Rodeo Four Production Server: Difference between revisions
Jump to navigation
Jump to search
Peterstevens (talk | contribs) Added logs and web root. |
Peterstevens (talk | contribs) Added backup and rollback scripts. |
||
| Line 24: | Line 24: | ||
==Configurations== | ==Configurations== | ||
=== Web Root === | ===Web Root=== | ||
* <code>/srv/users/serverpilot/apps/cesproduction/craft/public</code> | *<code>/srv/users/serverpilot/apps/cesproduction/craft/public</code> | ||
=== Logs === | ===Logs=== | ||
* <code>/srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/</code> | *<code>/srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/</code> | ||
===Cron jobs=== | ===Cron jobs=== | ||
| Line 46: | Line 46: | ||
<nowiki>/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt | <nowiki>/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt | ||
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.key</nowiki> | |||
The Let's Encrypt certificate and key are located at the following paths respectively: | The Let's Encrypt certificate and key are located at the following paths respectively: | ||
<nowiki>/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem | <nowiki>/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem | ||
/etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem</nowiki> | |||
The renewed InCommon certificate and key are inactive and located at the following paths respectively: | The renewed InCommon certificate and key are inactive and located at the following paths respectively: | ||
<nowiki>/etc/ssl/certs/ces.fas.harvard.edu.cer | <nowiki>/etc/ssl/certs/ces.fas.harvard.edu.cer | ||
/etc/ssl/private/ces.fas.harvard.edu.key</nowiki> | |||
====Cold standby==== | ====Cold standby==== | ||
| Line 63: | Line 63: | ||
====Updating certificate==== | ====Updating certificate==== | ||
See [https://www.robertwent.com/blog/using-letsencrypt-serverpilot/ here] for full instructions. | See [https://www.robertwent.com/blog/using-letsencrypt-serverpilot/ here] for full instructions. | ||
#Change directory: <code>/opt/certbot</code> | #Change directory: <code>/opt/certbot</code> | ||
#Execute: <code>./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu</code> | #Execute: <code>./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu</code> | ||
| Line 85: | Line 76: | ||
#Certbot removes the resource. | #Certbot removes the resource. | ||
#Let's encrypt issues the certificate. | #Let's encrypt issues the certificate. | ||
Backup and rollback scripts: | |||
<nowiki> | |||
#Backup | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem ~/Backups/YYYY-MM-DD_certificates/chain.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem ~/Backups/YYYY-MM-DD_certificates/fullchain.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem ~/Backups/YYYY-MM-DD_certificates/privkey.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/README ~/Backups/YYYY-MM-DD_certificates/README | |||
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.conf ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf | |||
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf ~/Backups/YYYY-MM-DD_vhosts/main.conf | |||
sudo cp /etc/nginx-sp/vhosts.d/ssl.conf ~/Backups/YYYY-MM-DD_vhosts/ssl.conf | |||
#Rollback | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/cert.pem /etc/letsencrypt/live/ces.fas.harvard.edu/cert.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/chain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/privkey.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/README /etc/letsencrypt/live/ces.fas.harvard.edu/README | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf /etc/nginx-sp/vhosts.d/cesproduction.conf | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/main.conf /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/ssl.conf /etc/nginx-sp/vhosts.d/ssl.conf</nowiki> | |||
==Installed software== | ==Installed software== | ||
Revision as of 16:48, 31 October 2019
| Web Production Server | |
| IP Address | 45.55.45.195 |
| Domain Name | ces.fas.harvard.edu |
| Droplet Name | ces.fas.harvard.edu-production |
| Operating System | Ubuntu 16.04 x64 |
| Host | DigitalOcean |
| Region | NYC3 |
| Public Launch Date | July 13, 2016 |
The web production server is a public-facing web application and database server that hosts the website. It was designed and developed by Mildly Geeky, with additional features and bug fixes performed by Shotgun Flat. The server was provisioned by Peter Stevens using a DigitalOcean droplet. It features directory information for Center affiliates, a calendar of events, information about opportunities provided by the Center, news relating to the Center and its affiliates, and publications.
Website updates
In July 2017, Gila Naderi began conversations with Mike McKenna on the 2018 Website Update Pilot Project.
Configurations
Web Root
/srv/users/serverpilot/apps/cesproduction/craft/public
Logs
/srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/
Cron jobs
- Every Sunday at 8am, the server will execute
/etc/cron.d/certrenewal. Note: the Let's Encrypt certificates may not be used by the web engine. They are stored as a standby in case of certificate lapses.
Database root
ServerPilot automatically generates a root account with a random password. The password is located in /root/.my.cnf.
Password authentication
Password authentication is temporarily turned on due to permission denied error messages.
SSL
The certificate is currently a Let's Encrypt certificate, which was installed on September 11, 2018, when the previous certificate expired without notification. The renewal was rejected, and a new one has been submitted and approved, but not yet installed. The expired InCommon certificate and key are located at the following paths respectively:
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt /etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.key
The Let's Encrypt certificate and key are located at the following paths respectively:
/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem
The renewed InCommon certificate and key are inactive and located at the following paths respectively:
/etc/ssl/certs/ces.fas.harvard.edu.cer /etc/ssl/private/ces.fas.harvard.edu.key
Cold standby
In case of certificate lapse, uncomment the lines located in /etc/nginx-sp/vhosts.d/ssl.conf which point to the Let's Encrypt certificate and key.
Updating certificate
See here for full instructions.
- Change directory:
/opt/certbot - Execute:
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu - Execute:
sudo service nginx-sp restart
This will update the certificate without modifying any configuration files. Server Pilot is touchy about modified configurations. This is what happens behind the scenes:
- Lets Encrypt gives certbot a challenge.
- Certbot places a resource with the challenge in a subdirectory of the web root, making it publicly visible.
- Let's Encrypt verifies the resource.
- Certbot removes the resource.
- Let's encrypt issues the certificate.
Backup and rollback scripts:
#Backup sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem ~/Backups/YYYY-MM-DD_certificates/chain.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem ~/Backups/YYYY-MM-DD_certificates/fullchain.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem ~/Backups/YYYY-MM-DD_certificates/privkey.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/README ~/Backups/YYYY-MM-DD_certificates/README sudo cp /etc/nginx-sp/vhosts.d/cesproduction.conf ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf sudo cp /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf ~/Backups/YYYY-MM-DD_vhosts/main.conf sudo cp /etc/nginx-sp/vhosts.d/ssl.conf ~/Backups/YYYY-MM-DD_vhosts/ssl.conf #Rollback sudo cp ~/Backups/YYYY-MM-DD_certificates/cert.pem /etc/letsencrypt/live/ces.fas.harvard.edu/cert.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/chain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/privkey.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/README /etc/letsencrypt/live/ces.fas.harvard.edu/README sudo cp ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf /etc/nginx-sp/vhosts.d/cesproduction.conf sudo cp ~/Backups/YYYY-MM-DD_vhosts/main.conf /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf sudo cp ~/Backups/YYYY-MM-DD_vhosts/ssl.conf /etc/nginx-sp/vhosts.d/ssl.conf
Installed software
- Apache 2.4.34
- MySQL 14.14 Distrib 5.7.23
- nginx 1.15.2
- PHP 7.0.31
- ServerPilot
- certbot
Web applications
- Craft CMS 2.6.2911
PHP modules
- bcmath
- bz2
- calendar
- Core
- ctype
- curl
- date
- dom
- exif
- fileinfo
- filter
- ftp
- gd
- gettext
- gmp
- hash
- iconv
- imagick
- imap
- intl
- json
- ldap
- libxml
- mbstring
- mcrypt
- mysqli
- mysqlnd
- odbc
- openssl
- pcntl
- pcre
- PDO
- pdo_dblib
- pdo_mysql
- PDO_ODBC
- pdo_pgsql
- pdo_sqlite
- pgsql
- Phar
- posix
- readline
- Reflection
- session
- shmop
- SimpleXML
- snmp
- soap
- sockets
- SPL
- sqlite3
- standard
- tidy
- tokenizer
- xml
- xmlreader
- xmlrpc
- xmlwriter
- xsl
- Zend OPcache
- zip
- zlib