PREREQUISITES
GoDaddy sent me this unique ID along with instructions on how to verify domain ownership (https://www.godaddy.com/help/verify-domain-ownership-html-or-dns-7452):
gotrk05351r51q72butu6oggcr
To verify through an HTML page, create the directories GoDaddy asked for:
$ sudo mkdir /usr/share/nginx/html/.well-known
$ sudo mkdir /usr/share/nginx/html/.well-known/pki-validation
Paste the unique ID into the file:
$ sudo vi /usr/share/nginx/html/.well-known/pki-validation/godaddy.html
v2asb963nb732eaf8cf03lc0d4
Then open this URL in a browser; you should see the ID:
https://moodle.na.edu/.well-known/pki-validation/godaddy.html
v2asb963nb732eaf8cf03lc0d4
Go back to the GoDaddy Certificate Request Verification page and click Check My Update; you should see a green validation response that says:
We have verified your domain. Please allow 5-10 minutes for this to take affect.
SETUP SSL
Create the private key:
$ sudo openssl genrsa -out moodle2017.key 2048
Create the CSR:
$ sudo openssl req -new -key moodle2017.key -out moodle2017.csr
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TEXAS
Locality Name (eg, city) [Default City]:HOUSTON
Organization Name (eg, company) [Default Company Ltd]:NORTH AMERICAN UNIVERSITY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:moodle.na.edu
Email Address []:msen@na.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now verify the CSR file. This only confirms that the CSR is well-formed and its self-signature checks out; you don't do anything further with this output:
$ openssl req -text -noout -verify -in moodle2017.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    01:9e:2c:83:4f:18:44:22:35:54:67:8e:12:34:b2:
                    7a:a9:b3:f2:88:7f:4f:61:66:22:b0:57:f5:f4:52:
                    25:5a:db:ab:25:e5:11:4f:98:72:52:b3:89:05:79:
                    93:5a:4f:74:e3:a0:e3:81:09:a4:61:8d:9f:6b:11:
                    0c:10:9c:ef:b9:53:98:51:69:71:06:36:3b:c7:f2:
                    d7:ab:0b:b6:f9:60:c5:cf:99:41:ce:7e:a5:a0:f9:
                    32:cd:0c:5e:38:7d:84:fc:97:f2:cb:2b:23:d9:33:
                    88:3e:97:25:ac:39:6e:fc:8e:31:1d:7b:0e:d8:07:
                    ef:42:4d:4d:a1:d6:67:40:a7:c2:70:47:6c:c2:55:
                    f8:81:bf:04:a7:3c:4d:62:eb:d2:96:29:e5:2f:c3:
                    90:dc:2a:6f:9b:b6:b7:f6:11:51:50:37:51:12:53:
                    db:71:4d:65:4d:bb:c2:67:1c:64:8d:21:32:af:03:
                    c3:82:8b:5f:e0:f5:16:e0:1b:92:96:33:7f:db:d7:
                    32:a8:7b:f5:b8:fc:51:80:04:a0:31:80:2f:4d:23:
                    03:ad:a9:16:8c:2c:94:78:d0:18:37:2d:f5:6b:b4:
                    38:b5:32:e3:69:01:71:cb:89:b4:4d:40:f9:08:08:
                    0e:01:86:27:92:e3:62:48:cb:c2:9f:2d:17:d9:d3:
                    76:b7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         0f:2c:0f:c5:ea:db:65:a9:0c:9e:07:4f:d7:91:e1:9e:fe:8c:
         11:08:03:db:78:20:47:dc:fb:93:07:b7:34:7a:1b:4d:71:ec:
         37:f1:76:f3:9f:35:6f:43:bf:6a:c1:52:97:04:b6:04:5f:e1:
         24:b4:e4:5a:c2:6f:98:7e:47:dc:58:07:92:79:f2:31:e9:45:
         4e:81:fc:5d:a6:ab:46:3b:c9:90:28:78:c9:41:1a:48:40:f5:
         bf:d8:25:96:e6:b2:0c:1f:61:2f:0e:bb:57:af:9b:65:5d:79:
         51:12:0e:90:fe:d4:da:5f:9b:fc:a3:e3:97:c1:f7:de:46:58:
         4a:11:e7:84:b4:49:1f:4e:07:f1:44:35:d3:36:be:f4:67:63:
         e9:01:55:f2:53:49:ac:3b:b2:69:51:ef:1c:a8:a6:4c:13:10:
         90:47:34:96:42:3d:34:49:aa:44:65:41:15:4f:40:be:b1:b1:
         30:9b:dc:ca:26:4b:8d:99:a3:bd:d4:20:f5:d6:a2:58:5f:da:
         34:8c:e0:4b:4a:b9:c0:bc:2d:32:a3:5e:55:e9:46:d9:c4:ed:
         8f:cb:8f:68:d7:cf:91:95:7b:78:55:a9:fd:5e:0d:49:43:7a:
         65:1c:dc:15:bf:91:af:5d:2c:cc:bb:c5:68:3c:72:b9:79:44:
         6b:aa:79:38
I gave the content of the newly generated moodle2017.csr (the PEM block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) to Khudoyor:
$ sudo vi moodle2017.csr
Khudoyor bought the new crt and bundle files from GoDaddy again. I renamed them to moodle2017.crt and moodle2017_bundle.crt, then moved only moodle2017.crt to the /tmp/ folder on haproxy3 using FileZilla, and from there to /etc/pki/tls/certs/. We don't do anything with moodle2017_bundle.crt, only with moodle2017.crt.
Move moodle2017.crt to the certificates folder:
$ sudo mv /tmp/moodle2017.crt /etc/pki/tls/certs/
Generate moodle2017.pem (certificate followed by key) and point the haproxy config at it. Run the concatenation in the directory that contains both files:
$ sudo bash -c 'cat moodle2017.crt moodle2017.key > moodle2017.pem'
Finally, you only need to point the crt directive at the new pem file:
$ sudo vi /etc/haproxy/haproxy.cfg
...
frontend main
    bind *:80
    mode http
    # specify port and certs
    bind *:443 ssl crt /etc/pki/tls/certs/moodle2017.pem
    # adds the https header to the end of the incoming request
    reqadd X-Forwarded-Proto:\ https
    # a security policy to prevent against downgrade attacks
    rspadd Strict-Transport-Security:\ max-age=31536000
    option http-server-close
    option forwardfor
    default_backend webapp-main
...
Restart haproxy:
$ sudo systemctl restart haproxy
Show the HAProxy version and build options:
$ haproxy -vv
Wait a little, then open the site in a browser and check it.
The final haproxy config looks like this:
$ sudo vi /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    # max per-process number of SSL connections
    maxsslconn 2000
    # set 2048 bits for Diffie-Hellman key
    tune.ssl.default-dh-param 2048
    #disable SSLv3 because it is not secure anymore
    #ssl-default-bind-options no-sslv3

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     10000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 2000

#---------------------------------------------------------------------
# HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 2s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth username:password
    stats admin if TRUE

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    mode http
    # specify port and certs
    bind *:443 ssl crt /etc/pki/tls/certs/moodle2017.pem
    # adds the https header to the end of the incoming request
    reqadd X-Forwarded-Proto:\ https
    # a security policy to prevent against downgrade attacks
    rspadd Strict-Transport-Security:\ max-age=31536000
    option http-server-close
    option forwardfor
    default_backend webapp-main

# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webapp-main
    mode http
    # uncomment this later if you want to redirect only as https
    #redirect scheme https if !{ ssl_fc }
    balance roundrobin
    server web1 10.10.4.21:80 maxconn 250 check
    server web2 10.10.4.22:80 maxconn 250 check
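As an added example, not part of the original notes, the following shell function audits a haproxy.cfg for the hardening points visible in the config above: the commented-out no-sslv3 line, the commented-out HTTPS redirect, the HSTS header, and the stats page running with admin mode always on and placeholder credentials. The function names and the check list are my own; it needs only a POSIX shell with sed and grep, and uses haproxy -c -f for syntax validation when haproxy is installed.

```shell
#!/bin/sh
# audit_haproxy_cfg FILE
# Prints one finding per line and returns the number of findings
# (0 means every check passed). Comments are stripped first, so a
# directive that is only present commented out counts as missing.
audit_haproxy_cfg() {
    cfg=$1; n=0
    active=$(sed -e 's/[[:space:]]*#.*$//' "$cfg")

    # 1. SSLv3 must be disabled for every ssl bind (global option).
    #    Current deployments disable TLS 1.0/1.1 the same way.
    if ! printf '%s\n' "$active" | grep -q 'ssl-default-bind-options.*no-sslv3'; then
        echo "ssl-default-bind-options no-sslv3 is missing or commented out"; n=$((n+1))
    fi
    # 2. Plain HTTP should redirect to HTTPS; without it the HSTS header
    #    never reaches a first-time visitor who arrives over port 80.
    if ! printf '%s\n' "$active" | grep -q 'redirect scheme https'; then
        echo "no active 'redirect scheme https' rule: port 80 serves content in clear"; n=$((n+1))
    fi
    # 3. HSTS header must be added on the TLS frontend.
    if ! printf '%s\n' "$active" | grep -q 'Strict-Transport-Security'; then
        echo "Strict-Transport-Security header is not added"; n=$((n+1))
    fi
    # 4. Stats page: admin mode unconditionally on, placeholder credentials.
    if printf '%s\n' "$active" | grep -q 'stats admin if TRUE'; then
        echo "stats admin is enabled unconditionally (if TRUE)"; n=$((n+1))
    fi
    if printf '%s\n' "$active" | grep -q 'stats auth username:password'; then
        echo "stats auth still uses the placeholder username:password"; n=$((n+1))
    fi
    return $n
}

# check_haproxy_syntax FILE: real validation of the file, which
# "haproxy -vv" (version and build info) does not do. Skipped when the
# haproxy binary is not on PATH.
check_haproxy_syntax() {
    command -v haproxy >/dev/null 2>&1 || { echo "haproxy not installed; syntax check skipped"; return 0; }
    haproxy -c -f "$1"
}
```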