Update deployment.md with certbot acme-challenge

This commit is contained in:
André Staltz 2021-10-29 11:22:34 +03:00
parent 583bd81976
commit 794a8f9755
1 changed files with 20 additions and 3 deletions


@ -76,10 +76,10 @@ proxying](https://en.wikipedia.org/wiki/Reverse_proxy).
Two bits of rationale:
1) People usually want to have more than one site on their server. Put differently, we could
1. People usually want to have more than one site on their server. Put differently, we could
have [LetsEncrypt](https://letsencrypt.org/) inside the go-ssb-room server but it would have to
listen on port :443—blocking the use of other domains on the same IP. 2) Listening on :443 can
be pretty annoying (you might need root privileges or similar capabilities).
listen on port :443—blocking the use of other domains on the same IP.
2. Listening on :443 can be pretty annoying (you might need root privileges or similar capabilities).
go-ssb-room needs three headers to function properly, which need to be forwarded by the
webserver.
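Review bot: the paragraph that follows the renumbered list ("go-ssb-room needs three headers to function properly ...") needs a blank line before it; without one, Markdown renderers treat it as a lazy continuation of item "2." and it is rendered inside that list item rather than as its own paragraph. The switch from "1)"/"2)" to "1."/"2." is the right call, since only the dotted form reliably renders as an ordered list; the continuation lines of item 1 ("have [LetsEncrypt](...) inside ...") could also be indented to match, though that is cosmetic.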
@ -95,6 +95,22 @@ follow the steps in [this
article](https://medium.com/@alitou/getting-a-wildcard-ssl-certificate-using-certbot-and-deploy-on-nginx-15b8ffa34157),
which uses the [certbot](https://certbot.eff.org/) utility.
For example, to get a wildcard SSL certificate for `hermies.club`, we typically run
```
certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns-01 \
-d 'hermies.club' -d '*.hermies.club'
```
(Replace `hermies.club` with your room's domain, of course)
`certbot` will tell you to update TXT DNS records with the key `_acme-challenge.hermies.club` but be
carefully with your DNS provider because you may have to input just `_acme-challenge` since the rest
is often added automatically by your provider.
When the process is complete with `certbot`, restart your server, e.g. `systemctl restart nginx`.
## Enable TCP ports
For your room to fully work the following **TCP** ports need to be allowed:
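Review bot: the `certbot certonly --manual ... --preferred-challenges dns-01` command, as written, produces a certificate that `certbot renew` cannot renew unattended, because `--manual` without a `--manual-auth-hook` requires the operator to re-enter the TXT record by hand each time the 90-day certificate expires; the new paragraph should say so, so room admins schedule the renewal (or point to an auth hook for their DNS provider) instead of discovering an expired certificate. Two smaller points in the same hunk: "be carefully with your DNS provider" should read "be careful with your DNS provider", and "restart your server, e.g. `systemctl restart nginx`" is ambiguous between the machine and the web server; "restart your web server" (or `systemctl reload nginx`, which picks up the new certificate without dropping connections) is clearer. The fence around the command has no language tag; "```sh" would give it syntax highlighting.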
@ -134,3 +150,4 @@ example (with custom repo location, only needed if you setup your with a custom
```
You can now login in the web-front-end using these credentials
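Review bot: the trailing context line "You can now login in the web-front-end using these credentials" uses "login" as a verb and lacks a terminating period; "You can now log in to the web front-end using these credentials." is the correct form. This line is unchanged context, so it is fine to leave it for a follow-up, but since the commit already touches this file it is a cheap fix.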