Objective: install a private instance of Etherpad (etherpad.org) secured with TLS encryption, and configure the system to give a good level of control over who gets to see and edit what, i.e. to authenticate the users.
First I will get and install a new certificate for use on pad.byjuho.fi, which will host an Etherpad instance to fulfil my secure textual collaboration needs safely.
Second I will replace the soon-expiring commercial certificate for *.consumium.org. So far I know that I can keep the old cert in place and insert the new certs under a subjectAltName. This way the free social media that I host can (hopefully) continue operating normally without any downtime.
as instructed by the Certbot interactive website. That complained that it did not find any ‘ServerName’s in the configuration files, which is slightly strange. When I answered ‘no’ to the “Do you want to proceed?” question it exited and hinted to specify the domain name with the ‘--domains’ switch:
sudo certbot --apache --domains byjuho.fi
A blue screen comes up that asks for the “emergency” email address. Put in one that you will never lose, like an https://iki.fi address, which I have used for over 20 years now and which is valid for a lifetime.
Next the blue screen asks whether you want all traffic redirected to TLS-encrypted HTTPS. I chose to allow normal HTTP too.
The encrypted URL now leads to the default Apache2-on-Debian landing page (“It works…”), so I need to make a new VirtualHost directive for the encrypted site in /etc/apache2/sites-enabled/001-hosts, which is where I keep the directives.
So I need to figure out where Certbot put the certificate and the key.
Certbot puts the very secret key and the very public certificate in
‘/etc/letsencrypt/live/domain.tld’, and the automagic from the blue screen creates a VirtualHost entry in ‘/etc/apache2/sites-enabled/000-default-le-ssl.conf’. After I made a normal VirtualHost entry in ‘/etc/apache2/sites-enabled/001-sites.conf’ and commented everything out in 000-default-le-ssl.conf, this blog is now also available over TLS at https://ByJuho.fi.
Friendly folks on #freenode pointed out that
sudo apachectl -S
is very useful for locating problem points regarding conflicting VirtualHost directives.
Next I am going to find out whether commenting out the contents of 000-default-le-ssl.conf has any adverse effects. It seems the file with the lower numeric prefix takes precedence.
Next I try to replicate the necessary steps described in this blog post to actually bring up https://pad.byjuho.fi.
All that was needed to bring up the default Debian/Apache “It works” page over TLS-encrypted HTTPS was one run of
sudo certbot --apache --domains pad.byjuho.fi
and then fixing the VirtualHost directive to your liking to actually serve your content.
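The post leaves the contents of that VirtualHost to the reader. The script below is an added example, not the author's configuration: it renders a VirtualHost for pad.byjuho.fi that terminates TLS with the certbot files named earlier and proxies to a local Etherpad, and it refuses to write the file until those certificate files actually exist. Assumptions not stated in the post: Etherpad listens on 127.0.0.1:9001 (its default port), the Apache modules mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite are enabled, and the "who gets to see and edit" objective is met with Apache basic authentication against an htpasswd file, which is one simple option among several.

```shell
#!/bin/sh
# Added example, not from the original post. Renders and installs a TLS
# VirtualHost that fronts a local Etherpad. Assumed, not from the post:
# Etherpad on 127.0.0.1:9001, basic auth via /etc/apache2/<host>.htpasswd,
# and the modules ssl, proxy, proxy_http, proxy_wstunnel, rewrite enabled.

# Print a VirtualHost for hostname $1 proxying to local port $2, reading the
# certificate and key from $3/$1 (default base dir: /etc/letsencrypt/live).
render_tls_vhost() {
    host=$1; port=$2; live=${3:-/etc/letsencrypt/live}
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    # fullchain.pem = leaf certificate plus intermediates; privkey.pem is the secret key
    SSLCertificateFile    $live/$host/fullchain.pem
    SSLCertificateKeyFile $live/$host/privkey.pem

    # Etherpad talks over WebSockets (socket.io): hand Upgrade requests to mod_proxy_wstunnel
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)\$ ws://127.0.0.1:$port/\$1 [P,L]
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:$port/
    ProxyPassReverse / http://127.0.0.1:$port/

    # Authenticate every visitor (assumed mechanism; create the file with htpasswd)
    <Location />
        AuthType Basic
        AuthName "$host"
        AuthUserFile /etc/apache2/$host.htpasswd
        Require valid-user
    </Location>

    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined
</VirtualHost>
EOF
}

# Write the rendered vhost to $4 (default /etc/apache2/sites-available) as
# <host>-le-ssl.conf, but only after confirming certbot left the certificate
# and key behind; returns 1 with a message otherwise.
install_tls_vhost() {
    host=$1; port=$2; live=${3:-/etc/letsencrypt/live}
    avail=${4:-/etc/apache2/sites-available}
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$host/$f" ] \
            || { echo "missing $live/$host/$f; run certbot for $host first" >&2; return 1; }
    done
    render_tls_vhost "$host" "$port" "$live" > "$avail/$host-le-ssl.conf"
    echo "wrote $avail/$host-le-ssl.conf; next: a2ensite $host-le-ssl, apachectl configtest, apachectl -S"
}
```

After installing the file, apachectl configtest catches syntax errors and apachectl -S (as recommended above) shows whether the new ServerName collides with anything still active in 000-default-le-ssl.conf before you reload Apache.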
Getting new certs with nginx.
There doesn’t seem to be quite the same level of automation for Nginx-hosted sites as for the Apache ones.
Short answer: the installation instructions given need to be read until they are completely understood. So I’ll be installing again, for a third time.
GNU MediaGoblin 0.8.0: I accidentally set it to use SQLite instead of PostgreSQL, the intended database backend. No migration script exists, so a reinstall was needed.
GNU MediaGoblin 0.9.0: I managed to install 0.9.0 using Py2 instead of Py3.
GNU MediaGoblin 0.9.0 with Python 3 is what I am aiming for the third time around. UPDATE: it seems installation of GNU MediaGoblin 0.9.0 with Python 3 support is currently impossible if the idea is to use flup and FCGI. Follow this ticket for updates on the situation.
Since installation using Python 3 is impossible at the moment, I have installed the Py2 version instead at https://media.consumium.org, using Py2, Nginx and FCGI to serve the content.