fix certbot via pip

2025-04-25 22:45:22 -04:00 · 2023-01-01 09:16:12 -05:00 · 2023-01-01 09:16:12 -05:00 · e894dcd6f8
commit e894dcd6f8
parent e60498efd2
5 changed files with 41 additions and 19 deletions
--- a/etc/nginx/sites-available/default.conf
+++ b/etc/nginx/sites-available/default.conf
@ -1,23 +1,23 @@
 # catch-all nginx server

 server {
-	listen 80 default_server;
 	listen [::]:80 default_server;
+	listen 80 default_server;

 	server_name _;
 	return 444;
 }

 server {
-	listen 443 default_server;
 	listen [::]:443 default_server;
+	listen 443 default_server;

 	# intentionally cause an SSL error. this requires a snakeoil certificate, see:
 	# https://docs.j7k6.org/nginx-default-ssl-site/
 	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	ssl_reject_handshake on;
-	include /etc/letsencrypt/options-ssl-nginx.conf;
+	include snippets/ssl-params.conf;

 	server_name _;
 	return 444;
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@ -16,22 +16,21 @@ upstream streaming {
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

 server {
-	listen [::]:443 http2 ssl ipv6only=on;
+	listen [::]:443 http2 ssl;
 	listen 443 http2 ssl;

 	server_name mastodon.example.com;

 	root /home/mastodon/live/public;

+	# assumes certbot has been run, nginx will not start with this config enabled otherwise
 	ssl_certificate /etc/letsencrypt/live/mastodon.example.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/mastodon.example.com/privkey.pem;
-	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
-	# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
 	ssl_stapling on;
 	ssl_stapling_verify on;
-	ssl_trusted_certificate /etc/letsencrypt/live/mastodon.example.com/chain.pem;
+	include snippets/ssl-params.conf;

 	keepalive_timeout 30;
 	sendfile on;
--- a/etc/nginx/snippets/ssl-params.conf
+++ b/etc/nginx/snippets/ssl-params.conf
@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
--- a/scripts/customize.sh
+++ b/scripts/customize.sh
@ -76,8 +76,8 @@ fi
 if [ "$MASTODON_IS_GLITCH" = true ]; then
  set_default() {
    as_mastodon sed \
-      -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" \
-      -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js"
+      -i "$APP_ROOT/app/javascript/flavours/glitch/reducers/local_settings.js" \
+      -e "s/$1\s*:\s*.*/$1: $2, \/\/ updated by customize.sh/g" || true
  }

  set_default "show_reply_count" "true"
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -45,14 +45,13 @@ if ! id -u "$MASTODON_USER" >/dev/null 2>&1; then
 fi

 # install latest ubuntu updates & basic prerequisites
-sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  curl \
  wget \
  gnupg \
  apt-transport-https \
  lsb-release \
-  git \
  ca-certificates

 # add official postgresql apt repository
@ -69,7 +68,7 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nginx

 # install prerequisites:
 # https://docs.joinmastodon.org/admin/install/#system-packages
-sudo DEBIAN_FRONTEND=noninteractive apt-get update
+sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  autoconf \
  bison \
@ -78,6 +77,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  file \
  g++ \
  gcc \
+  git \
  imagemagick \
  libaugeas-dev \
  libffi-dev \
@ -99,6 +99,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  postgresql-contrib \
  protobuf-compiler \
  python3 \
+  python3-psycopg2 \
  python3-venv \
  redis-server \
  redis-tools \
@ -218,7 +219,7 @@ as_mastodon RAILS_ENV=production bundle exec rails assets:precompile
 sudo python3 -m venv /opt/certbot/
 sudo /opt/certbot/bin/pip install --upgrade pip
 sudo /opt/certbot/bin/pip install certbot certbot-nginx
-sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
+sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot

 # ensure nginx hasn't started itself
 sudo systemctl stop nginx
@ -238,8 +239,10 @@ sudo cp "$UTILS_ROOT"/etc/nginx/nginx.conf /etc/nginx/nginx.conf
 sudo sed -i /etc/nginx/nginx.conf -e "s|user nginx;|user $MASTODON_USER;|g"
 sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
 sudo cp -f "$UTILS_ROOT"/etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
-sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|mastodon.example.com|$MASTODON_DOMAIN|g"
-sudo sed -i /etc/nginx/sites-available/mastodon.conf -e "s|/home/mastodon/live|$APP_ROOT|g"
+sudo sed \
+  -i /etc/nginx/sites-available/mastodon.conf \
+  -e "s|mastodon.example.com|$MASTODON_DOMAIN|g" \
+  -e "s|/home/mastodon/live|$APP_ROOT|g"
 sudo ln -sf /etc/nginx/sites-available/mastodon.conf /etc/nginx/sites-enabled/mastodon.conf
 # sudo ln -sf /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
 sudo cp -f "$UTILS_ROOT"/etc/nginx/modules/* /usr/lib/nginx/modules/
@ -250,9 +253,11 @@ sudo cp "$UTILS_ROOT"/etc/systemd/system/mastodon-*.service /etc/systemd/system/

 # fix hard-coded paths and usernames in systemd files
 # (they already match the defaults from init.sh, so it's likely nothing will change)
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon/live|$APP_ROOT|g"
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|/home/mastodon|$MASTODON_ROOT|g"
-sudo sed -i /etc/systemd/system/mastodon-*.service -e "s|User=mastodon|User=$MASTODON_USER|g"
+sudo sed \
+  -i /etc/systemd/system/mastodon-*.service \
+  -e "s|/home/mastodon/live|$APP_ROOT|g" \
+  -e "s|/home/mastodon|$MASTODON_ROOT|g" \
+  -e "s|User=mastodon|User=$MASTODON_USER|g"

 # start everything up!
 sudo systemctl daemon-reload
@ -278,6 +283,10 @@ as_mastodon touch "$LOGS_ROOT"/cron.log
 (sudo crontab -l; echo -e "\n$INSTALLER_WUZ_HERE
@weekly  bash -c \"$UTILS_ROOT/scripts/weekly_cleanup.sh >> $LOGS_ROOT/cron.log 2>&1\"
@weekly  bash -c \"$UTILS_ROOT/scripts/backup.sh >> $LOGS_ROOT/cron.log 2>&1\"
+
+# automatically renew Let's Encrypt certificates
+# https://certbot.eff.org/instructions?ws=nginx&os=pip
+0 0,12 * * *  root  /opt/certbot/bin/python -c \"import random; import time; time.sleep(random.random() * 3600)\" && certbot renew -q
 ") | sudo crontab -

 echo "🎉 done! don't forget to fill in .env.production with optional credentials"