Update deployment.md with certbot acme-challenge
This commit is contained in:
parent
583bd81976
commit
794a8f9755
@ -76,10 +76,10 @@ proxying](https://en.wikipedia.org/wiki/Reverse_proxy).
Two bits of rationale:
1) People usually want to have more than one site on their server. Put differently, we could
1. People usually want to have more than one site on their server. Put differently, we could
have [LetsEncrypt](https://letsencrypt.org/) inside the go-ssb-room server but it would have to
listen on port :443—blocking the use of other domains on the same IP. 2) Listening on :443 can
be pretty annoying (you might need root privileges or similar capabilities).
listen on port :443—blocking the use of other domains on the same IP.
2. Listening on :443 can be pretty annoying (you might need root privileges or similar capabilities).
go-ssb-room needs three headers to function properly, which need to be forwarded by the
webserver.
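Review bot: the continuation lines of item 1 (`have [LetsEncrypt](https://letsencrypt.org/) inside ...` and `listen on port :443—blocking ...`) start at column 0 under a `1. ` marker; Markdown accepts them as lazy continuation, but indenting them by three spaces makes the list structure explicit, and item 2, now a single line of just over 100 characters, should be wrapped to match the roughly 100-column width used by the surrounding paragraphs. Replacing the in-sentence `2)` with a real `2.` list item is the right fix for the old run-on rationale.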
@ -95,6 +95,22 @@ follow the steps in [this
article](https://medium.com/@alitou/getting-a-wildcard-ssl-certificate-using-certbot-and-deploy-on-nginx-15b8ffa34157),
which uses the [certbot](https://certbot.eff.org/) utility.
For example, to get a wildcard SSL certificate for `hermies.club`, we typically run
```
certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns-01 \
-d 'hermies.club' -d '*.hermies.club'
```
(Replace `hermies.club` with your room's domain, of course)
`certbot` will tell you to update TXT DNS records with the key `_acme-challenge.hermies.club` but be
carefully with your DNS provider because you may have to input just `_acme-challenge` since the rest
is often added automatically by your provider.
When the process is complete with `certbot`, restart your server, e.g. `systemctl restart nginx`.
## Enable TCP ports
For your room to fully work the following **TCP** ports need to be allowed:
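Review bot: the `certbot certonly --manual ... --preferred-challenges dns-01` command documented here produces a certificate that cannot be renewed unattended: with `--manual` and no auth hook, `certbot renew` stops and prompts for a fresh `_acme-challenge` TXT record, so the paragraph after the code block should tell operators that they must repeat the DNS step (or switch to a DNS plugin or `--manual-auth-hook`) before the 90-day Let's Encrypt expiry, otherwise the room's TLS silently lapses. Smaller points in the same hunk: `be carefully with your DNS provider` should read `be careful with your DNS provider`; the code fence should carry a language tag (```` ```sh ````); and for nginx a `systemctl reload nginx` is enough to pick up the new certificate without dropping existing connections.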
@ -134,3 +150,4 @@ example (with custom repo location, only needed if you setup your with a custom
```
You can now login in the web-front-end using these credentials
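Review bot: the added sentence `You can now login in the web-front-end using these credentials` should read `You can now log in to the web front-end using these credentials.` (`login` is the noun, `log in` the verb, and the line is missing its terminating period).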