Commit 49b7a0ff by Adi Amir

update knowledgebase

parent 92eb52dc
NOTES:
OBJECTIVE:
- The handling certificate renewal mechansim has changed!
Now, the domains (1.80 and safeyme.com) generates there own certificates using the
linuxserver/letsencrypt image.
currently, the mcx-front-emd.yml runs the "letsencrypt"
which runs the linuxserver/letsencrypt image.
Now, the domains: ipgallery-mcz.com(1.80) and safeyme.com generates there own certificates using the
letsencrypt image (in letsencrypt.yml).
- certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt
- nginx configuration file on domain machine:
/opt/mcz/config-letsencrypt/nginx/site-confs/default
==========================================================================================
To re-generate a new valid certficate on one of the domains(safeyme.com/ipgallery-mcz.com)
==========================================================================================
- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
config file: default.conf is located at: opt/mcx/config/front-end
1. login
> ssh root@ipgallery-mcz.com
- certificate location in nginx default file:
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/letsencrypt//keys/privkey.pem;
2. backup the current certtficate
>cd /opt/mcz
>tar czvf config-letsencrypt-20190616.tar.gz config-letsencrypt
3. stop the frontend
>dc -f mcx-frontend.yml stop
4. generate a new certifcate - run the docker: letsencrypt
>dc -f letsencrypt.yml up
Ctrl+C too stop !
5. restart the system
>./sys-down
>./sys-up
6. browse to: https://ipgallery-mcz.com/control/app/main/control.html
and verify that the sites is loaded without any certificate issue.
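Review bot: the two certificate paths quoted under step 1 do not point at the same directory: `ssl_certificate /config/keys/letsencrypt/fullchain.pem;` but `ssl_certificate_key /config/letsencrypt//keys/privkey.pem;` (directory order swapped, doubled slash). Both files are written to the same keys directory by the letsencrypt image, so one of these lines is wrong and nginx will refuse to start with a missing key or a key/certificate mismatch after renewal; please correct whichever path does not match the real `site-confs/default`. Two smaller points in the same procedure: the backup archive made in step 2 contains `privkey.pem`, so it should be created with a restrictive umask and deleted once step 6 has been verified rather than left in `/opt/mcz`; and step 4 runs `dc -f letsencrypt.yml up` in the foreground and tells the operator to `Ctrl+C`, so it would help to state explicitly that this is a one-shot issuance and that the container is not left running to renew on its own, which is why the "valid for 3 months" note matters.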
NOTES:
- Each renewal is valid for 3 months !!!
- Certificates are generated into /opt/mcz/config-letsencrypt/keys/letsencrypt
- nginx configuration file on domain machine: /opt/mcz/config-letsencrypt/nginx/site-confs/default
- install a certifcate on a sub-domain:
1. copy a valid crtificate directory as tar from 1.80 like:
example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.1803.tar.gz root@172.16.1.72/opt/mcz/
2. stop front-end
3. cd /opt/mcz
4. mv config-letsencrypt config-letsencrypt_last
5. tar xvf config-letsencrypt.1803.tar.gz
=================================================================
To update certifcate on one of the subdomain machines (72 or 244)
=================================================================
1. make a tar from a valid config-letsencrypt directory in 1.80: config-letsencrypt.valid-20190616.tar.gz
1. copy a valid crtificate directory as A tar from 1.80.
example: scp root@172.16.1.80:/opt/mcz/config-letsencrypt.valid-20190616.tar.gz root@172.16.1.72/opt/mcz/
2. stop front-end
>dc -f mcx-frontend.yml stop
3. open the new config-letsencrypt (copied from 1.80) under /opt/mcz
>cd /opt/mcz
>mv config-letsencrypt config-letsencrypt_last
>tar xvf config-letsencrypt.1803.tar.gz
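Review bot: the `scp` examples in both sub-domain procedures are missing the colon in the destination: `root@172.16.1.72/opt/mcz/` will be treated as a local path, so the archive never reaches the target machine; it should read `root@172.16.1.72:/opt/mcz/`. The file names are also inconsistent within this section: step 1 creates `config-letsencrypt.valid-20190616.tar.gz` but step 3 extracts `config-letsencrypt.1803.tar.gz`, and the list has two steps numbered 1. Finally, the procedure stops the front-end but never starts it again, and it leaves both the copied archive and `config-letsencrypt_last` (each holding a private key) on the sub-domain host; add the restart step and a cleanup step that removes the archive and the old directory once the new certificate is confirmed.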
- nginx error logs
tailf /tmp/log/error.log
nginx access logs
tailf /tmp/log/access.log
https
NOTES:
- subdomain machines (such as 72 or 244) runs now an nginx image as "front-end"
config file: default.conf is located at: opt/mcx/config/front-end
- certificate location in nginx default file:
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/letsencrypt//keys/privkey.pem;
- all sub-domain should run as front-end the nginx image:
example of ngin configuration in tml:
https
front-end:
image: nginx
environment:
......
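Review bot: the compose fragment at the end is too incomplete to be usable: `environment:` is empty, the block ends in `......`, and the volume mapping that makes `/opt/mcz/config-letsencrypt` appear as `/config` inside the container (which the `ssl_certificate` paths above depend on) is not shown; please paste the actual `front-end` service including its `volumes:` and `ports:` entries. The stray `https` lines and "tml" (yml) look like editing leftovers. Note also that `tailf` has been removed from recent util-linux releases, so the log commands are safer written as `tail -f /tmp/log/error.log` and `tail -f /tmp/log/access.log`.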