HTTPS
As root:
./tools/update-certs.sh
This will generate one certificate containing all the subdomains and will put all the .pem files in /etc/letsencrypt/live/clementine-player.org, which is symlinked to /etc/apache2/ssl/clementine-player.org.
The certs are configured in the Apache config with:
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/clementine-player.org/cert.pem"
SSLCertificateChainFile "/etc/apache2/ssl/clementine-player.org/chain.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/clementine-player.org/privkey.pem"
This is the same for all of {builds,buildbot,images,spotify}.clementine-player.org.
{data,www}.clementine-player.org are hosted on AppEngine so they aren't updated automatically.
You will need to manually upload the generated certs to AppEngine. AppEngine expects the private key in a slightly different format, though, so you first need to generate that:
sudo openssl rsa -in privkey.pem -check | sudo tee rsa-privkey.pem
Then you should upload (you can just cat the files and paste the contents) fullchain.pem and rsa-privkey.pem on the developers console (and repeat for clementine-www).
The Apache SSL settings for better security (disabling RC4 & compression, etc.) are:
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
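One way to check a vhost fragment against the hardening settings above after a config change, as an added example that is not part of the original wiki. The function name audit_ssl_conf and the weak sample fragment are constructed for illustration.

```shell
# Added example (not from the wiki): audit an Apache TLS fragment on stdin
# against the hardening settings listed above. Exit 0 = clean, 1 = findings.
audit_ssl_conf() {
    awk '
    function flag(msg) { print "FINDING: " msg; n++ }
    /^[ \t]*#/ { next }                      # ignore comment lines
    { d = tolower($1) }                      # directive names are case-insensitive
    d == "sslcompression" { comp = tolower($2) }
    d == "sslprotocol" {
        seen_proto = 1
        for (i = 2; i <= NF; i++) {
            t = tolower($i); on = 1
            if (t ~ /^[+-]/) { on = (substr(t, 1, 1) == "+"); t = substr(t, 2) }
            # "all" is treated conservatively as covering SSLv2 and SSLv3.
            if (t == "all")   { v2 = on; v3 = on }
            if (t == "sslv2") { v2 = on }
            if (t == "sslv3") { v3 = on }
        }
    }
    d == "sslciphersuite" {
        seen_ciphers = 1
        spec = $NF; gsub(/"/, "", spec)      # cipher spec is the last argument
        k = split(spec, c, ":")
        for (i = 1; i <= k; i++)
            if (toupper(c[i]) ~ /RC4/ && c[i] !~ /^[!-]/)
                flag("cipher string allows RC4: " c[i])
    }
    END {
        if (comp != "off")   flag("SSLCompression is not explicitly off")
        if (!seen_proto)     flag("no SSLProtocol directive")
        if (v2)              flag("SSLv2 is enabled")
        if (v3)              flag("SSLv3 is enabled")
        if (!seen_ciphers)   flag("no SSLCipherSuite directive")
        exit (n > 0)
    }'
}

# The settings from this page (expected: clean).
page_conf='SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
# Constructed weak fragment (expected: three findings).
weak_conf='SSLProtocol All -SSLv2
SSLCipherSuite HIGH:RC4-SHA:!aNULL'
printf '%s\n' "$page_conf" | audit_ssl_conf && echo "page settings: clean"
printf '%s\n' "$weak_conf" | audit_ssl_conf || echo "weak fragment: findings above"
```

To audit a real file, feed it on stdin, for example `audit_ssl_conf < your-vhost.conf`, where the file name is a placeholder.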