts.jamesfraze.com.conf
Congratulations! You have successfully enabled HTTPS on https://hosts.jamesfraze.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Verify Renewal Timer

systemctl status snap.certbot.renew.service

○ snap.certbot.renew.service - Service for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
     Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer

"inactive (dead)" is expected here: the service is a one-shot started by snap.certbot.renew.timer on its schedule and exits when the renewal check finishes. The line to care about is TriggeredBy, which confirms the timer is wired up.

Test Renewal

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hosts.jamesfraze.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for hosts.jamesfraze.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/hosts.jamesfraze.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot TLS Options

The protocols and ciphers used by the new HTTPS server block come from the include certbot added:

 /etc/letsencrypt/options-ssl-nginx.conf

Certbot owns this file and refreshes it when its defaults change; local edits are detected and stop those updates, so put any custom ssl_* directives in your own server block instead.

Verify Redirection

Expect a 301 with a Location header pointing at https://. Note that -I prints the response headers on stdout and -v prints them again on stderr, so every header shows up twice below; curl -sI alone is enough for the check. Also note the connection goes to 127.0.1.1, i.e. the name resolved via /etc/hosts on the box itself, so this tests the nginx redirect, not public DNS.

curl -sIv http://grimoire.jamesfraze.com
*   Trying 127.0.1.1:80...
* Connected to hosts.jamesfraze.com (127.0.1.1) port 80 (#0)
> HEAD / HTTP/1.1
> Host: hosts.jamesfraze.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx
Server: nginx
< Date: Thu, 05 Oct 2023 16:52:00 GMT
Date: Thu, 05 Oct 2023 16:52:00 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 162
Content-Length: 162
< Connection: keep-alive
Connection: keep-alive
< Location: https://hosts.jamesfraze.com/
Location: https://hosts.jamesfraze.com/

<
* Connection #0 to host hosts.jamesfraze.com left intact
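As an added example (not from these notes or from the Certbot project), a small POSIX shell audit of what the steps above should leave behind: the directives certbot --nginx writes into the server block, the HTTP to HTTPS 301, and the ssl_protocols line in options-ssl-nginx.conf. The sample server blocks and options files are constructed inline to match certbot's usual "# managed by Certbot" output; the hostname and paths are the ones used above, and on a real host you would point the functions at /etc/nginx/sites-enabled/<host>.conf and /etc/letsencrypt/options-ssl-nginx.conf.

```shell
#!/bin/sh
# Added example, not part of the original notes: offline audit of an nginx
# server block and the certbot TLS options file after `certbot --nginx`.
# Sample files below are constructed for the demo.

# Directives certbot's nginx plugin writes for HOST ($1), one per line.
required_directives() {
  host=$1
  printf '%s\n' \
    "listen 443 ssl" \
    "ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem" \
    "ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem" \
    "include /etc/letsencrypt/options-ssl-nginx.conf" \
    "ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem" \
    "return 301 https://"
}

# check_tls_block FILE HOST: print each missing directive; succeed only if none is missing.
check_tls_block() {
  missing=$(required_directives "$2" | while IFS= read -r d; do
    grep -qF -- "$d" "$1" || printf 'MISSING: %s\n' "$d"
  done)
  if [ -z "$missing" ]; then
    return 0
  fi
  printf '%s\n' "$missing"
  return 1
}

# check_protocols OPTIONS_FILE: fail if ssl_protocols is absent or still allows TLSv1/TLSv1.1.
check_protocols() {
  line=$(grep -E '^[[:space:]]*ssl_protocols' "$1" || true)
  if [ -z "$line" ]; then
    echo "MISSING: ssl_protocols"
    return 1
  fi
  # "TLSv1" or "TLSv1.1" followed by anything but another version digit/dot,
  # so TLSv1.2 and TLSv1.3 do not match.
  if printf '%s\n' "$line" | grep -Eq 'TLSv1(\.1)?([^.0-9]|$)'; then
    printf 'WEAK: %s\n' "$line"
    return 1
  fi
  return 0
}

# Constructed sample: server block for HOST ($2) as certbot --nginx typically rewrites it.
write_sample_after_certbot() {
  cat >"$1" <<EOF
server {
    server_name $2;
    root /var/www/$2;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/$2/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if (\$host = $2) {
        return 301 https://\$host\$request_uri;
    } # managed by Certbot

    listen 80;
    server_name $2;
    return 404; # managed by Certbot
}
EOF
}

# Constructed sample: the plain port-80 block from before certbot ran.
write_sample_before_certbot() {
  cat >"$1" <<EOF
server {
    listen 80;
    server_name $2;
    root /var/www/$2;
}
EOF
}

# Demo on constructed files; on a real host substitute the paths under /etc.
tmp=$(mktemp -d)
write_sample_after_certbot "$tmp/good.conf" grimoire.jamesfraze.com
write_sample_before_certbot "$tmp/bad.conf" grimoire.jamesfraze.com
printf 'ssl_protocols TLSv1.2 TLSv1.3;\n' >"$tmp/good-opts.conf"
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' >"$tmp/weak-opts.conf"

check_tls_block "$tmp/good.conf" grimoire.jamesfraze.com && echo "good.conf: OK"
check_tls_block "$tmp/bad.conf" grimoire.jamesfraze.com || echo "bad.conf: not yet TLS-enabled"
check_protocols "$tmp/good-opts.conf" && echo "good-opts.conf: OK"
check_protocols "$tmp/weak-opts.conf" || echo "weak-opts.conf: fix before go-live"
rm -rf "$tmp"
```

The directive list is a fixed-string match, so it tolerates certbot's trailing "# managed by Certbot" comments and any indentation; the protocol check only looks at the options file because that is where certbot puts ssl_protocols, not in the server block itself.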