Rodeo Four Production Server

From CES IT Wiki
Revision as of 18:51, 2 June 2020 by Peterstevens (talk | contribs) (Peterstevens moved page Web Production Server to Rodeo Four Production Server: To distinguish it from the new production server.)
Jump to navigation Jump to search
Web Production Server
IP Address 45.55.45.195
Domain Name ces.fas.harvard.edu
Droplet Name ces.fas.harvard.edu-production
Operating System Ubuntu 16.04 x64
Host DigitalOcean
Region NYC3
Public Launch Date July 13, 2016

The web production server is a public-facing web application and database server that hosts the website. It was designed and developed by Mildly Geeky, with additional features and bug fixes performed by Shotgun Flat. The server was provisioned by Peter Stevens using a DigitalOcean droplet. It features directory information for Center affiliates, a calendar of events, information about opportunities provided by the Center, news relating to the Center and its affiliates, and publications.

Website updates

In July 2017, Gila Naderi began conversations with Mike McKenna on the 2018 Website Update Pilot Project.

Configurations

Web Root

  • /srv/users/serverpilot/apps/cesproduction/craft/public

Logs

  • /srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/

Cron jobs

  • Every Sunday at 8am, the server will execute /etc/cron.d/certrenewal. Note: the Let's Encrypt certificates may not be used by the web engine. They are stored as a standby in case of certificate lapses.

Database root

ServerPilot automatically generates a root account with a random password. The password is located in /root/.my.cnf.

Password authentication

Password authentication is temporarily turned on due to permission denied error messages.

SSL

The certificate is currently a Let's Encrypt certificate, which was installed on September 11, 2018, when the previous certificate expired without notification. The renewal was rejected, and a new one has been submitted and approved, but not yet installed. The expired InCommon certificate and key are located at the following paths respectively: 

/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt
  /etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.key

The Let's Encrypt certificate and key are located at the following paths respectively: 

/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem
  /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem

The renewed InCommon certificate and key are inactive and located at the following paths respectively: 

/etc/ssl/certs/ces.fas.harvard.edu.cer
  /etc/ssl/private/ces.fas.harvard.edu.key

Cold standby

In case of certificate lapse, uncomment the lines located in /etc/nginx-sp/vhosts.d/ssl.conf which point to the Let's Encrypt certificate and key.

Updating certificate

See here for full instructions. 

#Backup
mkdir ~/Backups/YYYY-MM-DD_certificates
mkdir ~/Backups/YYYY-MM-DD_vhosts
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem  ~/Backups/YYYY-MM-DD_certificates/chain.pem
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem ~/Backups/YYYY-MM-DD_certificates/fullchain.pem
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem ~/Backups/YYYY-MM-DD_certificates/privkey.pem
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/README  ~/Backups/YYYY-MM-DD_certificates/README
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.conf  ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf  ~/Backups/YYYY-MM-DD_vhosts/main.conf
sudo cp /etc/nginx-sp/vhosts.d/ssl.conf  ~/Backups/YYYY-MM-DD_vhosts/ssl.conf
cd /opt/certbot
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu
sudo service nginx-sp restart

#Rollback
sudo cp ~/Backups/YYYY-MM-DD_certificates/cert.pem /etc/letsencrypt/live/ces.fas.harvard.edu/cert.pem
sudo cp ~/Backups/YYYY-MM-DD_certificates/chain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem
sudo cp ~/Backups/YYYY-MM-DD_certificates/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem
sudo cp ~/Backups/YYYY-MM-DD_certificates/privkey.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem
sudo cp ~/Backups/YYYY-MM-DD_certificates/README /etc/letsencrypt/live/ces.fas.harvard.edu/README
sudo cp ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf /etc/nginx-sp/vhosts.d/cesproduction.conf
sudo cp ~/Backups/YYYY-MM-DD_vhosts/main.conf /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf
sudo cp ~/Backups/YYYY-MM-DD_vhosts/ssl.conf /etc/nginx-sp/vhosts.d/ssl.conf

This will update the certificate without modifying any configuration files. Server Pilot is touchy about modified configurations. This is what happens behind the scenes:

  1. Lets Encrypt gives certbot a challenge.
  2. Certbot places a resource with the challenge in a subdirectory of the web root, making it publicly visible.
  3. Let's Encrypt verifies the resource.
  4. Certbot removes the resource.
  5. Let's encrypt issues the certificate.

Installed software

  • Apache 2.4.34
  • MySQL 14.14 Distrib 5.7.23
  • nginx 1.15.2
  • PHP 7.0.31
  • ServerPilot
  • certbot

Web applications

  • Craft CMS 2.6.2911

PHP modules

  • bcmath
  • bz2
  • calendar
  • Core
  • ctype
  • curl
  • date
  • dom
  • exif
  • fileinfo
  • filter
  • ftp
  • gd
  • gettext
  • gmp
  • hash
  • iconv
  • imagick
  • imap
  • intl
  • json
  • ldap
  • libxml
  • mbstring
  • mcrypt
  • mysqli
  • mysqlnd
  • odbc
  • openssl
  • pcntl
  • pcre
  • PDO
  • pdo_dblib
  • pdo_mysql
  • PDO_ODBC
  • pdo_pgsql
  • pdo_sqlite
  • pgsql
  • Phar
  • posix
  • readline
  • Reflection
  • session
  • shmop
  • SimpleXML
  • snmp
  • soap
  • sockets
  • SPL
  • sqlite3
  • standard
  • tidy
  • tokenizer
  • xml
  • xmlreader
  • xmlrpc
  • xmlwriter
  • xsl
  • Zend OPcache
  • zip
  • zlib
Retrieved from "https://ces-wiki.fas.harvard.edu/index.php?title=Rodeo_Four_Production_Server&oldid=948"