OPS345 Lab 5

1,029 bytes added, 02:26, 20 November 2021
You have new mail in /var/mail/root
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.cert.pem
root@p51:/home/andrew# cp /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.privkeykey.pem
root@p51:/home/andrew# chown andrew ~andrew/prog/seneca/ops345/new/keys/asmith15.ops345.ca.privkey.pem*
root@p51:/home/andrew# exit
</source>
* The file /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem is what a CA would send you after you paid them. This one is free, but it expires in 90 days, which is good enough for this course.
* Get Apache to use the key:
** In /etc/httpd/conf/httpd.conf, set ServerName asmith15.ops345.ca:80
** yum install mod_ssl
** Copy the certificate and key to www: scp -P 2211 -i keys/ssh/ops345-all-aws-machines.pem keys/asmith15.ops345.ca.* andrew@34.202.103.43:~
** [root@www andrew]# cp asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
** [root@www andrew]# cp asmith15.ops345.ca.key.pem /etc/pki/tls/private/
** In /etc/httpd/conf.d/ssl.conf, point Apache at the copied files:
*** SSLCertificateFile /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem
*** SSLCertificateKeyFile /etc/pki/tls/private/asmith15.ops345.ca.key.pem
** Restart Apache and confirm there are no errors.
* Edit ops345sgprivate, add https
* Edit ops345sg, add https
* On router: iptables -t nat -I PREROUTING 2 -p tcp --dport 443 -j DNAT --to 10.3.45.11:443
* On www: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
* Test with Firefox over https. The www name gives a warning because the certificate was not issued for that FQDN; fix it for homework.
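A check worth running on www before restarting Apache, as an added example that is not part of the lab page: it verifies that the copied key matches the certificate, that the FQDN is in the certificate's subjectAltName (the reason the www name warns in Firefox), that the 90-day certificate is not about to expire, and that the key file is readable by root only. It assumes the openssl CLI and GNU stat; the paths in the usage comment are the ones the lab copies into /etc/pki/tls/.

```shell
#!/bin/sh
# Added example (not from the lab page): sanity-check the cert/key pair before
# restarting httpd. Assumes GNU stat and the openssl CLI, as on the lab's www VM.
# Usage: check_tls_files.sh FQDN CERT_PEM KEY_PEM [MIN_DAYS]
# Returns 0 when every check passes, 1 otherwise; each failed check is printed.

check_tls_files() {
    fqdn=$1; cert=$2; key=$3; min_days=${4:-30}; rc=0

    # 1. The certificate and the private key must belong together: the public key
    #    inside the certificate must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 2. The browser compares the FQDN against subjectAltName (this is why the
    #    lab's www name warns: the certificate was not issued for that name).
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed 's/^[[:space:]]*//')
    if ! printf '%s\n' "$sans" | grep -qxF "DNS:$fqdn"; then
        echo "FAIL: $fqdn is not in the certificate's subjectAltName"; rc=1
    fi

    # 3. Let's Encrypt certificates live 90 days; fail while there is still
    #    time to renew rather than after browsers start rejecting it.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    # 4. The private key must be readable by root only.
    perms=$(stat -c %a "$key" 2>/dev/null)
    case "$perms" in
        600|400) ;;
        *) echo "FAIL: $key has mode '$perms'; expected 600"; rc=1 ;;
    esac
    return "$rc"
}

# Run directly with the paths from /etc/httpd/conf.d/ssl.conf:
#   sh check_tls_files.sh asmith15.ops345.ca \
#      /etc/pki/tls/certs/asmith15.ops345.ca.cert.pem /etc/pki/tls/private/asmith15.ops345.ca.key.pem
if [ "$#" -ge 3 ]; then
    check_tls_files "$@"
fi
```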