Old 04-01-2016, 12:11 PM   #8
josh.p.23
Member
Posts: 18
Karma: 12
Join Date: Aug 2013
Device: android kindle app, FB Reader, several tablets
SOLUTION!

Hey, so I did finally get this to work. I actually shouted with joy and woke up my kids when it finally did!

For clarity's sake:
  • I am running calibre-server, installed from binary as described here, and daemonized into an upstart job using the instructions here.
  • I am running calibre-server on a headless Ubuntu 14.04 VPS.
  • I'm accessing calibre-server via Apache using a reverse proxy setup, as described here.
  • My goal was to install the official letsencrypt ACME client and get it to play nicely with my setup, so as to take advantage of totally hands-free, automated SSL certificate renewals.

To share the solution:
  • First, as mentioned above, I had to create a static alias for doing the update, since Calibre is served up dynamically and the ACME client calls for a static webroot folder for this. There are great instructions for setting up the LetsEncrypt webroot folder here. There are many advantages to this particular setup.
  • Next I had to alter the virtual host conf file for Calibre. It's quite simple, just add
    Code:
    RewriteCond %{REQUEST_URI} !/\.well-known/.*
    to the virtual host file just above the Rewrite Rules as shown below.
    Code:
    <VirtualHost *:80>
        ServerName example.com
        RewriteEngine on
     ---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
        RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
     ---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
        RewriteRule ^ http://localhost:8080 [proxy]
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
    </VirtualHost>
    Of course, don't keep those arrows... This works some Mod_Rewrite regex exclusion magic to allow the ACME client to access the "/.well-known" alias path internally and externally for verification purposes without interfering with the calibre-server rewrite proxy. This was where my head was banging against the wall for hours.
  • Assuming a standard letsencrypt client installation: Run the client as root like so:
    Code:
    /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/LEwebroot -d example.com
    And assuming no errors...
  • Perhaps automate future updates by looking here, and here for inspiration. Plenty of info out there if this isn't enough.
  • Now that the certs are in place, and automation is set up moving forward, it's time to alter the virtual host conf file again. This time I added a new virtual host as a redirect to the SSL protected connection like so:
    Code:
    <VirtualHost *:80>
    	ServerName example.com
    	Redirect permanent / https://example.com/
    </VirtualHost>
    and below that, this:
    Code:
    <VirtualHost *:443>
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        SSLHonorCipherOrder     on
        SSLCompression          off
        ServerSignature Off
        AcceptPathInfo Off
        AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
        AddDefaultCharset UTF-8
        SSLOptions +StrictRequire

        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

        ServerName example.com
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !/\.well-known/.*
        RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
        RewriteCond %{REQUEST_URI} !/\.well-known/.*
        RewriteRule ^ http://localhost:8080 [proxy]
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
    </VirtualHost>
  • Finally, restart Apache and PRESTO.
Following that simple process, Calibre-Server is set up with (forced) SSL encryption from LetsEncrypt with hands-free, automated certificate renewals (that optionally email you alerting you of your success).

I wanted to share that solution here because it was such a hassle for me, and hopefully someone can lean on this work.

Happy Day.
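The rewrite logic in the post's virtual hosts is easy to get subtly wrong, so here is a small Python model of it, added as an example and not code from the post, from calibre or from Apache. It reproduces what mod_rewrite does with the `RewriteCond %{REQUEST_URI} !/\.well-known/.*` / `RewriteRule ^(.*) http://localhost:8080/$1 [proxy]` pair so you can check which request paths are proxied to calibre-server and which fall through to the static Let's Encrypt webroot. It goes one step beyond the post by also modelling a tighter, anchored condition. The hostname, backend port and certificate/webroot paths are the post's own; the sample request URIs and the `route_*` function names are constructed for this example.

```python
"""Model of the mod_rewrite decisions in the post's virtual hosts.

Added example (not the post's, calibre's or Apache's own code). It mirrors
the RewriteCond/RewriteRule pairs closely enough to show which paths reach
calibre-server and which are left for the Let's Encrypt webroot alias.
"""
import re

CALIBRE_BACKEND = "http://localhost:8080"      # backend from the post
ACME_WEBROOT = "/var/www/LEwebroot"            # webroot from the post
PUBLIC_HOST = "https://example.com"            # hostname from the post

# RewriteCond %{REQUEST_URI} !/\.well-known/.*
# mod_rewrite *searches* the value for the pattern; it is not anchored at
# the start of the URI, so "/.well-known/" anywhere in the path matches.
POST_EXCLUDE = re.compile(r"/\.well-known/.*")

# A tighter alternative (assumption, not in the post): anchored at the start
# and limited to the ACME challenge directory.
ANCHORED_EXCLUDE = re.compile(r"^/\.well-known/acme-challenge/")

# RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
# In vhost context the pattern is matched against the URL path, which
# already starts with "/", so $1 keeps that leading slash.
PROXY_RULE = re.compile(r"^(.*)")


def route_http(request_uri: str) -> str:
    """Port 80 vhost after the redirect was added: everything goes to HTTPS.

    The ACME challenge still works because the client follows the redirect
    to the 443 vhost, which carries the same exclusion.
    """
    return f"redirect {PUBLIC_HOST}{request_uri}"


def _route(request_uri: str, exclude: re.Pattern) -> str:
    """Shared decision: the negated RewriteCond gates the proxy rule."""
    if exclude.search(request_uri):
        # "!" negates the condition: a match means the rule is skipped and
        # the request falls through to the static webroot alias.
        return f"static {ACME_WEBROOT}{request_uri}"
    # [proxy] implies last-rule, so the second RewriteRule in the post is
    # never reached once this one fires.
    path = PROXY_RULE.match(request_uri).group(1)
    return f"proxy {CALIBRE_BACKEND}/{path}"


def route_https(request_uri: str) -> str:
    """Port 443 vhost exactly as the post configures it."""
    return _route(request_uri, POST_EXCLUDE)


def route_https_anchored(request_uri: str) -> str:
    """Port 443 vhost with the anchored condition (added alternative)."""
    return _route(request_uri, ANCHORED_EXCLUDE)


if __name__ == "__main__":
    # Constructed sample requests, including an edge case the unanchored
    # pattern treats differently from the anchored one.
    samples = [
        "/",
        "/browse",
        "/.well-known/acme-challenge/constructed-token",
        "/books/.well-known/not-an-acme-path",
    ]
    for uri in samples:
        print(f"{uri:45} http -> {route_http(uri)}")
        print(f"{'':45} https(post) -> {route_https(uri)}")
        print(f"{'':45} https(anchored) -> {route_https_anchored(uri)}")
```

Two things the model makes visible: the post's unanchored condition also keeps any URI containing `/.well-known/` further down the path away from calibre-server, which is harmless for a book library but worth knowing, and the `^(.*)` capture in vhost context produces `http://localhost:8080//browse` with a doubled slash; if the backend ever objects to that, `^/(.*)` as the pattern avoids it.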