NPM (Nginx Proxy Manager) Enable SSL certs EVERYWHERE local w/ Lets Encrypt DNS Challenge

admin
Site Admin
Posts: 5
Joined: Mon Jan 23, 2023 7:43 pm

NPM (Nginx Proxy Manager) Enable SSL certs EVERYWHERE local w/ Lets Encrypt DNS Challenge

Post by admin »

Create a Cloudflare account and log in.
Domains > Overview > Add Domain > domainhere.com
Wait for Cloudflare to delegate (it doesn't take too long; under 10 mins for me).

Change Bluehost domains to use Cloudflare NS (your CF NS hostnames could be different).

Code:

irma.ns.cloudflare.com
lou.ns.cloudflare.com

Check DNS delegation @ https://dnschecker.org/

Once complete, check Cloudflare DNS records for consistency with old records.

Create a Debian 13 VM (Nginx Proxy Manager).

Install Docker and Portainer as described here: https://zemerdon.com/viewtopic.php?t=368

Install NPM

Code:

mkdir /home/npm
pico /home/npm/docker-compose.yml

docker-compose.yml

Code:

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped

    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    environment:
      TZ: "Australia/Brisbane"

      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Start NPM

Code:

zemerdon@NPM:~/npm$ docker compose up -d

Create Cloudflare DNS token
Cloudflare > Manage Account > Account API Tokens > Create Token

Make sure you have the following permissions for validation...

[image: cf.jpg]

Review Token > Create Token and record the information (if you accidentally close the tab, go to Status > 3 dots > Roll to re-create it).

Log in to NPM @ serverip:81 > Certificates > Add Certificate > Let's Encrypt via DNS

Make sure to input your Cloudflare token from earlier.

[image: cf2.jpg]

This covers zemerdon.com and any subdomains.


Create a DNS A record pointing to NPM.
Cloudflare > Domain > DNS > Record. (I use the real IP because I have edge-facing services.)
ALWAYS A GOOD IDEA TO PUT EDGE-FACING SERVICES ON A SEPARATE VLAN!
You could control all your subdomains in pfSense (or similar) through DNS Resolver, e.g. someservice.zemerdon.com > 30.30.30.5.

Create NPM Proxy Hosts, and don't forget to create an Access Rule for LOCAL ONLY stuff. Here is an example for my webserver...

[image: npm.jpg]
[image: npm2.jpg]

Credit:

zemerdon
Site Admin
Posts: 370
Joined: Mon Jan 23, 2023 8:13 pm

iDRAC SSL Script

Post by zemerdon »

This script MUST be run from the NPM (Nginx Proxy Manager) host and point to where your Let's Encrypt certs are.

Code:

#!/bin/bash
# Push the Let's Encrypt key and full chain from the NPM host to an iDRAC via
# racadm, then reset the iDRAC so its web server picks up the new certificate.
set -euo pipefail   # stop if an upload fails instead of resetting anyway

IDRAC_IP="192.168.1.5"
IDRAC_USER="idrac_login"
IDRAC_PASS="idrac_pass"

# Certificate files NPM obtained through the Cloudflare DNS challenge
CERT="/home/zemerdon/npm/letsencrypt/live/npm-11/fullchain.pem"
KEY="/home/zemerdon/npm/letsencrypt/live/npm-11/privkey.pem"

# Upload the private key first (-t 1 selects the web server key)
racadm -r "$IDRAC_IP" \
       -u "$IDRAC_USER" \
       -p "$IDRAC_PASS" \
       sslkeyupload -t 1 -f "$KEY"

# Then the matching certificate chain (-t 1 selects the web server certificate)
racadm -r "$IDRAC_IP" \
       -u "$IDRAC_USER" \
       -p "$IDRAC_PASS" \
       sslcertupload -t 1 -f "$CERT"

# Reset the iDRAC so the new certificate is actually served
racadm -r "$IDRAC_IP" \
       -u "$IDRAC_USER" \
       -p "$IDRAC_PASS" \
       racreset

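Added check (not part of this thread or the script above): after racreset completes, confirm the iDRAC really presents the certificate from fullchain.pem and that it is not about to expire, because a Let's Encrypt certificate lasts 90 days and the upload has to be repeated after every renewal. It assumes only the openssl CLI is available; the IP and path in the usage line are the ones from the script above.

```shell
#!/bin/bash
# Added example (not from the thread): verify that a device serves the
# certificate we uploaded and that it is not close to expiry (openssl only).

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
leaf_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if the leaf certificate in $1 is still valid $2 days from now
# (default 14), 1 if it will have expired by then.
valid_for_days() {
  local pem=$1 days=${2:-14}
  openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
}

# Save the leaf certificate presented by HOST:PORT to a temp file and print
# that file's path. Returns 1 if no certificate could be obtained.
fetch_served_cert() {
  local host=$1 port=${2:-443} out
  out=$(mktemp)
  # </dev/null ends the TLS session at once; -servername sends SNI, which
  # matters when a proxy such as NPM selects the certificate by hostname.
  if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
       | openssl x509 -outform PEM >"$out" 2>/dev/null; then
    rm -f "$out"; return 1
  fi
  echo "$out"
}

# Compare what HOST serves against a local PEM (e.g. the fullchain.pem the
# upload script used). Returns 0 match, 1 mismatch, 2 expiring soon, 3 no cert.
check_host() {
  local host=$1 local_pem=$2 served want have
  served=$(fetch_served_cert "$host") || { echo "NOCERT $host" >&2; return 3; }
  want=$(leaf_fingerprint "$local_pem")
  have=$(leaf_fingerprint "$served")
  rm -f "$served"
  if [ "$want" != "$have" ]; then
    echo "MISMATCH $host serves $have, expected $want" >&2; return 1
  fi
  if ! valid_for_days "$local_pem" 14; then
    echo "EXPIRING $host: renew and re-run the upload script" >&2; return 2
  fi
  echo "OK $host serves the expected certificate"
}

# Usage with the values from the upload script above:
# check_host 192.168.1.5 /home/zemerdon/npm/letsencrypt/live/npm-11/fullchain.pem
```

The same check works for any NPM proxy host by passing the hostname instead of an IP, since SNI is sent.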
zemerdon
Site Admin
Posts: 370
Joined: Mon Jan 23, 2023 8:13 pm

Cisco 3650 Switch SSL Cert

Post by zemerdon »

1. Set hostname + domain (required)

Code:

conf t
hostname cisco
ip domain-name zemerdon.com
end
write memory

2. Generate RSA keypair

Code:

conf t
crypto key generate rsa modulus 2048 label cisco-https-key
end

3. Create a trustpoint

Code:

conf t
crypto pki trustpoint CISCO-HTTPS
 enrollment selfsigned
 subject-name CN=cisco.zemerdon.com
 revocation-check none
 rsakeypair cisco-https-key
end

4. Enroll (create the certificate)

Code:

conf t
crypto pki enroll CISCO-HTTPS
end

When prompted:
  • Answer yes to accept the self-signed cert
  • Confirm generation

5. Bind cert to HTTPS server

Code:

conf t
ip http secure-trustpoint CISCO-HTTPS
ip http secure-server
end
write memory

6. Verify

Code:

show crypto pki certificates CISCO-HTTPS
show ip http server secure status