
View Full Version : LetsEncrypt for https://killtube.org



kung foo man
15th March 2016, 02:14
NOT RECOMMENDED YET

RECOMMENDED AND ENFORCED ;^)

Hey all,

https://killtube.org/forum.php should work from now on. Since I had to reconfigure a bit, please post any bugs. ^^

Regards, kung foo man

Edit 1:

For later lookup:

https://nwgat.ninja/setting-up-letsencrypt-with-lighttpd/
https://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL
https://www.ssllabs.com/ssltest/

Edit 2:

Fucking shit, the post editor is not available in https:// mode and screws up the newlines when a post is saved:

[attachment 1024]

GJ, VBulletin.

IzNoGoD
15th March 2016, 10:21
My own script for letsencrypt on forum.jumpersheaven.com:



#!/bin/bash
# Fetch the client, get/renew the cert via the webroot challenge and build the
# privkey+cert bundle that lighttpd needs.
set -e
DOMAIN=forum.jumpersheaven.com
LIVE=/etc/letsencrypt/live/$DOMAIN

rm -rf letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
rm -rf /tmp/letsencrypt
mkdir -p /tmp/letsencrypt
# --renew was later renamed --renew-by-default (see the 12th June 2016 post below)
./letsencrypt/letsencrypt-auto certonly --renew --webroot --webroot-path=/tmp/letsencrypt -d $DOMAIN --email=INSERT@EMAIL.HERE

# lighttpd wants key and cert in one file. Create it under a tight umask so the
# private key is never world-readable, then hand it to the www-data group.
rm -f $LIVE/combined.pem
umask 077
cat $LIVE/privkey.pem $LIVE/cert.pem > $LIVE/combined.pem
chown :www-data /etc/letsencrypt /etc/letsencrypt/live /etc/letsencrypt/archive $LIVE/combined.pem
chmod g+x /etc/letsencrypt/live /etc/letsencrypt/archive   # www-data only needs to traverse these
chmod 640 $LIVE/combined.pem                               # read access, not execute

With this as lighttpd.conf contents:


$HTTP["host"] =~ "forum.jumpersheaven.com" {
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # chain.pem = the intermediate(s) sent to clients; combined.pem = privkey + leaf cert
        ssl.ca-file = "/etc/letsencrypt/live/forum.jumpersheaven.com/chain.pem"
        ssl.pemfile = "/etc/letsencrypt/live/forum.jumpersheaven.com/combined.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
        # generated with: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 (see the 18th March 2016 post below)
        ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
        ssl.ec-curve = "secp384r1"
        ssl.use-compression = "disable"
        setenv.add-response-header = (
            "X-Frame-Options" => "DENY",
            "X-Content-Type-Options" => "nosniff"
        )
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    else $SERVER["socket"] == ":80" {
        # plain http only serves the ACME challenge; everything else is sent to https
        $HTTP["url"] =~ "^/\.well-known/" {
            server.dir-listing = "disable"
            server.document-root = "/tmp/letsencrypt"
        }
        else $HTTP["url"] =~ "" {
            url.redirect = ("^/(.*)" => "https://forum.jumpersheaven.com/$1")
        }
    }
}

I can just cronjob the first one and it'll auto-renew my certificates :)

Mitch
15th March 2016, 16:27
NOT RECOMMENDED YET
Fucking shit, the post editor is not available in https:// mode and screws up the newlines when a post is saved:

Indeed. Also the SSL Labs test shows a few issues. The most important ones are to disable SSLv3 and to check why the certificate chain is incomplete.
LetsEncrypt is very easy to set up and renew for an Apache server.

Edit: your attachment isn't https either.
Edit 2: I found the issue with the editor. It is blocked because it is loaded via http.
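The post-issuance half of IzNoGoD's script above (bundle the key with the cert, hand it to lighttpd) and the "incomplete chain" Mitch saw on SSL Labs are both covered by the following certbot deploy hook. This is an added example, not IzNoGoD's script or anything posted in the thread. It assumes certbot's deploy-hook convention (certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> when it calls the hook), that lighttpd runs as the www-data group, that the config lives at /etc/lighttpd/lighttpd.conf and that the service is managed by systemd; all of those are adjustable via the variables at the top. The bundle is written under umask 077 and moved into place atomically, so the private key is never world-readable, and the hook refuses to deploy if privkey.pem does not match cert.pem or if cert.pem does not verify against chain.pem (the file ssl.ca-file must point at, otherwise clients get the leaf without its intermediate).

```shell
#!/bin/bash
# certbot deploy hook: certbot ... --deploy-hook /usr/local/sbin/deploy-lighttpd-cert.sh
# certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name> before running it.
set -eu

CERT_GROUP="${CERT_GROUP:-www-data}"                        # assumption: lighttpd's group
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}" # assumption: config path

# The public key derived from privkey.pem must be the one inside cert.pem;
# a stale key (e.g. an older -000N lineage directory) gives a bundle the
# server cannot use.
key_matches_cert() {
    local key="$1" cert="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)" ]
}

# cert.pem must chain to chain.pem. -partial_chain lets the intermediate in
# chain.pem act as the anchor, so this checks the chain the server will send
# rather than the system trust store.
verify_chain() {
    local cert="$1" chain="$2"
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Write privkey + cert into one file: created 0600 by mktemp and filled under
# umask 077, then renamed into place, so there is no window where the key is
# readable by others or lighttpd sees a half-written bundle.
build_combined() {
    local key="$1" cert="$2" out="$3" tmp
    tmp="$(mktemp "$(dirname "$out")/.combined.XXXXXX")"
    (umask 077; cat "$key" "$cert" > "$tmp")
    chmod 640 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$CERT_GROUP" "$tmp"
    fi
    mv -f "$tmp" "$out"
}

deploy() {
    local lineage="$1"
    key_matches_cert "$lineage/privkey.pem" "$lineage/cert.pem" \
        || { echo "privkey.pem does not match cert.pem in $lineage" >&2; return 1; }
    verify_chain "$lineage/cert.pem" "$lineage/chain.pem" \
        || { echo "cert.pem does not verify against chain.pem in $lineage" >&2; return 1; }
    build_combined "$lineage/privkey.pem" "$lineage/cert.pem" "$lineage/combined.pem"
    # Syntax-check the config first so a broken bundle never takes the site down.
    lighttpd -t -f "$LIGHTTPD_CONF"
    systemctl reload-or-restart lighttpd
}

# Only act when certbot invoked us; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Wire it in once with `certbot certonly ... --deploy-hook /usr/local/sbin/deploy-lighttpd-cert.sh` (certbot stores the hook in the renewal config) and let a plain `certbot renew` run from cron; certbot then only reissues when the certificate is close to expiry instead of forcing a new one on every run. After a reload, confirm the intermediate is actually being sent with `openssl s_client -connect forum.jumpersheaven.com:443 -servername forum.jumpersheaven.com -showcerts` or the SSL Labs test linked in the first post.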

kung foo man
16th March 2016, 09:27
I grep'ed through the source code and probably it's:



./includes/class_bbcode_alt.php: 'src' => $vbulletin->options['bburl'] . '/attachment.php?attachmentid=' . $attachmentid . '&stc=1',


So $vbulletin->options['bburl'] is still pointing to http://, but I couldn't find yet where it is initialized. I've asked in the vBulletin forum, I hope they're gonna answer, shouldn't be so hard for those people.

IzNoGoD
16th March 2016, 11:02
Just add this to lighttpd.conf:


$SERVER["socket"] == ":80" {
    url.redirect = ("^/(.*)" => "https://forum.jumpersheaven.com/$1")
}

kung foo man
16th March 2016, 11:30
Redirecting from http to https is going to add extra requests though (which introduces useless latency). I'd rather fix the paths in vBulletin directly, once I know where the bburl variable is initialized.

kung foo man
18th March 2016, 06:13
[attachment 1025]

Very nice, thanks IzNoGoD, config works great. :D

The missing command to generate dhparam.pem: openssl dhparam -out dhparam.pem 4096

There is an option in vBulletin to "force" a URL, which could be https:// then, but then http:// wouldn't work anymore, since it rewrites all URLs directly to https://. I kinda wanna keep both, http:// and https://. I hope they're gonna deliver a real answer in the vBulletin forum, ATM it's just crap like "activate that option muh". Maybe only allow https:// after all? Dunno if that could cause problems for some people.

IzNoGoD
18th March 2016, 09:06
Could cause problems for people on Windows XP using IE, and ONLY those people.

kung foo man
18th March 2016, 10:30
Trutru, https["state"] = "RECOMMENDED AND ENFORCED"

kung foo man
12th June 2016, 02:51
The option --renew is now named --renew-by-default, so IzNoGoD's .sh would fail on that now.

Notice to myself for the next time:


./letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path=/var/www/forum -d killtube.org -d www.killtube.org --email=lama12345@gmail.com
cd /etc/letsencrypt/live/killtube.org/
umask 077   # the bundle contains the private key: keep it root-only
cat privkey.pem cert.pem > privkey_plus_cert.pem
/etc/init.d/lighttpd restart


Letsencrypt auto-updates itself btw, didn't know that.

kung foo man
22nd April 2017, 03:31
LetsEncrypt slowly becomes a Python/pip/gcc dependency hell:

root@euve78301:~# ./letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path=/var/www/forum -d killtube.org --email=lama12345@gmail.com
Upgrading certbot-auto 0.11.1 to 0.13.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Had a problem while installing Python packages.

pip prints the following errors:
=====================================================
Collecting argparse==1.4.0 (from -r /tmp/tmp.phANzTUu7s/letsencrypt-auto-requirements.txt (line 11))
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting pycparser==2.14 (from -r /tmp/tmp.phANzTUu7s/letsencrypt-auto-requirements.txt (line 17))
Downloading pycparser-2.14.tar.gz (223kB)
Collecting cffi==1.4.2 (from -r /tmp/tmp.phANzTUu7s/letsencrypt-auto-requirements.txt (line 21))
Downloading cffi-1.4.2.tar.gz (365kB)
Complete output from command python setup.py egg_info:
unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
unable to execute 'x86_64-linux-gnu-gcc': No such file or directory

No working compiler found, or bogus compiler options
passed to the compiler from Python's distutils module.
See the error messages above.
(If they are about -mno-fused-madd and you are on OS/X 10.8,
see http://stackoverflow.com/questions/22313407/ .)

----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-EPPyZ4/cffi
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 8.0.3, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
=====================================================

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.

Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .

Luckily pip install --upgrade pip fixed everything

IzNoGoD
13th January 2018, 04:54
Bumping this a bit - your www subdomain has no cert, so https://www.killtube.org/ does not properly work. Try adding -d www.killtube.org to your initial LE command.

kung foo man
13th January 2018, 11:10
Thanks, works nicely. Now it can reroute to http://killtube.org/forum.php

[attachment 1393]

And the cookie session is invalid ^^

kung foo man
29th March 2019, 04:39
For the next time:



apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot




certbot certonly --renew-by-default --webroot --webroot-path=/var/www/forum -d killtube.org -d www.killtube.org --email=lama12345@gmail.com
cd /etc/letsencrypt/live/killtube.org/
umask 077   # the bundle contains the private key: keep it root-only
cat privkey.pem cert.pem > privkey_plus_cert.pem
/etc/init.d/lighttpd restart


https://certbot.eff.org/lets-encrypt/ubuntuxenial-other

kung foo man
16th December 2021, 15:31
I added a monthly crontab now: @monthly bash cronMonthly.sh &

cronMonthly.sh


#!/bin/bash
# cron starts in $HOME, so the relative cd worked; make it explicit and bail out if it fails
cd ~/KILLTUBE || exit 1
node update_ssl.js


update_ssl.js


const { execSync } = require('child_process');
const { readFileSync, writeFileSync, chmodSync } = require('fs');
const file_get_contents = filename => readFileSync(filename, 'utf8');
const email = 'lama12345@gmail.com';
const domains = [
    'killtube.org',
    'www.killtube.org',
    //'tracker.killtube.org',
].map(domain => '-d ' + domain).join(' ');

// Run a shell command, echo its output and return stdout. execSync throws on a
// non-zero exit, so a failed certbot run aborts before any file is touched.
function system(cmd) {
    const stdout = execSync(cmd).toString().trim();
    console.log(`<system cmd='${cmd}'>`);
    console.log(stdout);
    console.log('</system>');
    return stdout;
}

// --renew-by-default forces a brand new certificate on every run (which is why
// this only runs monthly). certbot prints the fullchain path before the key path.
function certbot() {
    const cmd = `certbot certonly --renew-by-default --webroot --webroot-path=/var/www/forum ${domains} --email=${email}`;
    const stdout = system(cmd);
    // Pick the .pem paths out of the output whether certbot puts them on their own
    // line (older versions) or after "saved at:" on the same line (newer versions).
    return stdout.split('\n')
        .map(line => (line.match(/\/etc\/letsencrypt\/\S+\.pem/) || [])[0])
        .filter(Boolean);
}

const [fullchain, privkey] = certbot();
//const dir = '/etc/letsencrypt/live/killtube.org-0005';
//const [fullchain, privkey] = [dir + '/fullchain.pem', dir + '/privkey.pem'];
if (!fullchain || !privkey) throw new Error('could not find the certificate paths in certbot output');
const cert = privkey.replace('privkey', 'cert');
const chain = privkey.replace('privkey', 'chain');
const lighttpd_chain = privkey.replace('privkey', 'lighttpd_chain');
console.log(`const fullchain = '${fullchain}';`);
console.log(`const privkey = '${privkey}';`);
console.log(`const cert = '${cert}';`);
// Lighttpd requires privkey_plus_cert.pem and chain.pem (not as a link, so read/save it)
const privkey_plus_cert = [privkey, cert].map(file_get_contents).join('');
const privkey_plus_cert_filename = privkey.replace('privkey', 'privkey_plus_cert');
// Don't print the bundle: cron mails stdout, and the bundle contains the private key.
console.log('writing', privkey_plus_cert_filename);
// 0600 is enough: lighttpd loads the pemfile as root at startup, nobody else needs it.
writeFileSync(privkey_plus_cert_filename, privkey_plus_cert, { mode: 0o600 });
chmodSync(privkey_plus_cert_filename, 0o600); // the mode above only applies to a newly created file
writeFileSync(lighttpd_chain, file_get_contents(chain));
// Restart lighttpd inside its screen session, i.e. the manual
//   screen -r lighttpd
//   ctrl+c
//   arrow up + enter
// "|| true": a missing lighttpd process or screen session must not abort the restart.
system('pkill lighttpd || true');
system('screen -S lighttpd -X quit || true');
system('screen -AmdS lighttpd');
system('screen -S lighttpd -p 0 -X stuff "cd ~/KILLTUBE/^M"');
system('screen -S lighttpd -p 0 -X stuff "./lighttpd.sh^M"');


It all works so far, let's see in a month :^)