DevOps

Nginx / Comodo PositiveSSL / CentOS 7

Standard

1. Before you purchase your SSL

Before any purchase of an SSL you’ll need a key file and a csr (Certificate Signing Request).

Shell
0
1
2
3
4
5
6
7
8
 
# I always assume you are logged in as root
# ssh into server and run
openssl req -nodes -newkey rsa:2048 -keyout server_name.key -out server_name.csr
 
# you have now generated 2 files server_name.key and server_name.csr
 
cat server_name.csr
 

The certificate registrar is going to ask for the contents of your csr file, just cut and paste whats inside the file into the webform. Make sure you register with the domain name you plan on using. Purchase your SSL, they’ll send your administrator an email validate that. Then wait for an email from Comodo with a zip file.

Within this zip file you’ll receive 4 files:

  • AddTrustExternalCARoot.crt – Root Cert
  • COMODORSAAddTrustCA.crt – Intermediate Cert
  • COMODORSADomainValidationSecureServerCA.crt – Intermediate Cert
  • server_name.crt – Your Positive Cert

2. Prep for installing SSL Cert

Shell
0
1
2
3
4
5
6
7
8
9
10
11
12
 
# combine your crt files into a bundle for nginx
 
cat server_name.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> server_name.ssl_bundle.crt
 
ls
 
# you should have server_name.ssl_bundle.crt
# copy files into place (you can move mv or copy cp files)
cp server_name.ssl_bundle.crt /etc/ssl/certs/server_name.ssl_bundle.crt
mkdir /etc/ssl/private
cp server_name.key /etc/ssl/private/server_name.key
 

3. Installing the SSL Certificate

Now to configure Nginx.

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 
    server {
        listen       ip_address:443;
        server_name  example_com;
 
        ssl on;
        ssl_certificate      /etc/ssl/certs/server_name.ssl_bundle.crt;
        ssl_certificate_key  /etc/ssl/private/server_name.key;
 
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
 
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
 
        ssl_ciphers  ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
        ssl_prefer_server_ciphers  on;
 
        location / {
            root   /html;
            index  index.html index.htm;
        }
    }
 

4. Restart Nginx

Shell
0
1
2
 
service restart nginx
 

To test your ssl: https://www.ssllabs.com/ssltest/

Jenkins 1.59 / CentOS 7 / GitHub / Rails / RSpec / Rbenv

Standard

As this is for personal use the system I configured has 1 64bit CPU, 1GB of RAM, and 30GB SSD HDD (the $10/mo DigitalOcean plan). I first tried it with the $5 plan, that kept giving me memory issues as Jenkins/Hudson runs on a JavaVM so for my needs 1GB of ram was needed. I won’t be running multiple builds with multiple nodes, pretty much whenever I push code to GitHub/BitBucket I want Jenkins to build and deploy code. If I push to master and it passes deploy to production, If I push to development and it passes deploy to staging.

My setup: 1 VM production server, 1 Physical staging server (in my office), 1 JenkinsCI VM server, and numerous repositories on GitHub and BitBucket.

Setting up Jenkins on CentOS 7

Shell
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
# ssh as root into your server
 
# grab Jenkins repo
wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
 
# add to rpm
rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key
 
# update yum
yum update
 
# install git
yum install git
 
# install dev tools
yum groupinstall "Development Tools"
 
# install jenkins
yum install jenkins
 
# install java for jenkins
yum install java-1.7.0-openjdk
 
# open firewall for 8080 if you have firewalld on and are going to use 8080
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
 
# restart jenkins service
systemctl restart jenkins.service
 
# check on status
systemctl status jenkins.service
 
# add jenkins service boot on restart
chkconfig jenkins on
 
# at this point jenkins should be running point your browser to http://ip_address:8080
 
# additional steps if you want to have nginx in front of jenkins
# follow install procedures for nginx here: http://wiki.nginx.org/Install
# or here: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7
# i prefer the digitalocean guide
# and here for nginx conf: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy
 
# things you might need
yum install epel-release
yum install nodejs
yum install npm
yum install sqlite-devel
 

Setup for Rails / Rbenv

Shell
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
# for rbenv sourced from: https://github.com/sstephenson/ruby-build/wiki#suggested-build-environment
yum install -y gcc openssl-devel libyaml-devel readline-devel zlib-devel
 
# you might need to change jenkins user to be able to use a shell
vi /etc/passwd
 
# change jenkins entry from /bin/false to /bin/bash
 
# switch to jenkins user
su - jenkins
 
# install rbenv
git clone https://github.com/sstephenson/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
exec -l $SHELL
 
# list all versions of ruby available
rbenv install --list
 
# install ruby 2.1.5
rbenv install 2.1.5
 
# 'rbenv rehash' with newer versions of rbenv this is not required 0.4.0 or later
 
# set 2.1.5 as global ruby
rbenv global 2.1.5
 
ruby
 

Adding EPEL to CentOS 7

Standard

Shell
0
1
2
3
4
5
6
 
# download latest rpm
curl -O http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
 
# add rpm
rpm -ivh epel-release-7-2.noarch.rpm
 

 

CentOS 7 and PostgreSQL 9.3

Standard

Process to install and initialize.