Skadi Pack 02: Secure Networking
This add-on pack is used to upgrade the default Skadi 2019.1 installation to use either self-signed or Letsencrypt provided TLS certificates.
The first portion of this script uses mkcert to create a local CA, issue self-signed TLS certificates for the Skadi server, and configure Nginx to serve TLS with them. It then installs and configures Fail2Ban to protect against brute-force authentication attacks; Fail2Ban is set up to monitor failed SSH and Nginx proxy authentication attempts and ban the offending source addresses.
The second portion of the script is optional. It uses Certbot to obtain Letsencrypt-validated TLS certificates and replaces the self-signed certificates with them.
This script will perform the following tasks:
- Ask for and validate the hostname to use
- Update Nginx to use the hostname provided
- Use mkcert to create and install self-signed certs
- Install and configure fail2ban
Generating the Diffie-Hellman parameters (dhparam) takes a long time. Be patient.
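As an added example (not code from the Skadi scripts), the following shell function emulates what the two Fail2Ban jails described above do: it scans a log excerpt for failed SSH logins and failed Nginx basic-auth attempts, counts failures per client IP, and reports the addresses that reached a `maxretry` threshold. The log lines are constructed for the example; the match patterns are simplified versions of fail2ban's stock `sshd` and `nginx-http-auth` filters, and the assumption that the Nginx proxy uses HTTP basic authentication is the example's own.

```shell
#!/usr/bin/env bash
# Added example, not Skadi's code: emulate a fail2ban jail over a log excerpt
# so the SSH and Nginx monitoring can be sanity-checked offline.
# The log lines below are constructed for this example; the sshd and nginx
# line formats match what those daemons write.

SAMPLE_SSHD_LOG=$(cat <<'EOF'
Mar 16 10:01:02 skadi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 16 10:01:05 skadi sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 16 10:01:09 skadi sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 16 10:01:20 skadi sshd[1237]: Failed password for skadi from 198.51.100.7 port 40000 ssh2
Mar 16 10:01:30 skadi sshd[1238]: Accepted publickey for skadi from 198.51.100.7 port 40002 ssh2
EOF
)

SAMPLE_NGINX_LOG=$(cat <<'EOF'
2019/03/16 10:02:00 [error] 12#12: *3 user "admin": password mismatch, client: 203.0.113.9, server: my.example.com, request: "GET / HTTP/1.1", host: "my.example.com"
2019/03/16 10:02:01 [error] 12#12: *4 user "bob" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.9, server: my.example.com, request: "GET / HTTP/1.1", host: "my.example.com"
2019/03/16 10:02:03 [error] 12#12: *5 user "admin": password mismatch, client: 203.0.113.9, server: my.example.com, request: "GET / HTTP/1.1", host: "my.example.com"
2019/03/16 10:02:09 [error] 12#12: *6 user "admin": password mismatch, client: 198.51.100.7, server: my.example.com, request: "GET / HTTP/1.1", host: "my.example.com"
EOF
)

# offenders JAIL MAXRETRY  (log on stdin)
# Prints, one per line (sorted), each client IP with at least MAXRETRY
# failures for the named jail. JAIL is "sshd" or "nginx-http-auth"; the
# regexes are simplified forms of fail2ban's stock filters of the same names.
offenders() {
  local jail="$1" maxretry="$2" match extract
  case "$jail" in
    sshd)
      match='sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port'
      extract='s/.* from ([0-9.]+) port .*/\1/' ;;
    nginx-http-auth)
      match='\[error\] .* user "[^"]*"(: password mismatch| was not found in "[^"]*"), client: [0-9.]+,'
      extract='s/.* client: ([0-9.]+),.*/\1/' ;;
    *) echo "unknown jail: $jail" >&2; return 2 ;;
  esac
  # keep only failure lines, pull out the client IP, count per IP, apply threshold
  grep -E "$match" | sed -E "$extract" | sort | uniq -c \
    | awk -v n="$maxretry" '$1 >= n { print $2 }'
}

# Example runs against the constructed excerpts:
# printf '%s\n' "$SAMPLE_SSHD_LOG"  | offenders sshd 3             -> 203.0.113.5
# printf '%s\n' "$SAMPLE_NGINX_LOG" | offenders nginx-http-auth 3  -> 203.0.113.9
```

Piping the real `/var/log/auth.log` or the Nginx container's error log through `offenders` is a quick way to confirm the log format matches what the jail expects; if nothing comes out for a known burst of failures, the jail's filter or `logpath` is the first thing to check.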
Log Into Skadi 2019.x
This script, and these instructions, were written specifically for Skadi 2019.1. It is assumed that the user is executing the following commands on a machine built from the Skadi 2019.1 OVA/Vagrant images or with the official, digitally signed, Skadi 2019.1 build script.
Use the following commands to start:

```bash
cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/secure_networking.sh
```
Self Signed vs Letsencrypt Certificates
At the end of the first phase the script installs self-signed certificates. This is perfectly fine for home and lab use, with one caveat: browsers trust a mkcert certificate only on machines where the mkcert root CA has been installed, so other clients will show a certificate warning.
Internet-facing, publicly accessible machines (such as cloud instances) should continue to the second phase, where valid TLS certificates issued by Letsencrypt replace the self-signed ones.
Make a Choice
When the script reaches this point it asks:

```
Would you like to install valid TLS certs using Certbot via ACME and Letsencrypt?
CAUTION: A FQDN (example: myhost.mydomain.com) with working DNS is required in order for Letsencrypt to access it via the Internet and complete the installation process.
Type Yes to continue or No to stop the script:
```
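Before answering Yes it is worth checking the things the CAUTION depends on. The following preflight script is an added example, not part of Skadi's scripts: `is_fqdn` checks the name syntactically, `resolves_to` checks that its A record includes the address you expect, and `http01_reachable` checks that TCP port 80 (the port the http-01 challenge uses) answers. The function names and the `preflight` wrapper are the example's own; the resolver and port checks need network access, so only the syntax check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of Skadi's scripts: preflight checks for the
# Letsencrypt phase. Function names are the example's own.

# is_fqdn NAME
# Syntactic check against RFC 1123 host-name rules: labels of 1-63 letters,
# digits or hyphens with no leading/trailing hyphen, at least two labels,
# a top-level label starting with a letter (rejects bare IP literals, which
# ACME will not issue for), and at most 253 characters in total.
is_fqdn() {
  local name="$1"
  [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
  printf '%s\n' "$name" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# resolves_to NAME ADDR
# True if NAME resolves (IPv4) to ADDR. Uses the system resolver, so it
# needs network access; getent is part of glibc.
resolves_to() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | grep -qx "$2"
}

# http01_reachable NAME
# The http-01 challenge needs TCP/80 on NAME open to the Internet. This only
# shows the port answers from here, a necessary but not sufficient condition;
# a firewall may still block Letsencrypt's validators.
http01_reachable() {
  command -v nc >/dev/null || return 2
  nc -z -w 3 "$1" 80
}

# preflight NAME ADDR: run all three checks, explaining the first failure.
preflight() {
  local name="$1" addr="$2"
  is_fqdn "$name"             || { echo "not an FQDN: $name" >&2; return 1; }
  resolves_to "$name" "$addr" || { echo "$name does not resolve to $addr" >&2; return 1; }
  http01_reachable "$name"    || { echo "port 80 on $name not reachable" >&2; return 1; }
  echo "preflight OK for $name ($addr)"
}

# Usage on the host, with your own name and public address:
# preflight my.example.com 203.0.113.10
```

ADDR should be the address the Internet sees for the host (on a cloud instance that is the public or elastic IP, not the interface address shown by `ip addr`), since that is what the DNS record must point at.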
If you answer No, the script ends here.
NOTE: The TLS script is located at /opt/Skadi/scripts/install_tls_certs.sh and can be run separately at any later time, once secure_networking.sh has already been run:

```bash
cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/install_tls_certs.sh
```
Certbot asks the following questions; answer them to continue:

```
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
```

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
```
Successful Results <my.example.com>
If the output looks substantially different from this, some troubleshooting is required:

```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Stopping Nginx Docker
nginx
Updating the /etc/nginx/conf.d/ to use letsencrypt certificates
Staring nginx container
nginx
Nginx Docker container has been restarted and changes applied
Letsencrypt has been used to install valid TLS certificates
 - Certificates are stored in /etc/nginx/certs/letsencrypt/live/my.example.com/
For further info on Letsencrypt certs please see: https://letsencrypt.org/
Visit https://my.example.com to verify installation
```

Letsencrypt certificates are valid for 90 days (note the expiry date in the output above), so `certbot renew` needs to run on a schedule, and the Nginx container must be restarted afterwards so it loads the renewed files.