AddingANewDomain » History » Version 3
Denis 'GNUtoo' Carikli, 05/30/2020 11:52 PM
add shell
h1. AddingANewDomain

Here's an example for the fictional domain r2d2.replicant.us.
h2. bind

To add this domain, we first need to make it resolvable through DNS.

For that, add the record to the /etc/bind/db.replicant.us zone file and increment the serial in its SOA record. Secondary name servers only transfer a zone whose serial is higher than the one they already hold, so forgetting the increment leaves them silently serving the old zone.

To add the example r2d2.replicant.us domain, we add this line:
<pre>
r2d2 3M IN A 18.4.89.63
</pre>

Then we increment the serial by at least one. Here it is 1000000007:
<pre>
; replicant.us
@ 1D IN SOA replicant.us. gnutoo.no-log.org. (
        1000000007 ; serial
        3H ; refresh
        1H ; retry
        24D ; expiry
        3H ) ; minimum ttl
</pre>

So we make it 1000000008:
<pre>
; replicant.us
@ 1D IN SOA replicant.us. gnutoo.no-log.org. (
        1000000008 ; serial
        3H ; refresh
        1H ; retry
        24D ; expiry
        3H ) ; minimum ttl
</pre>

Then bind9 needs to take the changes into account. It is worth checking the zone file with named-checkzone first, because a zone file that no longer parses is refused on reload and would not be loaded at all after a restart. The reload itself is:
<pre>
systemctl reload bind9
</pre>
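As an added example (not a script from the Replicant wiki or its servers), the following shell script does the three steps above in one go: it appends the A record, bumps the number on the line tagged "; serial", validates the result with named-checkzone and only then reloads bind9. The zone name, file path and record values are assumptions; the check and reload only run when the script is given arguments, so the functions can be tried on a copy of the zone first.

```shell
#!/bin/sh
# Added example, not from the Replicant wiki or its infrastructure: append an A
# record to a BIND zone file and bump the SOA serial in the same step, so the
# serial can never be forgotten. Zone name, paths and addresses are assumptions.
set -eu

# add_record ZONEFILE NAME TTL IPV4
# Appends "NAME TTL IN A IPV4" to ZONEFILE and adds one to the number on the
# first line carrying a "; serial" comment. Refuses duplicates and obviously
# malformed addresses (non-digits, empty octets) instead of writing a zone
# that bind would then reject.
add_record() {
    zonefile=$1; name=$2; ttl=$3; ip=$4

    case "$ip" in
        *[!0-9.]* | '' | *..* | .* | *.)
            echo "add_record: not a dotted-quad IPv4 address: '$ip'" >&2
            return 1 ;;
    esac
    if grep -Eq "^$name[[:space:]]" "$zonefile"; then
        echo "add_record: $name already has a record in $zonefile" >&2
        return 1
    fi

    tmp=$(mktemp)
    # Serials are 32-bit unsigned and compared with serial arithmetic
    # (RFC 1982), so wrap instead of emitting a value bind would refuse.
    awk '
        !done && /;[ \t]*serial/ {
            match($0, /[0-9]+/)
            n = substr($0, RSTART, RLENGTH) + 1
            if (n >= 4294967296) n = 0
            $0 = substr($0, 1, RSTART - 1) sprintf("%.0f", n) substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
    ' "$zonefile" > "$tmp"
    printf '%s\t%s\tIN\tA\t%s\n' "$name" "$ttl" "$ip" >> "$tmp"
    cat "$tmp" > "$zonefile"   # cat, not mv: keeps the zone file's owner and mode
    rm -f "$tmp"
}

# current_serial ZONEFILE: prints the serial, used to confirm the bump.
current_serial() {
    awk '/;[ \t]*serial/ { match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit }' "$1"
}

# Usage: addzone.sh ZONE ZONEFILE NAME IPV4
#   e.g. addzone.sh replicant.us /etc/bind/db.replicant.us r2d2 18.4.89.63
if [ "$#" -eq 4 ]; then
    add_record "$2" "$3" 3M "$4"
    # A zone that fails to parse is refused on reload, so check before telling bind.
    named-checkzone "$1" "$2"
    systemctl reload bind9
    echo "serial is now $(current_serial "$2")"
fi
```

Running it on a copy of the zone (add_record on the copy, then named-checkzone on that copy) is a cheap way to see the exact file bind will get before touching /etc/bind.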

h2. TLS certificates

As we need to protect people's privacy and security, we usually need a TLS certificate for every new domain.

For Let's Encrypt to issue one with the http-01 challenge, a web server must first be able to serve files for that domain over plain HTTP on port 80: the validator fetches a token from /.well-known/acme-challenge/ under the domain, so the name must resolve to this host and the webroot must be reachable from the Internet.

To do that you can either add the new domain to /etc/apache2/sites-enabled/letsencrypt.conf, or to another configuration file in the same directory.

Here are the configuration directives for r2d2.replicant.us; adapt them for a different domain:
<pre>
<VirtualHost *:80>
    ServerName r2d2.replicant.us
    DocumentRoot /var/www/letsencrypt/r2d2.replicant.us/
</VirtualHost>
</pre>

You can paste that in any file in /etc/apache2/sites-enabled/:
* Add it to /etc/apache2/sites-enabled/letsencrypt.conf if you plan to keep it afterwards so that letsencrypt can renew the certificates automatically. This is typically useful if you don't need a web server at that domain, which is the case if you only intend to host a mail server there, for instance.
* Add it to a temporary file like /etc/apache2/sites-enabled/r2d2.conf if you will replace it with another configuration later on.
* Or add it to any existing or new file in /etc/apache2/sites-enabled/, depending on your needs.

Then apache2 needs to take this into account. You can do it with the following command:
<pre>
root@replicantserver0:~# systemctl reload apache2
</pre>

You can check that apache2 is still running with the following command:
<pre>
root@replicantserver0:~# pidof apache2
10465 10456 10421 230
</pre>

Note that apache refuses to reload a configuration that does not parse and keeps running the old one, so pidof only shows that the server is up, not that the new virtual host is active; the checks below cover that.
At this point it is a good idea to verify that everything works before proceeding, because Let's Encrypt rate-limits failed attempts. When the limit is reached you have to wait before being able to retry, which can be time consuming.

To check that everything is fine:
* make sure that you can ping the domain
* make sure that apache responds; a "Forbidden" web page is good enough for that
It's then a good time to finally get a certificate. You can use the 'certbot certonly --webroot' command to do that.

Here's an example of usage for the r2d2.replicant.us domain:
<pre>
root@replicantserver0:~# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): r2d2.replicant.us
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for r2d2.replicant.us
Input the webroot for r2d2.replicant.us: (Enter 'c' to cancel): /var/www/letsencrypt/r2d2.replicant.us/
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/r2d2.replicant.us/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/r2d2.replicant.us/privkey.pem
   Your cert will expire on 2020-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
</pre>

Finally, don't forget to change the apache configuration again if the changes you made were only meant to be temporary. Whatever replaces it must still serve /var/www/letsencrypt/r2d2.replicant.us/.well-known/acme-challenge/ over plain HTTP, because certbot renew repeats the same http-01 challenge with the webroot it recorded at issuance.
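The whole TLS procedure above as an added example, not code from the Replicant wiki or its servers: a script that writes the port-80 vhost for a new domain, reloads apache only after the configuration parses (apache2ctl configtest), verifies that a token dropped in the webroot is actually served at the http-01 path (stricter than the "Forbidden" check, because it also catches a different vhost answering for the name), and then rehearses the certbot run with --dry-run against Let's Encrypt's staging endpoint, which does not count against the rate limits. The domain, paths and token format are assumptions; the network and certbot steps only run when the script is given a domain and a webroot.

```shell
#!/bin/sh
# Added example, not from the Replicant wiki or its servers: bring up the http-01
# vhost for a new domain and prove it works before spending a Let's Encrypt attempt.
# Domain, paths and the token format are assumptions.
set -eu

# write_acme_vhost DOMAIN WEBROOT OUTFILE
# Same vhost as in the text, plus a <Directory> block so the challenge webroot
# can serve its token files but never a directory listing or .htaccess overrides.
write_acme_vhost() {
    domain=$1; webroot=$2; out=$3
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $webroot
    <Directory "$webroot">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# place_token WEBROOT TOKEN: drop a file where the http-01 validator will look,
# and print its path so the caller can remove it afterwards.
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s\n' "$2" > "$dir/$2"
    echo "$dir/$2"
}

# token_served DOMAIN TOKEN: fetch the token back over HTTP exactly as the
# validator does, and insist on the same content (a 200 from some other vhost
# that happens to answer for the name would otherwise look like success).
token_served() {
    url="http://$1/.well-known/acme-challenge/$2"
    got=$(curl -fsS --max-time 10 "$url") || { echo "no answer from $url" >&2; return 1; }
    [ "$got" = "$2" ] || { echo "$url served unexpected content: $got" >&2; return 1; }
}

# Usage: acme-preflight.sh DOMAIN WEBROOT
#   e.g. acme-preflight.sh r2d2.replicant.us /var/www/letsencrypt/r2d2.replicant.us
if [ "$#" -eq 2 ]; then
    domain=$1; webroot=$2
    mkdir -p "$webroot"
    write_acme_vhost "$domain" "$webroot" "/etc/apache2/sites-enabled/$domain.conf"
    apache2ctl configtest          # a broken vhost file would make the reload fail
    systemctl reload apache2
    getent ahosts "$domain" >/dev/null || { echo "$domain does not resolve" >&2; exit 1; }
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    file=$(place_token "$webroot" "$token")
    token_served "$domain" "$token"
    rm -f "$file"
    # Rehearse against the staging endpoint: same challenge, no rate-limit cost.
    certbot certonly --webroot -w "$webroot" -d "$domain" --dry-run
    certbot certonly --webroot -w "$webroot" -d "$domain"
fi
```

Keeping the generated file in sites-enabled after issuance is what makes "certbot renew" keep working later, for the same reason given above: renewal re-runs the http-01 challenge against the recorded webroot.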