WHEN SSL IS EXPIRED FOR MOODLE

PREREQUISITES

GoDaddy sent me this unique ID along with instructions on how to verify: https://www.godaddy.com/help/verify-domain-ownership-html-or-dns-7452

gotrk05351r51q72butu6oggcr

To verify through an HTML page, create the directories GoDaddy asked for:
$ sudo mkdir -p /usr/share/nginx/html/.well-known/pki-validation

Copy and paste the unique ID into the file:
$ sudo vi /usr/share/nginx/html/.well-known/pki-validation/godaddy.html

v2asb963nb732eaf8cf03lc0d4

Then open this link; you should be able to see it:
https://moodle.na.edu/.well-known/pki-validation/godaddy.html

v2asb963nb732eaf8cf03lc0d4

Go back to the GoDaddy Certificate Request Verification page and click Check My Update; you should see a green validation response that says:
We have verified your domain. Please allow 5-10 minutes for this to take effect.


SETUP SSL

Create the private key:
$ sudo openssl genrsa -out moodle2017.key 2048
Create the CSR:
$ sudo openssl req -new -key moodle2017.key -out moodle2017.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TEXAS
Locality Name (eg, city) [Default City]:HOUSTON
Organization Name (eg, company) [Default Company Ltd]:NORTH AMERICAN UNIVERSITY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:moodle.na.edu
Email Address []:msen@na.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now verify the CSR file. This only confirms that the CSR is well formed; you don't do anything else with this output:
$ openssl req -text -noout -verify -in moodle2017.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
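The key and CSR steps above, as an added example that is not part of the original post: the same subject fields are passed with -subj so nothing has to be typed interactively, a subjectAltName is added (browsers ignore the CN on its own), and a digest of the public key is used to confirm that the CSR, and later the issued crt, really belong to the key. The SAN list and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the key and CSR
# non-interactively with the subject the post typed in, add a SAN entry,
# and confirm the CSR really belongs to the key before sending it off.
set -euo pipefail

# Subject fields as entered in the post; the SAN list is an assumption.
SUBJ="/C=US/ST=TEXAS/L=HOUSTON/O=NORTH AMERICAN UNIVERSITY/OU=IT/CN=moodle.na.edu"
SAN="DNS:moodle.na.edu"

# make_key_and_csr NAME -> writes NAME.key (mode 0600) and NAME.csr
make_key_and_csr() {
    local name="$1" cfg
    cfg=$(mktemp)
    # minimal req config: subject comes from -subj, SAN from the [san] section
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = %s\n' "$SAN" > "$cfg"
    # umask 077 keeps the private key unreadable by other users from the start
    ( umask 077 && openssl genrsa -out "$name.key" 2048 2>/dev/null )
    openssl req -new -key "$name.key" -out "$name.csr" -subj "$SUBJ" \
        -config "$cfg" -reqexts san
    rm -f "$cfg"
}

# pubkey_sha256 key|csr|crt FILE -> digest of the public key inside FILE.
# Equal digests mean key, CSR and (later) the issued crt belong together.
pubkey_sha256() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 1 ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# csr_has_san CSR HOST -> success if HOST is listed as a DNS SAN in the CSR
csr_has_san() {
    openssl req -in "$1" -noout -text | grep "DNS:$2" >/dev/null
}

# Usage: make_key_and_csr moodle2017
#        [ "$(pubkey_sha256 key moodle2017.key)" = "$(pubkey_sha256 csr moodle2017.csr)" ]
#        csr_has_san moodle2017.csr moodle.na.edu
```

Once the crt arrives from GoDaddy, the same comparison with `pubkey_sha256 crt moodle2017.crt` catches a certificate that was issued against an older key.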

I gave the content of the newly generated moodle2017.csr to Khudoyor.
$ sudo vi moodle2017.csr


Khudoyor bought the new crt and bundle file from GoDaddy again, which I renamed to moodle2017.crt and moodle2017_bundle.crt afterwards, and I moved only moodle2017.crt to the haproxy3 /tmp/ folder using FileZilla, then to the /etc/pki/tls/certs/ folder. Actually we don't do anything with moodle2017_bundle.crt, only with moodle2017.crt.

Let's move moodle2017.crt to the certificates folder:
$ sudo mv /tmp/moodle2017.crt /etc/pki/tls/certs/

We generate moodle2017.pem and point the haproxy config at it. Run this in the directory that holds both moodle2017.crt and moodle2017.key; the pem must end up at /etc/pki/tls/certs/moodle2017.pem, because that is the path haproxy.cfg references, and since it contains the private key it should stay readable by root only:
$ sudo bash -c 'cat moodle2017.crt moodle2017.key > moodle2017.pem'

Finally, you only need to change the pem file name in the haproxy config:
$ sudo vi /etc/haproxy/haproxy.cfg

...
frontend main
        bind *:80
        mode http
        # specify port and certs
        bind *:443 ssl  crt /etc/pki/tls/certs/moodle2017.pem
        # adds the https header to the end of the incoming request
        reqadd X-Forwarded-Proto:\ https
        # a security policy to prevent against downgrade attacks
        rspadd Strict-Transport-Security:\ max-age=31536000
        option http-server-close
        option forwardfor
        default_backend webapp-main
...

Restart haproxy:
$ sudo systemctl restart haproxy
Check the haproxy version and build info (including the OpenSSL it was built against):
$ haproxy -vv

Wait a little bit, then go to the browser and check it out!
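The pem, restart and browser check above, as an added example that is not from the post: it assembles the pem with the bundle included so clients receive the intermediate chain (the post's own cat command uses only crt and key), creates the file root-only, checks the certificate for expiry and against the key, and lets haproxy parse the config before reloading. Paths follow the post; deploy_pem, the use of reload instead of restart, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the HAProxy pem with
# the chain, check the certificate, and validate the config before reload.
set -euo pipefail

# build_haproxy_pem LEAF.crt BUNDLE.crt KEY OUT
# HAProxy wants: server cert, then intermediates, then the private key.
build_haproxy_pem() {
    local leaf="$1" bundle="$2" key="$3" out="$4"
    # umask 077: the file holds the private key, so create it root-only
    ( umask 077 && cat "$leaf" "$bundle" "$key" > "$out" )
    # sanity: leaf plus at least one intermediate, exactly one private key
    [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -ge 2 ] || return 1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$out")" -eq 1 ] || return 1
}

# cert_valid_for_days FILE DAYS -> success if the first cert in FILE does
# not expire within DAYS; run it from cron so the next expiry is noticed early.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_matches_key CRT KEY -> success if the cert was issued for this key
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# deploy_pem PEM (assumed wrapper): refuse to reload on an expired cert or a
# config that does not reference PEM, and let haproxy parse the config first
# so a typo does not take the site down. reload keeps existing connections.
deploy_pem() {
    local pem="$1" cfg="/etc/haproxy/haproxy.cfg"
    cert_valid_for_days "$pem" 1 || { echo "certificate expired or expiring" >&2; return 1; }
    grep "crt $pem" "$cfg" >/dev/null || { echo "$cfg does not use $pem" >&2; return 1; }
    haproxy -c -f "$cfg" && systemctl reload haproxy
}

# Usage with the post's paths (run as root, from the directory holding the key):
#   build_haproxy_pem /etc/pki/tls/certs/moodle2017.crt \
#       /etc/pki/tls/certs/moodle2017_bundle.crt moodle2017.key \
#       /etc/pki/tls/certs/moodle2017.pem
#   cert_matches_key /etc/pki/tls/certs/moodle2017.crt moodle2017.key
#   deploy_pem /etc/pki/tls/certs/moodle2017.pem
```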

The final haproxy config looks like this (note that ssl-default-bind-options no-sslv3 is still commented out in the global section):
$ sudo vi /etc/haproxy/haproxy.cfg

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    # max per-process number of SSL connections
    maxsslconn  2000
    # set 2048 bits for Diffie-Hellman key
    tune.ssl.default-dh-param 2048
    #disable SSLv3 because it is not secure anymore
    #ssl-default-bind-options no-sslv3
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     10000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 2000


#---------------------------------------------------------------------
# HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
  mode    http
  option forwardfor
  option httpclose
  stats   enable
  stats   show-legends
  stats   refresh           2s
  stats   uri               /stats
  stats   realm             Haproxy\ Statistics
  stats   auth              username:password
  stats   admin             if TRUE

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
        bind *:80
        mode http
        # specify port and certs
        bind *:443 ssl  crt /etc/pki/tls/certs/moodle2017.pem
        # adds the https header to the end of the incoming request
        reqadd X-Forwarded-Proto:\ https
        # a security policy to prevent against downgrade attacks
        rspadd Strict-Transport-Security:\ max-age=31536000
        option http-server-close
        option forwardfor
        default_backend webapp-main

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webapp-main
        mode http
        # uncomment this later if you want to redirect only as https
        #redirect scheme https if !{ ssl_fc }
        balance roundrobin

        server  web1 10.10.4.21:80 maxconn 250  check
        server  web2 10.10.4.22:80 maxconn 250  check