Skip to content

Latest commit

 

History

History
132 lines (92 loc) · 4.27 KB

install_nginx_wsgi.md

File metadata and controls

132 lines (92 loc) · 4.27 KB
Raw

Installation on NGINX runnig on CentOS

The setup is done in a way that uWSGI will serve acme2certifier while NGINX will act as reverse proxy to provide better connection handling.

A readymade shell script performing the below tasks will can be found in the examples/install_scripts directory.

  1. download the archive and unpack it into a temporary directory.
cd /tmp
curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
tar xvfz a2c-master.tgz
cd /tmp/acme2certifier-master
  1. Install missing packages
sudo yum install -y epel-release
sudo yum update -y
sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
  1. Setup your project directory
sudo mkdir /opt/acme2certifier
  1. Install the missing python modules
sudo pip install -r /opt/acme2certifier/requirements.txt
  1. create a configuration file acme_srv.cfg in /opt/acme2certifier/acme_srv/ or use the example stored in the examples directory
  2. modify the configuration file according to you needs
  3. set the handler_file parameter in acme_srv.cfg or copy the correct ca handler from /opt/acme2certifier/examples/ca_handler directory to /opt/acme2certifier/acme_srv/ca_handler.py
  4. configure the connection to your ca server. Example for Insta Certifier
  5. activate the wsgi database handler
sudo cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py
  1. copy the application file "acme2certifer_wsgi.py" from examples directory
sudo cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
  1. set the correct permissions to the acme_srv-subdirectory
sudo chmod a+x /opt/acme2certifier/acme_srv
  1. set the ownership of the acme_srv subdirectory to the user running nginx
sudo chown -R nginx /opt/acme2certifier/acme_srv
  1. Test acme2certifier by starting the application
cd /opt/acme2certifier
sudo uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py
  1. Check access to directory resource in a parallel session to verify that everything works so far
curl http://127.0.0.1:8000/directory
{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <[email protected]>"}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}$
  1. create an uWSGI config file or use the one stored in examples/nginx directory
sudo cp examples/nginx/acme2certifier.ini /opt/acme2certifier
  1. activate python3 module in uWSGI config file
sudo echo "plugins = python3" >> examples/nginx/acme2certifier.ini
  1. Create a Systemd Unit File for uWSGI or use the one stored in excample/nginx directory
sudo cp examples/nginx/uwsgi.service /etc/systemd/system/
sudo systemctl enable uwsgi.service
  1. start uWSGI as service
sudo systemctl start uwsgi
  1. configure NGINX as reverse proxy or use example stored in examples/nginx directory and modify it according to your needs
sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
  1. restart nginx
sudo systemctl restart nginx
  1. adapt SELinux configuration by applying a customized policy allowing nginx to communicate with uwsgi by using Unix sockets
sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
sudo semodule -i acme2certifier.pp
  1. test the server by accessing the directory resource
curl http://<your server name>/directory

The above command should result in an error as the Selinx configuration needs to be adapted.