Lately I've been following several security blogs to keep up with the state of the art of cryptography standards compliance in browsers. One of them, Charles Engelke's Blog, published a series of posts about getting a Google SaaS up and running with its own SSL certificate. The series consists of:
- Let’s Encrypt on Google Compute Engine
- Creating a Compute Engine Instance
- Setting up Apache Web Server
- Getting a Certificate from Let’s Encrypt
Since my last project, autoinstall, fits this task quite well, I've decided to extend it to accomplish these goals:
- Install and configure a Tomcat server on the default ports 80 and 443, with its manager prepared for remote Maven deploys.
- Install and configure a daemon that renews the Let's Encrypt SSL certificate whenever necessary.
- Install the MySQL 5.5 database.
- Install other tools: ftpd, nmap, tree, etc.
So, the steps to get this running are:
- Buy a domain, or obtain one, but be sure that it allows you to create A records.
- Go to https://console.cloud.google.com/compute, sign up if you haven't done it yet and set up all the payment details. At the time of this writing you can get a 1-year testing period.
- Create a new VM instance; my configuration is Debian 8 with default settings and HTTP/S allowed. I also created SSH keys to log in to the machine directly through a common SSH client, but you can skip this. See Charles Engelke's post for more info.
- Once the new instance is running, go to your DNS maintenance page and create a new A record that points to the public IP of the new instance.
- Log in to the instance, and:
debuti@alien:~$ ssh test.nubuza.com
The authenticity of host 'test.nubuza.com (130.211.193.122)' can't be established.
ECDSA key fingerprint is db:c4:6f:c2:27:5a:b2:10:2b:65:ea:92:20:1a:62:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'test.nubuza.com,130.211.193.122' (ECDSA) to the list of known hosts.
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
debuti@test:~$ sudo su
root@test:/home/debuti# apt-get -y install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
root@test:/home/debuti# git clone https://github.com/debuti/autoinstall
Cloning into 'autoinstall'...
...
root@test:/home/debuti# cd autoinstall/
root@test:/home/debuti/autoinstall# ./src/autoinstall.sh res/repositories/cloud/compute-engine/compute-engine.config
./src/autoinstall.sh: line 30: bc: command not found
./src/autoinstall.sh: line 31: bc: command not found
Retrieving info:
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/expect/latest/expect.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/vsftpd/latest/vsftpd.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/vsftpd/latest/vsftpd.sh preconfigure
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/openssl/latest/openssl.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/authbind/latest/authbind.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/tomcat/8/tomcat.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/tomcat/8/tomcat.sh preconfigure
Tomcat Manager user: admin
Tomcat Manager password: ********
HTTPS cert pwd: ********
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/certbot/latest/certbot.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/certbot/latest/certbot.sh preconfigure
Hostname (just whole dns name, without http and shit): test.nubuza.com
Password for tomcat keystore: ********
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/mysql/5.5/mysql.sh preinstall
Mysql root passwd: ********
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/vim/latest/vim.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/tree/latest/tree.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/ncdu/latest/ncdu.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/nmap/latest/nmap.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/screen/latest/screen.sh preinstall
/home/debuti/autoinstall/res/repositories/cloud/compute-engine/x86_64/debian/8/crontab/latest/crontab.sh preconfigure
Applying actions:
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:expect v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:vsftpd v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:vsftpd v:latest Action:configure[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:openssl v:latest Action:install[FAIL]Unknown error: 236
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:authbind v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:tomcat v:8 Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:tomcat v:8 Action:configure[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:certbot v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:certbot v:latest Action:configure[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:mysql v:5.5 Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:vim v:latest Action:install[FAIL]Unknown error: 236
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:tree v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:ncdu v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:nmap v:latest Action:install[OK]
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:screen v:latest Action:install[FAIL]Unknown error: 236
System:compute-engine Arq:x86_64 OS:debian OSver:8 App:crontab v:latest Action:configure[OK]
root@test:/home/debuti/autoinstall#
There you have it: try to access your instance over HTTP and HTTPS, and test its SSL configuration with the SSL Labs SSL Server Test. If you wish to improve autoinstall, or want to add another standard system, just make a pull request.
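As an added post-install check (my own script, not part of autoinstall or of the original post), the following shell script verifies the two things the steps above set up: that the A record resolves to the instance's public IP, and that the certificate served on port 443 is not yet inside the 30-day window in which Let's Encrypt certificates should be renewed (the same default threshold certbot's renew command uses). It assumes GNU date (for `date -d`), getent and openssl are installed, all of which are on Debian 8; the function names and the sample notAfter value are mine, and the host name and IP from the session above appear only as the usage example.

```shell
#!/bin/sh
# Added post-install check, not part of autoinstall or the original post.
# Assumes GNU date (date -d), getent and openssl, all present on Debian 8.
# All function names here (days_until_expiry, renewal_due, dns_points_to,
# served_not_after, check_host) are my own.

# Whole days between a reference time and a certificate's notAfter date.
#   $1  line as printed by `openssl x509 -noout -enddate`, for example the
#       constructed sample "notAfter=Jun 12 10:00:00 2026 GMT"
#   $2  reference time in epoch seconds (defaults to now)
days_until_expiry() {
  not_after="${1#notAfter=}"
  ref="${2:-$(date -u +%s)}"
  expiry=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (expiry - ref) / 86400 ))
}

# Succeeds (exit 0) when renewal is due: fewer than $2 days remain.
# Let's Encrypt certificates are valid for 90 days; 30 days left is the
# default threshold at which `certbot renew` replaces them.
renewal_due() {
  days="$1"; threshold="${2:-30}"
  [ "$days" -lt "$threshold" ]
}

# Succeeds when the host name resolves (IPv4) to the expected public IP,
# i.e. the A record created in the DNS step above is live.
dns_points_to() {
  getent ahostsv4 "$1" | awk '{print $1}' | grep -qx "$2"
}

# Fetch the certificate served on :443 for $1 and print its notAfter line.
# -servername sends SNI so a virtual-hosted server returns the right cert.
served_not_after() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Full check; usage: ./check_host.sh test.nubuza.com 130.211.193.122
check_host() {
  host="$1"; ip="$2"; status=0
  if dns_points_to "$host" "$ip"; then
    echo "DNS: $host -> $ip OK"
  else
    echo "DNS: $host does not resolve to $ip"; status=1
  fi
  line=$(served_not_after "$host") || { echo "TLS: no certificate from $host:443"; return 1; }
  days=$(days_until_expiry "$line") || { echo "TLS: cannot parse '$line'"; return 1; }
  if renewal_due "$days"; then
    echo "TLS: certificate expires in $days days, renewal due"; status=1
  else
    echo "TLS: certificate valid for $days more days"
  fi
  return "$status"
}

# Only perform the network checks when a host and IP are given on the command line.
if [ "$#" -ge 2 ]; then
  check_host "$1" "$2"
fi
```

Dropping this script into the renewal cron job's log, or running it by hand after `autoinstall.sh` finishes, gives a quick confirmation that the A record, the listener on 443 and the certificate lifetime all line up before handing the host to SSL Labs for the deeper configuration test.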
Till the next one!