Admin diary - documentation of admin activities

Repaired the wiki's certificates.

Since it is dumb to back up the wiki configuration in the wiki itself, I'll do it here:

root@wiki ~ # cat /etc/apache2/sites-enabled/000-default.conf 
<VirtualHost *:80>
	Redirect permanent /secure https://wiki.freifunk-muensterland.de
	ServerName wiki.freifunk-muensterland.de
	ServerAlias wiki.freifunk-muensterland.org
	ServerAlias wiki.freifunk-muenster.de
	ServerAlias wiki.freifunk-muensterland.net
	ServerAlias wiki.ffmsl.de
	ServerAdmin info@freifunk-muensterland.de


	ErrorLog ${APACHE_LOG_DIR}/error.log
	LogLevel alert rewrite:trace6
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{HTTPS} off [OR]
	RewriteCond %{HTTP:X-Forwarded-Proto} !https
	RewriteRule ^(.*) https://wiki.freifunk-muensterland.de/$1 [NC,R=301,L]
RewriteCond %{SERVER_NAME} =wiki.ffmsl.de [OR]
RewriteCond %{SERVER_NAME} =wiki.freifunk-muensterland.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
root@wiki ~ # cat /etc/apache2/sites-enabled/001-default-le-ssl.conf 
Protocols h2 http/1.1
<IfModule mod_ssl.c>
SSLSessionCache memcache:127.0.0.1:11211
<VirtualHost *:443>
	Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
	SSLProxyEngine on
	SSLProxyVerify none
	SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
	ServerAdmin iotter@mac.com
#	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	LogLevel info 


	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined


	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	SSLCertificateFile /etc/letsencrypt/live/hc.infrastruktur.ms/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/hc.infrastruktur.ms/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	ServerName hc.infrastruktur.ms

        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
	Header set Host hc.infrastruktur.ms

	SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyPass / https://hc.infrastruktur.ms/
        ProxyPassReverse / https://hc.infrastruktur.ms/
        
</VirtualHost>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

The certbot-auto from https://dl.eff.org/certbot-auto is in the /root folder. It also has a cron job:

# Certbot-Auto
# The command is unquoted: cron hands it to /bin/sh, which would treat a quoted string as one program name
27 5 * * * /root/certbot-auto -n renew

All TLDs should work now.

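An added check, not part of the original post or of the server's tooling: the :443 vhost above sets SSLProxyVerify none and switches off the peer name and expiry checks, so the proxy accepts any certificate the backend presents. This Python script flags those directives in an Apache config; the *:8443 vhost, backend.example and the commented-out line in the sample are constructed.

```python
import re

# Constructed sample: proxy lines of the :443 vhost from the post, plus a
# hypothetical second vhost (*:8443, backend.example) that relies on defaults.
SAMPLE = """\
<VirtualHost *:443>
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    #SSLProxyCheckPeerExpire on
    SSLProxyCheckPeerExpire off
    ProxyPass / https://hc.infrastruktur.ms/
</VirtualHost>
<VirtualHost *:8443>
    SSLProxyEngine on
    ProxyPass / https://backend.example/
</VirtualHost>
"""

# Directive (lower case) -> values that switch off a check of the backend certificate.
WEAK = {
    "sslproxyverify": {"none", "optional", "optional_no_ca"},
    "sslproxycheckpeercn": {"off"},
    "sslproxycheckpeername": {"off"},
    "sslproxycheckpeerexpire": {"off"},
}

def audit(conf_text):
    """Return (vhost, line_no, message) for every weakened proxy TLS setting."""
    findings, vhost, seen = [], "global", {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments configure nothing
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif line.lower().startswith("</virtualhost"):
            # SSLProxyVerify defaults to "none": an enabled engine needs it set explicitly.
            if seen.get("sslproxyengine") == "on" and "sslproxyverify" not in seen:
                findings.append((vhost, no, "SSLProxyEngine on, SSLProxyVerify unset (default none)"))
            vhost, seen = "global", {}
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            seen[name.lower()] = value.lower()
            if value.lower() in WEAK.get(name.lower(), ()):
                findings.append((vhost, no, f"{name} {value}"))
    return findings
```

Calling `audit(open(path).read())` on a vhost file returns one tuple per finding; an empty list means every proxying vhost sets `SSLProxyVerify require` and leaves the peer checks on.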