Hey, so I did finally get this to work. I actually shouted with joy and woke up my kids when it finally did!
For clarity's sake:
- I am running calibre-server, installed from binary as described here, and daemonized into an upstart job using the instructions here.
- I am running calibre-server on a headless Ubuntu 14.04 VPS.
- I'm accessing calibre-server via Apache using a reverse proxy setup, as described here.
- My goal was to install the official letsencrypt ACME client, and get it to play nicely with my setup, as to take advantage of totally hands-free, automated SSL certificate renewals.
To share the solution:
- First, as mentioned above, I had to create a static alias for doing the update, since Calibre is served up dynamically and the ACME client calls for a static webroot folder for this. There are great instructions for setting up the LetsEncrypt webroot folder here. There are many advantages to this particular setup.
- Next I had to alter the virtual host conf file for Calibre. It's quite simple, just add
Code:
RewriteCond %{REQUEST_URI} !/\.well-known/.*
to the virtual host file just above the Rewrite Rules as shown below.
Code:
<VirtualHost *:80>
ServerName example.com
RewriteEngine on
---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
---> RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^ http://localhost:8080 [proxy]
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
Of course, don't keep those arrows... This works some Mod_Rewrite regex exclusion magic to allow the ACME client to access the "/.well-known" alias path internally and externally for verification purposes without interfering with the calibre-server rewrite proxy. This was where my head was banging against the wall for hours.
- Assuming a standard letsencrypt client installation: Run the client as root like so:
Code:
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/LEwebroot -d example.com
And assuming no errors...
- Perhaps automate future updates by looking here, and here for inspiration. Plenty of info out there if this isn't enough.
- Now that the certs are in place, and automation is set up moving forward, it's time to alter the virtual host conf file again. This time I added a new virtual host as a redirect to the SSL protected connection like so:
Code:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
and below that, this:
Code:
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off
ServerSignature Off
AcceptPathInfo Off
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
AddDefaultCharset UTF-8
SSLOptions +StrictRequire
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
ServerName example.com
RewriteEngine on
RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^ http://localhost:8080 [proxy]
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
- Finally restart Apache and PRESTO.
Following that simple process Calibre-Server is set up with (forced) SSL encryption from LetsEncrypt with hands-free, automated certificate renewals (that optionally email you alerting you of your success).
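As an added illustration (not part of the original post), the following Python simulates how the port-80 redirect and the port-443 RewriteCond/RewriteRule block above route a request path, using a copy of those directives as constructed input; example.com and the TOKEN value are placeholders. It shows the exclusion keeping /.well-known/ requests out of the proxy so the Alias can serve the ACME challenge, and, because mod_rewrite searches the regex unanchored, that a Calibre path containing "/.well-known/" anywhere would also bypass the proxy.

```python
import re

# Copy of the rewrite directives from the port-443 virtual host in the post,
# embedded as constructed input so the simulation runs offline.
VHOST_443 = r"""
RewriteEngine on
RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^(.*) http://localhost:8080/$1 [proxy]
RewriteCond %{REQUEST_URI} !/\.well-known/.*
RewriteRule ^ http://localhost:8080 [proxy]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{REQUEST_URI\}\s+(!?)(\S+)")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)")


def parse_rules(config):
    """Return [(conditions, pattern, target)]; a condition is (negated, regex).
    Only the 'RewriteCond %{REQUEST_URI} ...' form used in the post is understood."""
    rules, pending = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := COND_RE.match(line):
            pending.append((m.group(1) == "!", re.compile(m.group(2))))
        elif m := RULE_RE.match(line):
            rules.append((pending, re.compile(m.group(1)), m.group(2)))
            pending = []
    return rules


def route_https(path, rules):
    """First RewriteRule whose pattern and all preceding conditions hold proxies the
    request; otherwise Apache serves the path itself (here: the /.well-known Alias).
    mod_rewrite searches regexes unanchored, so '/\\.well-known/.*' matches anywhere."""
    for conds, pattern, target in rules:
        m = pattern.search(path)
        if m and all(bool(rx.search(path)) != negated for negated, rx in conds):
            # Literal $N substitution: ^(.*) captures the leading slash, so the
            # proxied URL contains '//' exactly as the posted rule produces.
            return ("proxy", re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target))
    return ("local", path)


def route_http(path, host="example.com"):
    """The port-80 vhost: 'Redirect permanent / https://host/' keeps the path, so a
    challenge request arriving on port 80 is sent to HTTPS, where the port-443
    exclusion must serve it from the webroot."""
    return (301, f"https://{host}{path}")


if __name__ == "__main__":
    rules = parse_rules(VHOST_443)
    for p in ["/browse", "/.well-known/acme-challenge/TOKEN", "/books/.well-known/x"]:
        print(p, "->", route_http(p), "->", route_https(p, rules))
```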
I wanted to share that solution here because it was such a hassle for me, and hopefully someone can lean on this work.
Happy Day.