Issues I've encountered: a slightly slower lag in the display; it won't update, just hangs on the first line of the update and never changes. Go over to HTTP and it works without issue.
Pi Star SSL
This is more of a rough draft!
Your mileage may vary!
-- certbot -- setup
Assumes:
- IP address and user:pass known, and the IP set static via a DHCP reservation or otherwise
- NAT port-forwarding know-how
- SSH already prepped, and
- Pi-Star has internet access
- Using Cloudflare (one of the best, most reliable, efficient and cost-effective "free" DNS providers)
HTTPS ports supported by Cloudflare:
443
2053
2083
2087
2096 #<--- Using this port for my setup
8443
Get started
4.1.2 > SSH
Drop into a root shell instead of typing sudo before each command:
sudo -i
rpi-rw
apt-get install certbot python-certbot-nginx
apt-get install python3-certbot-dns-cloudflare
# -p so the parent ~/.secrets is created too (as root, ~ is /root)
mkdir -p ~/.secrets/certbot/
chmod 0700 ~/.secrets/certbot/
# create the file first, then lock it down before putting the key in it
touch ~/.secrets/certbot/cloudflare.ini
chmod 0600 ~/.secrets/certbot/cloudflare.ini
nano ~/.secrets/certbot/cloudflare.ini
Modify the lines below with your info from Cloudflare:
### add below this info ####
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
### add above this info ####
chmod 600 ~/.secrets/certbot/cloudflare.ini
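A quick audit of the credentials file, added here as an example (it is not part of the original post or of Pi-Star). It verifies the directory and file modes the steps above set, then checks that a complete credential set is present. Certbot's dns-cloudflare plugin accepts either the Global API Key plus email pair used above or a single `dns_cloudflare_api_token`; a token scoped to Zone:DNS:Edit on the one zone is the least-privilege choice, because the Global API Key grants full account access if the hotspot is ever compromised. The default path is the one used in the guide; GNU stat (Debian/Raspbian) is assumed, and the owner check is a warning only.

```shell
#!/bin/sh
# Added example: audit the certbot Cloudflare credentials file created above.
# Returns 0 when the directory is 0700, the file is 0600 or 0400, and the
# file holds either a scoped API token or the Global API Key + email pair.
# Non-zero return codes: 1 missing file, 2 bad dir mode, 3 bad file mode,
# 4 incomplete credentials. GNU stat is assumed.

check_cf_secrets() {
    ini="${1:-/root/.secrets/certbot/cloudflare.ini}"   # path used in the guide
    dir=$(dirname "$ini")

    [ -f "$ini" ] || { echo "missing credentials file: $ini" >&2; return 1; }

    dmode=$(stat -c '%a' "$dir")
    fmode=$(stat -c '%a' "$ini")
    owner=$(stat -c '%U' "$ini")

    # The directory must not be listable or enterable by anyone but its owner.
    case "$dmode" in
        700) ;;
        *) echo "$dir is mode $dmode, want 0700" >&2; return 2 ;;
    esac

    # certbot warns about loose modes at every run; catch it before the first run.
    case "$fmode" in
        600|400) ;;
        *) echo "$ini is mode $fmode, want 0600 or 0400" >&2; return 3 ;;
    esac

    # Warning only: certbot (and its cron job) run as root, so root should own this.
    [ "$owner" = root ] || echo "warning: $ini is owned by $owner, certbot runs as root" >&2

    # Scoped token (preferred) or Global API Key + email (what the guide uses).
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "ok: scoped API token configured"
        return 0
    fi
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini" \
       && grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "ok: Global API Key configured (consider a Zone:DNS:Edit token instead)"
        return 0
    fi
    echo "no complete credential set in $ini" >&2
    return 4
}

# Usage on the hotspot (as root): check_cf_secrets /root/.secrets/certbot/cloudflare.ini
```

Run it once after editing the file and again after `rpi-ro`, since the read-only remount does not change the modes but does make it obvious if the file ended up somewhere other than /root.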
http://wiki.pistar.uk/Adding_custom_fir ... to_Pi-Star
nano /root/ipv4.fw
### add below this info ####
# Comments can be added using the hash at the start of a line
# (the two "##" iptables lines are the wiki's NXDN example, left commented out)
# This line adds outgoing access to UDP/41401
## iptables -A OUTPUT -p udp --dport 41401 -j ACCEPT # NXDN Outbound to extra host
# This line adds DSCP marking to this traffic to give it voice priority on the network
# you don't need this but it's a good thing for voice packets
## iptables -t mangle -A POSTROUTING -p udp --dport 41401 -j DSCP --set-dscp 46
# Allow inbound HTTPS on the Cloudflare-supported port chosen above
iptables -A INPUT -m state --state NEW -p tcp --dport 2096 -j ACCEPT
### add above this info ####
Apply the new rules:
pistar-firewall
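The rule above opens TCP/2096 to the whole internet. When the `sub.domain.com` record is proxied through Cloudflare (orange cloud), only Cloudflare's edge ever needs to reach that port, so the ACCEPT can be limited to Cloudflare's published IPv4 ranges (the plain-text list at https://www.cloudflare.com/ips-v4). The generator below is an added example, not part of the post or of Pi-Star: it reads CIDRs on stdin and emits one rule per range in the same shape the guide appends to /root/ipv4.fw, and it refuses to emit anything if no usable range was read, so a failed download cannot silently produce an empty rule set. If the record is DNS-only (grey cloud), keep the original catch-all rule instead, or these rules will lock you out of HTTPS.

```shell
#!/bin/sh
# Added example: generate per-range iptables rules for one TCP port so that
# only the listed source networks (Cloudflare's edge) can open connections.
# Input: one IPv4 address or CIDR per line on stdin; blank lines and '#'
# comments are ignored. Output: rules in the form used in /root/ipv4.fw.
# Returns non-zero if no usable range was read.

cf_allow_rules() {
    port="${1:?usage: cf_allow_rules PORT < ranges.txt}"
    count=0
    printf '# inbound TCP/%s limited to proxy source ranges (generated %s)\n' \
        "$port" "$(date -u +%Y-%m-%dT%H:%MZ)"
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=${line%%#*}                                  # drop trailing comment
        cidr=$(printf '%s' "$cidr" | tr -d '[:space:]')   # and all whitespace
        [ -n "$cidr" ] || continue
        # Minimal shape check: four dotted fields, optionally one "/prefix".
        case "$cidr" in
            *[!0-9./]* | */ | /* | *.*.*.*/*/*) echo "skipping malformed range: $cidr" >&2; continue ;;
            *.*.*.*/* | *.*.*.*) ;;
            *) echo "skipping malformed range: $cidr" >&2; continue ;;
        esac
        printf 'iptables -A INPUT -s %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' \
            "$cidr" "$port"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Usage on the hotspot (as root, after rpi-rw), in place of the catch-all rule:
#   curl -fsS https://www.cloudflare.com/ips-v4 | cf_allow_rules 2096 >> /root/ipv4.fw && pistar-firewall
```

Cloudflare's ranges change occasionally, so regenerate the block when a rule stops matching; the ipv6 list (ips-v6) would go into the matching ip6 firewall file, which this guide does not touch.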
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 45 \
-d sub.domain.com
The initial run will ask for an email address for notifications.
[email protected] used (use your own email).
Agree to ToS: Y
Share email with EFF: N
Certbot then reports "Performing DNS-01 challenge" and, on success, writes the certificate to:
/etc/letsencrypt/live/sub.domain.com/fullchain.pem
Edit nginx listeners for HTTPS
nano /etc/nginx/sites-enabled/pi-star
Don't forget to edit your domain name and remove the <>
listen 80 default; # existing line, leave as-is
# Added for Certbot
listen 2096 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/<dom.domain.com>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/<dom.domain.com>/privkey.pem; # managed by Certbot
# End for Certbot
nginx -t
nginx -s reload
crontab -e
Choose nano.
Paste at the end:
# apt installs certbot at /usr/bin/certbot (confirm with: command -v certbot)
14 5 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
crontab -l
rpi-ro
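A renewal health check, added here as an example (not from the original post). The cron line above runs `certbot renew` silently, and the Debian certbot package additionally installs its own renewal timer, so the useful thing to watch is the certificate itself: Let's Encrypt certificates are valid for 90 days and certbot renews when 30 or fewer remain, so anything under 20 days means renewal has been failing for a while. The script reads the leaf certificate's notAfter date with openssl and fails below a threshold. It assumes GNU date and openssl, both present on Raspbian; the path is the one certbot printed above.

```shell
#!/bin/sh
# Added example: fail when the Let's Encrypt leaf certificate is close to
# expiry, so a broken renewal is noticed before the dashboard goes dark.
# Assumes GNU date and openssl. Usage:
#   cert_days_left /etc/letsencrypt/live/sub.domain.com/fullchain.pem 20 || <alert of your choice>

# Turn the date string openssl prints after "notAfter=" into whole days from now.
days_from_notafter() {
    not_after="$1"                                   # e.g. "Jun 12 23:59:59 2030 GMT"
    exp=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Print days remaining for the first certificate in a PEM bundle and return
# non-zero when fewer than MIN_DAYS (default 20) remain. Return code 2 means
# the file could not be read or parsed, which is itself worth alerting on.
cert_days_left() {
    pem="$1"
    min_days="${2:-20}"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    # fullchain.pem lists the leaf first; openssl x509 reads only the first cert.
    not_after=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 2
    not_after=${not_after#notAfter=}
    days=$(days_from_notafter "$not_after") || return 2
    echo "$pem: $days day(s) until expiry"
    [ "$days" -ge "$min_days" ]
}
```

Run it from the same root crontab a few hours after the renew job, since /etc/letsencrypt is readable only by root, and treat a return code of 2 as a failure rather than an unknown.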
Single-line install; I haven't retested this though. You have to edit the domain, CF email and key in the lines.
It gets through the firewall setup; then start at the "edit nginx listeners" line... I think...
apt-get install certbot python-certbot-nginx python3-certbot-dns-cloudflare \
;mkdir -p ~/.secrets/certbot/ \
;echo -e "# Cloudflare API credentials used by Certbot \ndns_cloudflare_email = [email protected] \ndns_cloudflare_api_key = your_cf_global_token \n" > ~/.secrets/certbot/cloudflare.ini \
;chmod 0700 ~/.secrets/certbot \
;chmod 0400 ~/.secrets/certbot/cloudflare.ini \
;echo -e "# Comments can be added using the hash at the start of a line \n# This line adds outgoing access to UDP/41401 \n## iptables -A OUTPUT -p udp --dport 41401 -j ACCEPT # NXDN Outbound to extra host \n# This line adds DSCP marking to this traffic to give it voice priority on the network \n# you dont need this but its a good thing for voice packets \n## iptables -t mangle -A POSTROUTING -p udp --dport 41401 -j DSCP --set-dscp 46 \n\n\niptables -A INPUT -m state --state NEW -p tcp --dport 2096 -j ACCEPT" >> /root/ipv4.fw \
;pistar-firewall