
In this example we configure a Let's Encrypt SSL certificate for a TDS running behind nginx. We use mytds.com and www.mytds.com as the domain names of the TDS; replace them with your own. The commands were tested on CentOS 7.5 and Debian 9.7. Other distributions and versions may differ in details, but nothing serious. This guide assumes a fresh VPS or server: no Apache or other software listening on ports 80 and 443, and no firewall rule blocking those ports from the Internet, because Let's Encrypt validates the domain with an HTTP-01 challenge that it must be able to fetch from your server on port 80.

When you are done, the TDS will be served over HTTPS and the certificate will be renewed automatically before it expires.

  • Install the TDS behind nginx without SSL. Refer to the manual here [http://bosstds.com/setup_easy/] - Installing BossTDS. We are not going to repeat that manual, so follow it (or contact our support) and make sure everything works on http://yourtds.com (no port number in the URL). Do not proceed with the next steps until it does.

  • Now we need to install the Let's Encrypt client (certbot) together with its nginx plugin.

    CentOS 7.5:
    yum install epel-release
    yum -y install certbot-nginx
    Debian 9.7:
    echo 'deb http://deb.debian.org/debian stretch-backports main contrib non-free' | tee /etc/apt/sources.list.d/backports.list
    apt-get update
    apt install python-certbot-nginx -t stretch-backports -y
  • Generate the Let's Encrypt certificates and the nginx configuration for your domains:
    certbot --nginx -d mytds.com -d www.mytds.com
    You'll be asked a number of questions. The transcript below shows the answers we gave: the contact email, A to accept the terms of service, N to the EFF mailing list, and 1 for no redirect (so existing http:// links keep working; choose 2 if every request should be forced onto HTTPS).
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): zzz@yahoo.com
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: N
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mytds.com
    http-01 challenge for www.mytds.com
    Waiting for verification...
    Cleaning up challenges
    Resetting dropped connection: acme-v02.api.letsencrypt.org
    Deploying Certificate to VirtualHost /etc/nginx/conf.d/bosstds.conf
    Deploying Certificate to VirtualHost /etc/nginx/conf.d/bosstds.conf
    
    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://mytds.com and
    https://www.mytds.com
    
    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=mytds.com
    https://www.ssllabs.com/ssltest/analyze.html?d=www.mytds.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/mytds.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/mytds.com/privkey.pem
       Your cert will expire on 2019-06-16. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
            


  • Restart nginx:

    systemctl restart nginx
    The TDS should now answer on https://mytds.com. If it doesn't, something went wrong and the next steps would be useless; fix that first (nginx -t reports configuration errors, and /var/log/letsencrypt/letsencrypt.log records what certbot did).

  • Now we need to set up autorenewal.
    Let's Encrypt certificates are valid for only 90 days. certbot renew checks every certificate it manages and renews those that are within 30 days of expiry, so it is safe to run it daily.
    Execute: crontab -e
    Insert this row into the opened file: 0 3 * * * /usr/bin/certbot renew --quiet
    Save and quit.
    Two checks before you rely on this: the certbot packages on CentOS (EPEL) and Debian may already ship a systemd timer or an /etc/cron.d job that runs certbot renew, so look at systemctl list-timers and /etc/cron.d/ to avoid scheduling the renewal twice; and run certbot renew --dry-run once to confirm that the renewal path works without waiting for the certificate to get close to expiry.
    If you have problems with the crontab editor (it is the infamous vim by default on CentOS), use these keys once the editor is open: press i to enter insert mode, paste the row above, press Esc, type :wq and press Enter.
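The whole procedure above is typed into a shell, so here is an added example (not from the BossTDS documentation or the certbot project) of a renewal runner you can schedule from that crontab row instead of the bare certbot renew line. It assumes GNU date as shipped on CentOS and Debian, nginx managed by systemctl, and the guide's domain mytds.com (override with DOMAIN=...); the script path /usr/local/sbin/le-renew.sh in the usage note is also an assumption. Beyond renewing, it checks the certificate nginx actually serves on port 443 (a renewed file on disk does not help if nginx was never reloaded) and refuses to add a duplicate schedule when a renew job already exists.

```shell
#!/bin/bash
# Added example for this guide (not BossTDS code): a cron-driven renewal
# runner with checks the plain "certbot renew --quiet" line does not give you.
# Assumptions: GNU date (CentOS/Debian), nginx under systemctl, DOMAIN defaults
# to the guide's mytds.com.

DOMAIN="${DOMAIN:-mytds.com}"
WARN_DAYS="${WARN_DAYS:-14}"   # assumption: warn when fewer days than this remain

# days_until_expiry "notAfter=Jun 16 08:08:08 2019 GMT" [now_epoch]
# Parses the line that `openssl x509 -noout -enddate` prints and returns the
# whole days left. The optional second argument lets callers supply a fixed
# "now" instead of the wall clock.
days_until_expiry() {
    local line="$1" now="${2:-$(date -u +%s)}" notafter exp
    notafter="${line#notAfter=}"
    exp=$(date -u -d "$notafter" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# expiry_status DAYS -> ok | warn | expired
expiry_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo warn
    else echo ok
    fi
}

# has_renew_job CRONTAB_TEXT: true if a non-comment line already runs
# `certbot renew` (also matches the `certbot -q renew` form used by the
# distro-installed cron job). Check this before adding a second schedule.
has_renew_job() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*certbot([[:space:]]+-q)?[[:space:]]+renew'
}

# certbot renew only acts on certificates within 30 days of expiry, and
# --deploy-hook runs only when a certificate was actually renewed, so nginx
# is reloaded exactly when the files under /etc/letsencrypt/live change.
renew() {
    /usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload nginx'
}

# Ask nginx for the certificate it serves right now, not the one on disk.
served_expiry_line() {
    printf '' | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
        | openssl x509 -noout -enddate
}

main() {
    renew || echo "certbot renew failed, see /var/log/letsencrypt/letsencrypt.log" >&2
    local line days status
    line=$(served_expiry_line) || { echo "could not fetch certificate from $DOMAIN:443" >&2; exit 2; }
    days=$(days_until_expiry "$line")
    status=$(expiry_status "$days")
    echo "$DOMAIN: $days days left ($status)"
    [ "$status" = ok ]
}

# The live checks run only when invoked as `le-renew.sh --run`, so the
# functions above can be sourced and tested without touching certbot.
if [ "${1:-}" = "--run" ]; then main; fi
```

Save it as /usr/local/sbin/le-renew.sh, run `le-renew.sh --run` once by hand to confirm it reports ok, then schedule it with `0 3 * * * /usr/local/sbin/le-renew.sh --run` in place of the bare certbot line; cron mails the script's non-zero exit and its message to the crontab owner, which is the alert you want when renewal silently stops working.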