Closed easoncxz closed 3 years ago
Forgoing acme.sh's "Nginx mode" a la `--nginx`, in favour of the simpler "Webroot mode" a la `-w` aka `--webroot`, via the use of an always-on static serving of the `.well-known/` public directory. Guide:
Yeah, this command worked well with the above `--webroot` approach:

```sh
$ ./acme.sh --issue --webroot /var/www/letsencrypt-webroot/ --domain twitanalysis.easoncxz.com
```
Corresponding Nginx config:

```nginx
# /etc/nginx/conf.d/twitanalysis.easoncxz.com.conf
# https://www.linode.com/docs/guides/tls-deployment-best-practices-for-nginx/
server {
    listen 80;
    server_name twitanalysis.easoncxz.com;

    # Serve the ACME HTTP-01 challenge files straight from the webroot that
    # acme.sh --webroot writes into; `alias` replaces the matched prefix.
    # https://www.rmedgar.com/blog/using-acme-sh-with-nginx/
    location /.well-known/acme-challenge/ {
        alias /var/www/letsencrypt-webroot/.well-known/acme-challenge/;
    }

    # Everything else goes to HTTPS, preserving the original URI.
    location / {
        return 302 https://twitanalysis.easoncxz.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name twitanalysis.easoncxz.com;

    # Placeholders; in practice these point at the fullchain.pem and key.pem
    # written by `acme.sh --install-cert` (see below).
    ssl_certificate some-cert.pem;
    ssl_certificate_key some-key.pem;

    #ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Reverse-proxy to the Haskell app.
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
The resulting behaviour is that on port 80 and HTTP, the `/.well-known/acme-challenge/` path will serve the static files, and other paths will redirect to port 443 HTTPS, which reverse-proxies to the Haskell app as normal.
Finishing off with acme.sh's `install-cert` command:

```sh
./acme.sh --install-cert -d twitanalysis.easoncxz.com \
    --cert-file somewhere/certs/twitanalysis.easoncxz.com/cert.pem \
    --key-file somewhere/certs/twitanalysis.easoncxz.com/key.pem \
    --fullchain-file somewhere/certs/twitanalysis.easoncxz.com/fullchain.pem \
    --reloadcmd 'systemctl reload nginx'
```
Hoping that in late May 2021, the auto-renewal will Just Work.
SSL is fixed for now.
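The port-80 behaviour described above (challenge directory served statically, everything else redirected to HTTPS), as an added example that is not part of the original issue, of acme.sh or of nginx: a small Python model of that listener, plus the pre-issue self-test a practitioner would run before `--issue`, which drops a random token into the webroot and fetches it back over plain HTTP the way the CA does. The loopback port, the throwaway webroot and the hostname used in the redirect are assumptions of the example.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_handler(webroot, https_host):
    """Behave like the port-80 server block above: the challenge prefix is
    served from <webroot>/.well-known/acme-challenge/ (the `alias` location),
    every other path gets 302 to https://<https_host><request uri>."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(CHALLENGE_PREFIX):
                self.send_response(302)
                self.send_header("Location", "https://" + https_host + self.path)
                self.end_headers()
                return
            token = self.path[len(CHALLENGE_PREFIX):]
            # Serve bare token file names only; refuse anything that could
            # walk out of the challenge directory.
            if not token or "/" in token or token in (".", ".."):
                self.send_error(404)
                return
            path = os.path.join(webroot, ".well-known", "acme-challenge", token)
            try:
                with open(path, "rb") as f:
                    body = f.read()
            except OSError:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_server(webroot, https_host):
    """Listen on a random loopback port (assumption: nothing else, e.g. nginx, is there)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(webroot, https_host))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def challenge_selftest(webroot, base_url):
    """Mimic what acme.sh --webroot does: write a random token file, then
    fetch it the way the CA does. True only if the exact bytes come back."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    expected = secrets.token_bytes(32)
    path = os.path.join(chal_dir, token)
    with open(path, "wb") as f:
        f.write(expected)
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=5) as r:
            return r.status == 200 and r.read() == expected
    except (urllib.error.URLError, OSError):
        return False
    finally:
        os.remove(path)  # acme.sh also cleans the token up after validation


def probe(base_url, path):
    """GET without following redirects; return (status, Location header or None)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 302 as an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url + path, timeout=5) as r:
            return r.status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def demo():
    """Run the model listener on a temporary webroot and exercise all three paths."""
    with tempfile.TemporaryDirectory() as webroot:
        server = start_server(webroot, "twitanalysis.easoncxz.com")
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            return (
                challenge_selftest(webroot, base),          # token round-trips
                probe(base, "/login?next=/"),               # app path -> 302 to HTTPS
                probe(base, CHALLENGE_PREFIX + "no-such-token"),  # unknown token -> 404
            )
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against the real server the same self-test is just `challenge_selftest("/var/www/letsencrypt-webroot", "http://twitanalysis.easoncxz.com")` run as a user that can write the webroot: if it returns False, `acme.sh --issue --webroot` will fail for the same reason (wrong `alias` path, a catch-all redirect that also swallows `/.well-known/`, or permissions), and that is cheaper to find out than from the CA's error.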
The problem is that, despite server cronjob logs not showing it, the `acme.sh` command for renewing certificates has failed. Something about Nginx squatting port 80 and hence needing some "Nginx mode" for acme.sh usage. Reading: