From c493769364432adefa102e4773073344734f5239 Mon Sep 17 00:00:00 2001 From: Norm Date: Sat, 20 Apr 2024 21:31:48 -0400 Subject: [PATCH] Update Nginx setup docs for Fedora and Red Hat OTP --- docs/docs/installation/fedora_based_en.md | 32 +++++++++-------------- docs/docs/installation/otp_redhat_en.md | 30 +++++++++------------ 2 files changed, 25 insertions(+), 37 deletions(-) diff --git a/docs/docs/installation/fedora_based_en.md b/docs/docs/installation/fedora_based_en.md index 3e09f6996..40cdaf19a 100644 --- a/docs/docs/installation/fedora_based_en.md +++ b/docs/docs/installation/fedora_based_en.md @@ -135,23 +135,6 @@ If you want to open your newly installed instance to the world, you should run n sudo dnf install nginx ``` -* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it: - -```shell -sudo dnf install certbot -``` - -and then set it up: - -```shell -sudo mkdir -p /var/lib/letsencrypt/ -sudo certbot certonly --email -d --standalone -``` - -If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). - ---- - * Copy the example nginx configuration and activate it: ```shell 
@@ -165,12 +148,23 @@ sudo cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.con sudo systemctl enable --now nginx.service ``` -If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run: +* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it: ```shell -sudo certbot certonly --email -d --webroot -w /var/lib/letsencrypt/ +sudo dnf install certbot python3-certbot-nginx ``` +and then set it up: + +```shell +sudo certbot --email -d -d --nginx +``` + +If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`. + +Certificate renewal should be handled automatically by Certbot from now on. + + #### Other webserver/proxies You can find example configurations for them in `/opt/akkoma/installation/`. diff --git a/docs/docs/installation/otp_redhat_en.md b/docs/docs/installation/otp_redhat_en.md index ea27af6f4..38c1b96db 100644 --- a/docs/docs/installation/otp_redhat_en.md +++ b/docs/docs/installation/otp_redhat_en.md @@ -82,6 +82,7 @@ Other than things bundled in the OTP release Akkoma depends on: * PostgreSQL (also utilizes extensions in postgresql-contrib) * nginx (could be swapped with another reverse proxy but this guide covers only it) * certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it) + * If you are using certbot, also install the `python3-certbot-nginx` package for the nginx plugin * libmagic/file First, update your system, if not already done: 
@@ -169,12 +170,6 @@ sudo -Hu akkoma ./bin/pleroma stop ### Setting up nginx and getting Let's Encrypt SSL certificaties -#### Get a Let's Encrypt certificate - -```shell -certbot certonly --standalone --preferred-challenges http -d yourinstance.tld -``` - #### Copy Akkoma nginx configuration to the nginx folder ```shell @@ -195,8 +190,15 @@ sudo nginx -t sudo systemctl start nginx ``` -At this point if you open your (sub)domain in a browser you should see a 502 error, that's because Akkoma is not started yet. +#### Get a Let's Encrypt certificate +```shell +sudo certbot --email -d -d --nginx +``` + +If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`. + +If you're successful with obtaining the certificates, opening your (sub)domain in a browser will result in a 502 error, since Akkoma hasn't been started yet. ### Setting up a system service 
@@ -239,19 +241,11 @@ sudo nginx -t # Restart nginx sudo systemctl restart nginx -# Ensure the webroot menthod and post hook is working -sudo certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --dry-run --post-hook 'systemctl reload nginx' - -# Add it to the daily cron -echo '#!/bin/sh -certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx" -' > /etc/cron.daily/renew-akkoma-cert -sudo chmod +x /etc/cron.daily/renew-akkoma-cert - -# If everything worked the output should contain /etc/cron.daily/renew-akkoma-cert -sudo run-parts --test /etc/cron.daily +# Test that renewals work properly +sudo certbot renew --cert-name yourinstance.tld --nginx --dry-run ``` +Assuming the commands were run successfully, certbot should be able to renew your certificates automatically via the `certbot-renew.timer` systemd unit. ## Create your first user and set as admin ```shell
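Review bot: Dropping the certificate step ahead of the nginx setup in fedora_based_en.md (hunk @@ -135,23) means the reader now copies akkoma.nginx and runs `sudo systemctl enable --now nginx.service` before any certificate exists. The removed paragraph itself hinted that the example config has SSL turned on ("change ssl "on" to "off" and try again"), so if akkoma.nginx references ssl_certificate paths that certbot has not created yet, nginx will refuse to start and the later `certbot --nginx` step has nothing to run against. Either keep a sentence telling the reader to comment out the ssl directives until certbot's nginx plugin writes them, or confirm that the shipped akkoma.nginx starts cleanly without a certificate and say so.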
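Review bot: The troubleshooting advice added in fedora_based_en.md (hunk @@ -165,12) does not match the command it refers to: `certbot --nginx` is the `run` subcommand, and certbot rejects `--dry-run` there ("--dry-run currently only works with the 'certonly' or 'renew' subcommands"). Suggest telling the reader to retry with `--staging` to stay clear of the rate limit, or to use `certbot certonly --nginx ... --dry-run` while debugging and then rerun without it. Two smaller points on the same lines: the two empty `-d` placeholders need a word on what each is for (the instance domain and an alternate hostname?), and "A common source of problems are nginx config syntax errors" should read "is". Lastly, "Certificate renewal should be handled automatically by Certbot from now on" only holds once `certbot-renew.timer` is enabled; the Red Hat file in this same patch names that timer, so the Fedora text should also include `sudo systemctl enable --now certbot-renew.timer` unless the package already enables it.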
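Review bot: Same ordering concern as in the Fedora file for otp_redhat_en.md (hunk @@ -169,12): with the standalone certbot step removed, `sudo nginx -t` and `sudo systemctl start nginx` in the following section now run before a certificate exists, so the doc should either state that the copied nginx config starts without ssl_certificate paths or tell the reader to disable them until certbot fills them in. While touching this section, the heading in the context line still reads "certificaties"; worth fixing to "certificates".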
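Review bot: The `--dry-run` advice added in otp_redhat_en.md (hunk @@ -195,8) has the same problem as the Fedora hunk: `sudo certbot --email -d -d --nginx` is the `run` subcommand, which certbot refuses to combine with `--dry-run`; suggest `--staging` for repeat attempts instead, and fix "are nginx config syntax errors" to "is". The restructured 502 sentence is an improvement, but "If you're successful with obtaining the certificates" reads better as "Once the certificate has been obtained".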
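Review bot: The renewal section in otp_redhat_en.md (hunk @@ -239,19) replaces the cron job and its `--post-hook "systemctl reload nginx"` with a single dry run and a reference to `certbot-renew.timer`, but two things go missing. First, nothing in the hunk enables the timer; add `sudo systemctl enable --now certbot-renew.timer` (and `systemctl list-timers certbot-renew.timer` to verify), otherwise "should be able to renew your certificates automatically" does not hold on an install where the timer is not enabled by default. Second, the nginx reload after renewal now relies on the nginx installer plugin having been recorded in the renewal config by the earlier `certbot --nginx` run; say so explicitly, since a reader who obtained the certificate another way will renew without nginx ever picking up the new file. Minor: `--nginx` on `certbot renew` is redundant when the lineage already uses the nginx installer, though harmless.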