- Download and install YourKit Profiler, then enter your open source license key (available to all DSpace Committers).
- Open YourKit and select the "Connect to remote application..." option.
- Point it at "demo.dspace.org:10001" and start doing some profiling!
- If it's not running, start it using ~/yjp/bin/yjp.sh
- If needed, logs are in ~/.yjp/log/
Let's Encrypt free DV X.509 certificate
TODO: add to puppet scripts (install package, pull configuration from S3, create cron file)
First-time installation will validate domain ownership and generate a private key. Any subsequent certificate requests will reuse the private key. The /etc/letsencrypt directory should be backed up in private S3 storage (TODO).
The certificate is issued for 3 months. The script that checks whether a renewal is needed runs twice a day, at a random minute, from /etc/cron.d/certbot.
```
sudo apt-get install python-letsencrypt-apache

# register and request the first certificate, but do not change the Apache configuration (we'll do it manually)
sudo letsencrypt --apache certonly
Enter email address (used for urgent notices and lost key recovery)
sysadmin@duraspace.org
Which names would you like to activate HTTPS for?
[*] demo.dspace.org
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
  e-mails sent to sysadmin@duraspace.org.
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/demo.dspace.org/fullchain.pem. Your cert will
  expire on 2017-01-04. To obtain a new version of the certificate in
  the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt so making regular backups of this folder is ideal.

# replace self-signed certificates with Let's Encrypt certificates
sudo vim /etc/apache2/sites-enabled/25-ssl-demo.dspace.org.conf
## SSL directives
SSLEngine on
# SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem"
# SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
# SSLCACertificatePath "/etc/ssl/certs"
SSLCertificateFile /etc/letsencrypt/live/demo.dspace.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/demo.dspace.org/privkey.pem
# Note: SSLCACertificateFile sets the CAs trusted for client-certificate authentication.
# The intermediate chain is normally served via SSLCertificateChainFile (chain.pem) or,
# on Apache 2.4.8+, by pointing SSLCertificateFile at fullchain.pem.
SSLCACertificateFile /etc/letsencrypt/live/demo.dspace.org/fullchain.pem

# test renewal (dry run)
sudo letsencrypt renew --dry-run --agree-tos

# set up renewal from cron
sudo vim /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/letsencrypt && perl -e 'sleep int(rand(3600))' && letsencrypt -q renew
```
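Because renewal starts 30 days before expiry and the cron job runs quietly (`-q`), a broken renewal is easy to miss until the 3-month certificate lapses. The following is an added example, not part of the original page: it uses `openssl` to confirm that the live certificate still has a minimum number of days left and that `privkey.pem` matches `cert.pem`. The function names, the script name `check-cert.sh` and the 21-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example: health check for a Let's Encrypt lineage directory such as
# /etc/letsencrypt/live/demo.dspace.org. Function names and the 21-day
# threshold are assumptions, not part of the original page.

# Succeeds if cert.pem in directory $1 is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1/cert.pem" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if privkey.pem holds the private key for the public key in cert.pem.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Runs both checks on directory $1; $2 is the minimum remaining days (default 21).
check_lineage() {
    local dir=$1 min_days=${2:-21} rc=0
    if ! cert_valid_for "$dir" "$min_days"; then
        echo "WARN: $dir/cert.pem expires in under $min_days days; check the renew cron job" >&2
        rc=1
    fi
    if ! key_matches_cert "$dir"; then
        echo "WARN: $dir/privkey.pem does not match cert.pem" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: writes a throwaway self-signed cert.pem/privkey.pem
# pair into directory $1, valid for $2 days, so the checks can be tried offline.
make_sample_lineage() {
    mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed.example" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage (hypothetical script name): ./check-cert.sh /etc/letsencrypt/live/demo.dspace.org [min_days]
if [ "$#" -ge 1 ]; then
    check_lineage "$@"
fi
```

A non-zero exit status can be wired into whatever monitoring already watches the host; with the 30-day renewal window, fewer than 21 days remaining means renewal has been failing for over a week.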