Login/password for demo TDS: boss:bossadmin
In this example we configure a Let's Encrypt SSL/TLS certificate for a TDS running behind nginx. We use mytds.com and www.mytds.com as the TDS domain names; change them to your own. The steps were tested on CentOS 7.5 and Debian 9.7; other distributions and versions may differ in small details, but nothing serious. This guide assumes a fresh VPS or server without Apache, a firewall, or other unnecessary packages. If a firewall is running, ports 80 and 443 must be reachable from the internet: Let's Encrypt validates the domain with an http-01 challenge served on port 80, and the TDS will answer on 443.
When you are done, the TDS will be served over HTTPS and the certificate will be renewed automatically as it approaches its expiration date.
- Install the TDS behind nginx without SSL. Refer to the manual at http://bosstds.com/setup_easy/ (Installing BossTDS).
We are not going to copy everything from that manual, so just follow it (or contact our support) and make sure everything works on http://yourtds.com, without a port number. Do not proceed with the next steps before you have it working.
-
Now we need to install the Let's Encrypt tools (certbot with its nginx plugin).
Centos 7.5:
yum install epel-release
yum -y install certbot-nginx
Debian 9.7:
echo 'deb http://deb.debian.org/debian stretch-backports main contrib non-free' | tee /etc/apt/sources.list.d/backports.list
apt-get update
apt install python-certbot-nginx -t stretch-backports -y
-
Generate the Let's Encrypt config and certificates for your domain:
certbot --nginx -d mytds.com -d www.mytds.com
You'll be asked a number of questions. The transcript below shows them together with the answers typed at each prompt: the email address, A, N and 1. The last question matters for security. Answer 1 leaves the TDS reachable over plain HTTP as well as HTTPS; answer 2 makes nginx redirect every HTTP request to HTTPS. We answer 1 here so the HTTP setup from step 1 keeps working while you verify HTTPS; once HTTPS works, rerun certbot --nginx and choose 2 (or add the redirect to the nginx server block yourself) so that TDS traffic is not served in cleartext.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): zzz@yahoo.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mytds.com
http-01 challenge for www.mytds.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bosstds.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bosstds.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mytds.com and https://www.mytds.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mytds.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mytds.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/mytds.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/mytds.com/privkey.pem
Your cert will expire on 2019-06-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note that privkey.pem under /etc/letsencrypt/live is the private key of your TDS: keep /etc/letsencrypt readable by root only and treat any backup of it as a secret, not as an ordinary config backup. The SSL Labs test linked in the output is worth running once HTTPS is up.
-
Restart nginx with
systemctl restart nginx
The TDS should now work on the https domain. If it doesn't, something went wrong and the next steps would be useless; check /var/log/letsencrypt/letsencrypt.log and the nginx error log before continuing.
-
Now we need to set up autorenewal.
Let's Encrypt certificates are valid for only 90 days. A daily cron job checks whether a certificate is close to expiry and renews it automatically; certbot renew only contacts Let's Encrypt for certificates that are inside its renewal window, so running it every day is cheap.
Execute:
crontab -e
Insert this row into the opened file:
0 3 * * * /usr/bin/certbot renew --quiet
Save and quit.
If you have problems with the crontab editor (it is the infamous vim by default on CentOS), use the following keystrokes after the editor opens:
i (or the Insert key, to enter insert mode)
[paste the row above]
ESC
:wq
ENTER
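As an added example (not part of the BossTDS guide), here are the checks a practitioner would run before trusting the cron job from the last step: the script reads the expiry date from the certificate certbot installed, computes the remaining days against certbot's default 30-day renewal window, performs a certbot renew --dry-run so that a broken renewal path is found now rather than at expiry, and shows the renewal command with an explicit nginx reload hook. The domain name, the /etc/letsencrypt/live path and the 30-day threshold are assumptions taken from the guide's output; the script expects GNU date, openssl and certbot on the TDS host (the date arithmetic alone runs anywhere with GNU coreutils).

```shell
#!/bin/sh
# Added example, not from the BossTDS guide: post-install checks for the
# Let's Encrypt certificate and a cron-safe renewal command.
# Assumptions: GNU coreutils `date` (for `date -d`), openssl and certbot on
# the host; DOMAIN, LIVE_DIR and RENEW_DAYS are placeholders from the guide.

DOMAIN="${DOMAIN:-mytds.com}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
RENEW_DAYS=30   # certbot's default renew_before_expiry window

# days_until_expiry NOTAFTER [NOW_EPOCH]
# NOTAFTER is the string openssl prints after "notAfter=", e.g.
# "Jun 16 00:00:00 2019 GMT". Prints whole days left (negative if expired).
days_until_expiry() {
    not_after="$1"
    now="${2:-$(date -u +%s)}"
    exp=$(date -u -d "$not_after" +%s) || return 1
    printf '%s\n' "$(( (exp - now) / 86400 ))"
}

# needs_renewal NOTAFTER [NOW_EPOCH]: exit 0 if inside the renewal window
# (this is the same decision certbot renew makes, so it predicts what the
# cron job will do on a given day)
needs_renewal() {
    days=$(days_until_expiry "$1" "$2") || return 1
    [ "$days" -le "$RENEW_DAYS" ]
}

# cert_not_after FILE: read the notAfter date from a PEM certificate
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# renew_command: the command for the crontab row. --deploy-hook runs only
# when a certificate was actually renewed and reloads nginx so the new
# certificate is served immediately.
renew_command() {
    echo "/usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
}

main() {
    cert="$LIVE_DIR/fullchain.pem"
    if [ ! -r "$cert" ]; then
        echo "no certificate at $cert; run certbot --nginx first" >&2
        exit 1
    fi
    not_after=$(cert_not_after "$cert")
    days=$(days_until_expiry "$not_after")
    echo "$DOMAIN expires in $days days ($not_after)"
    # Prove the renewal path works before relying on cron (uses the staging CA,
    # so it does not consume rate limits or touch the live certificate).
    certbot renew --dry-run || {
        echo "dry-run failed; fix this before trusting the cron job" >&2
        exit 1
    }
    if needs_renewal "$not_after"; then
        eval "$(renew_command)"
    fi
}

# Run the checks only when invoked as `sh check_tds_cert.sh run`, so the
# functions can also be sourced from other scripts.
case "${1:-}" in run) main ;; esac
```

Save it as check_tds_cert.sh and run sh check_tds_cert.sh run as root on the TDS host. Before adding the crontab row, also check whether the certbot package already installed its own systemd timer or /etc/cron.d entry, so that renewal does not run twice a day.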