Let’s Encrypt / Certbot / NGINX / Cloudflare setup

Generate CloudFlare API token

  • Log in to Cloudflare
  • My Profile > API Token > Create Token
  • Use template from “Edit zone DNS”
  • Keep default values from “Permissions”
  • In “Zone Resources”, include only the domain for which the certificate will be generated
  • Copy generated token

docker-compose – Dockerfile

letsencrypt:
    build: ./folder-to-dockerfile/
    command: /bin/true
    volumes:
        - letsencrypt_certs:/etc/letsencrypt
        - letsencrypt_www:/var/www/letsencrypt
    container_name: letsencrypt
FROM certbot/dns-cloudflare

COPY my_secrets_settings.ini .

Where my_secrets_settings.ini contains the API token generated above. Certbot expects this file to be readable by its owner only (chmod 600), and since COPY bakes it into an image layer, the built image has to be protected like the token itself:

dns_cloudflare_api_token = your_api_token

Generate single entry certificate

docker-compose run --rm letsencrypt certonly -w /var/www/letsencrypt --dns-cloudflare --dns-cloudflare-credentials my_secrets_settings.ini -d losnia.com

Generate multiple entries certificate

docker-compose run --rm letsencrypt certonly -w /var/www/letsencrypt --dns-cloudflare --dns-cloudflare-credentials my_secrets_settings.ini -d losnia.com -d subdomain.losnia.com

Generate wildcard certificate

docker-compose run --rm letsencrypt certonly -w /var/www/letsencrypt --dns-cloudflare --dns-cloudflare-credentials my_secrets_settings.ini -d losnia.com -d "*.losnia.com"

NGINX configuration

Mount the same volumes as used by the Certbot container:

volumes:
        - letsencrypt_certs:/etc/nginx/certs
        - letsencrypt_www:/var/www/letsencrypt

Point NGINX at the generated certificate:

http {
    ssl_certificate certs/live/losnia.com/fullchain.pem;
    ssl_certificate_key certs/live/losnia.com/privkey.pem;

    include    /etc/nginx/conf.d/*;
}

WSL2 – Disable resolv.conf automatic generation / Update DNS servers

echo -e "[network]
generateResolvConf = false" > /etc/wsl.conf

rm /etc/resolv.conf

echo -e "options timeout:1 attempts:1 rotate
nameserver 1.1.1.1
nameserver 1.0.0.1" > /etc/resolv.conf

chattr -f +i /etc/resolv.conf

Debian Buster – Revert from nftables to iptables

Many programs, such as Docker or fail2ban, won’t work out of the box with nftables, which is now the default in Debian Buster.

To revert to the legacy iptables backend, run the following (iptables -V reports which backend is active: legacy or nf_tables):

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

To undo the change and go back to nftables:

update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
update-alternatives --set arptables /usr/sbin/arptables-nft
update-alternatives --set ebtables /usr/sbin/ebtables-nft

Quickly clear all your iptables

The policies are set to ACCEPT first so that flushing does not lock you out of a remote host; -F removes the rules and -X the user-defined chains of each table. Run the same commands with ip6tables for IPv6.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

Backup and restore all MySQL databases

To backup all databases at the same time:

mysqldump --user=[USER] --password=[PASSWORD] --all-databases > [BACKUP_FILENAME]

To restore a dump (in our case, all databases):

mysql -u [USER] -p < [BACKUP_FILENAME]
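An added wrapper around the two commands above (example code, not from the original post): it keeps the password off the command line, where --password=... is visible to every local user through ps and lands in shell history, and it refuses to keep a dump that lacks mysqldump's closing "-- Dump completed" trailer. BACKUP_DIR and the option-file path are assumptions; the option file holds a [client] section with user= and password= lines.

```shell
#!/bin/sh
# Assumed paths, not from the original post.
BACKUP_DIR=${BACKUP_DIR:-/var/backups/mysql}
CNF=${CNF:-/root/.mysql-backup.cnf}   # [client] user=... password=..., mode 600

# verify_dump FILE: mysqldump appends "-- Dump completed on <date>" only after it
# has written every database. A dump cut short (disk full, lost connection, wrong
# password) has no trailer. Returns 0 when the trailer is present, 1 otherwise.
verify_dump() {
    [ -s "$1" ] || { echo "verify_dump: $1 is missing or empty" >&2; return 1; }
    if tail -n 1 "$1" | grep -q '^-- Dump completed'; then
        return 0
    fi
    echo "verify_dump: $1 has no 'Dump completed' trailer, treat it as partial" >&2
    return 1
}

# backup_all: dump every database to a timestamped file and keep it only if it
# verifies. --defaults-extra-file must be the first mysqldump argument.
backup_all() {
    out="$BACKUP_DIR/all-databases-$(date +%Y%m%d-%H%M%S).sql"
    umask 077            # the dump holds every table's data: owner-readable only
    mkdir -p "$BACKUP_DIR"
    mysqldump --defaults-extra-file="$CNF" --all-databases \
        --single-transaction --routines --events > "$out" || { rm -f "$out"; return 1; }
    verify_dump "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}

# restore_all FILE: same option file, so no interactive -p prompt in cron jobs.
restore_all() {
    verify_dump "$1" || return 1
    mysql --defaults-extra-file="$CNF" < "$1"
}
```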

Create a self-signed SSL certificate

# AS USER

openssl genrsa 2048 > server.key
# -sha256 rather than -sha1: SHA-1 signatures are rejected by current browsers and TLS libraries
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key > server.crt
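An added check, not from the original post, for the fullchain.pem certbot writes into the letsencrypt_certs volume (the single-name, multi-name and wildcard requests in the Let's Encrypt section) as well as for the self-signed server.crt above: it fails when the certificate expires within the given number of days or when any listed host name is not covered by a subjectAltName entry, applying the one-label wildcard rule browsers use. The file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# cert_check PEM MIN_DAYS NAME...
# Returns 0 when PEM is still valid for at least MIN_DAYS more days and every NAME
# is covered by a subjectAltName DNS entry (a wildcard covers exactly one label).
# Returns 1 otherwise and explains why on stderr.
cert_check() {
    pem=$1; min_days=$2; shift 2
    # -checkend SECONDS exits non-zero when the certificate expires inside that window.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "cert_check: $pem expires within $min_days days" >&2
        return 1
    }
    # DNS SAN entries, one per line. In -text output they sit, comma separated, on
    # the line after the "Subject Alternative Name" header.
    sans=$(openssl x509 -in "$pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    for name in "$@"; do
        match=0
        # Read via heredoc: an unquoted "for san in $sans" would glob *.losnia.com.
        while IFS= read -r san; do
            case $san in
                "$name") match=1 ;;
                \*.*)
                    # *.losnia.com covers sub.losnia.com, not losnia.com or a.b.losnia.com
                    parent=${san#\*.}
                    if [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "$parent" ]; then
                        match=1
                    fi ;;
            esac
        done <<EOF
$sans
EOF
        if [ "$match" -eq 0 ]; then
            echo "cert_check: $pem does not cover $name (SANs: $(printf '%s' "$sans" | tr '\n' ' '))" >&2
            return 1
        fi
    done
}

# Usage (assumed path): cert_check.sh /etc/letsencrypt/live/losnia.com/fullchain.pem 14 losnia.com subdomain.losnia.com
if [ "$#" -ge 2 ]; then
    cert_check "$@"
fi
```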