TLS implementation on existing Site

Questions and discussions about Indie Computing's UBOSbox
criky
Posts: 31
Joined: Fri Jul 05, 2019 4:24 am

Post by criky » Sat Jul 20, 2019 3:41 am

Hi. :P
I saw all the UBOS articles about how to launch a new site with TLS applied (e.g. https://ubos.net/docs/users/create-ssl-site.html).
But unfortunately, I can't see anything about TLS implementation on an existing site.

So could I do that myself?
I think it can be realized by editing the Site JSON file, but there seems to be no example in the Site JSON section of the UBOS documents
(https://ubos.net/docs/developers/site-json.html), and my current Site JSON file doesn't have a TLS section at all.

So could you please give me an example of how to add new lines to the Site JSON file for the TLS certification?

In particular, I prefer to make a self-signed TLS cert since I'm just going to set up my site as a personal one.

Thanks.



j12t
Posts: 106
Joined: Tue Dec 12, 2017 9:17 pm

Re: TLS implementation on existing Site

Post by j12t » Sat Jul 20, 2019 8:28 pm

You are correct that when redeploying the Site JSON with additional TLS info, the site should come up as HTTPS.

However, for this to work, you need to have an actual DNS "A" entry that points to your box. Then you cannot access your site any more by IP address, only by that hostname. This does not have to be an "official" DNS record if you will only use it on your LAN.

Given you do self-signed, what I would do is this:
  • Back up the data on your box!
  • On your UBOS box, run "ubos-admin createsite --tls --selfsigned -n -o example.json". Enter the DNS name you picked. Enter whatever you like for apps (maybe even none at all). The -n will only create the Site JSON, not actually deploy it. It will be saved to example.json
  • Look at the TLS section in example.json, and copy it into your actual Site JSON. You want the section that starts with

    "tls" : {

    and ends with the corresponding curly brace, and you want it at the same place in the JSON hierarchy. The key and cert inlined into the JSON are very long lines; it's important you don't accidentally break them into separate lines.
  • Redeploy your so-modified site JSON file
Warning: I may be missing some things here, as that's not something I usually do :-)
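
The copy step described in the post above can be done with a JSON parser instead of by hand, so the long key and cert values cannot be split across lines. This is an added example, not part of the original post and not UBOS code; it assumes the "tls" object and a "hostname" key sit at the top level of both files, and the sample documents and file name are constructed placeholders.

```python
import json
import os

def merge_tls(site, generated):
    """Return a copy of `site` carrying the top-level "tls" object of `generated`."""
    tls = generated.get("tls")
    if not isinstance(tls, dict) or not tls:
        raise ValueError('generated Site JSON has no "tls" object')
    merged = dict(site)
    merged["tls"] = tls  # same place in the hierarchy: top level of the Site JSON
    return merged

def hostname_warnings(site, generated):
    """Assumption: both files carry a top-level "hostname" key."""
    have, want = site.get("hostname"), generated.get("hostname")
    notes = []
    if have == "*":
        notes.append("site still uses hostname '*'; use the DNS name you entered")
    if want and have != want:
        notes.append(f"tls section was generated for {want!r}, site has {have!r}")
    return notes

def write_private(path, doc):
    """Write owner-readable only: the tls section inlines the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as out:
        # json.dump escapes newlines inside strings, so the long key and
        # cert values each stay on one line instead of being broken by hand.
        json.dump(doc, out, indent=4)
        out.write("\n")

# Constructed sample documents; the names inside "tls" are placeholders and
# the real ones are whatever "ubos-admin createsite -n -o example.json" wrote.
EXISTING = {"hostname": "*", "siteid": "s-existing-placeholder", "appconfigs": []}
GENERATED = {
    "hostname": "box.example.lan",
    "siteid": "s-generated-placeholder",
    "tls": {
        "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
}

if __name__ == "__main__":
    for note in hostname_warnings(EXISTING, GENERATED):
        print("warning:", note)
    write_private("site-with-tls.json", merge_tls(EXISTING, GENERATED))
```

The output file is what gets redeployed in the last step of the list; both warnings fire for the sample data because the existing site still uses hostname '*'.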

Re: TLS implementation on existing Site

Post by criky » Sun Jul 21, 2019 4:34 am

Thanks.

Honestly, I chose the self-signed cert because it does not require having an official DNS, as you mentioned in the documents.
While I would be able to access my site via LAN, I also need to access my site via WAN (public internet) while I am away from home. And this whole process currently includes my access via IP address.

But if I have to create my "Local" DNS name (not official) and may only be able to access it via LAN, since the name is only valid on the "Local" network, then I think this solution doesn't fit my case.

1. Is my understanding above correct?
2. If a Local DNS name is mandatory for the self-signed cert, and that means external access via IP address is not possible any more, then I need to opt to use a Letsencrypt cert with an official DNS name rather than a self-signed cert with an unofficial DNS name. What's your advice? :) In this case, may I follow your advice for self-signed as well?

Re: TLS implementation on existing Site

Post by j12t » Sun Jul 21, 2019 6:39 pm

There was a previous thread on a related subject: viewtopic.php?f=14&t=1374 which has some relevant info.

Re: TLS implementation on existing Site

Post by criky » Tue Jul 23, 2019 1:37 pm

While redeploying the Site JSON file, an issue occurred due to a typo in my host name. (Actually, the Letsencrypt certification process failed, but the new Site JSON file had been successfully created.)
What I had just updated in my Site JSON file was the activation of Letsencrypt, and this issue makes proceeding further impossible. (Please see the errors below when I try to run the "deploy" code again with the right host name.)

Please see the error messages from UBOS below. Do you have any idea for dealing with this situation?
Is it possible to resolve the " ERROR : Cannot creat a temporary backup; the backup directory is not empty." situation?
Attachments: 2.png, 1.png

Re: TLS implementation on existing Site

Post by j12t » Tue Jul 23, 2019 10:45 pm

Added an entry to troubleshooting: https://ubos.net/docs/users/troubleshoo ... -not-empty

Hope this helps.

Re: TLS implementation on existing Site

Post by criky » Wed Jul 24, 2019 4:16 am

I found two things when I updated my Site JSON file and redeployed it.

1. If I change the log-in credentials like userid, username, passphrase, email etc. to something other than the default values, then it causes errors.
==> I have no choice but to return to the default values.

2. When I activate TLS with Letsencrypt by adding new lines to the Site JSON file, the certification process completes successfully,
but when I try to connect to my server over the public internet, either via IP address or DNS name, the screen below shows up.
==> Just before enabling TLS, everything was going fine (no problem connecting to the site via the public internet).

Do you have any idea about this message? If there is no other solution, do I have to go through this process again with the "createsite" command?
Attachments: 1.png

Re: TLS implementation on existing Site

Post by j12t » Wed Jul 24, 2019 4:26 am

The hostname in your browser has to match the hostname of the site exactly once you have moved from hostname '*' to a named host.

    ubos-admin listsites

will show you what site(s) is/are deployed.

Re: TLS implementation on existing Site

Post by criky » Wed Jul 24, 2019 4:49 am

I think it's a bit complicated.
I just typed the exact name of my domain, but the above message occurs.
On top of that, it seems other commands are being stopped due to this problem.

Do you have any idea?
Attachments: 4.png, 3.png, 2.png

Re: TLS implementation on existing Site

Post by criky » Wed Jul 24, 2019 5:35 am

I got one more response from UBOS.
Attachments: 5.png