Notes to pass Sandstorm from http to https using wildcard from letsencrypt.org


Florian Schmitt

Apr 25, 2018, 7:27:10 AM
to Sandstorm Development
Hi there,

I just wanted to share my basic notes to get https on my instance, in case it may help someone. It doesn't cover all the possible setups, but if you installed sandstorm with classical ports, and proxied it with nginx or apache, it will get you started:

1. Have your DNS entry pointing to your server’s IP for *.sandstorm.yourdomain.ext and *.sandstorm.yourdomain.ext
2. Install certbot on your server. See https://certbot.eff.org/
3. Run
# The wildcard name is quoted so the shell passes it to certbot unexpanded
certbot certonly \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual --preferred-challenges dns \
  -d '*.sandstorm.yourdomain.ext' -d sandstorm.yourdomain.ext

 Agree to the TOS and give your email to certbot
 When asked, enter the DNS TXT entry as shown by certbot for _acme-challenge.sandstorm.yourdomain.ext
 Finalise the creation of the certificate by pressing enter after 10 minutes so that the TXT entry may be propagated

4. Adjust your nginx or apache config that is the sandstorm’s proxy by adding the certificate’s key and chain, and redirect http to https
5. Restart nginx
6. Edit /opt/sandstorm/sandstorm.conf to add https to BASE_URL
7. Restart sandstorm
DONE!

PS: I also had to change the Google Cloud app settings with https URLs to enable OAuth with Google

Cheers!
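
One way step 4 can look for nginx, as an added example that is not part of the original post and not Sandstorm's own configuration. It assumes Sandstorm listens on 127.0.0.1:6080 and that certbot wrote the certificate under /etc/letsencrypt/live/sandstorm.yourdomain.ext/ (use the paths certbot printed at the end of step 3).

```nginx
# Added example. Assumed values: upstream 127.0.0.1:6080 and the
# /etc/letsencrypt/live/ paths; adjust both to your installation.
# This file is meant to be included inside the http { } context.

# Pass WebSocket upgrades through the proxy; close the connection otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect every plain-HTTP request to the same host and path over HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name sandstorm.yourdomain.ext *.sandstorm.yourdomain.ext;
    return 301 https://$host$request_uri;
}

# Terminate TLS with the wildcard certificate and proxy to Sandstorm.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # The base host and the wildcard, matching the two -d names from step 3.
    server_name sandstorm.yourdomain.ext *.sandstorm.yourdomain.ext;

    # fullchain.pem = certificate plus chain, privkey.pem = private key.
    ssl_certificate     /etc/letsencrypt/live/sandstorm.yourdomain.ext/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sandstorm.yourdomain.ext/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:6080;
        proxy_http_version 1.1;
        # Keep the original Host so wildcard subdomains reach Sandstorm intact.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Running `nginx -t` before the restart in step 5 catches a wrong certificate path or a syntax error while the old configuration is still serving.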

Tim McCormack

Apr 25, 2018, 9:10:40 AM
to sandst...@googlegroups.com
On Wed, 25 Apr 2018 04:27:10 -0700 (PDT), Florian Schmitt wrote:
> I just wanted to share my basic notes to get https on my instance, in
> case it may help someone. It doesn't cover all the possible setups,
> but if you installed sandstorm with classical ports, and proxied it
> with nginx or apache, it will get you started

I think this is missing a step 8: Set a repeating calendar event to do
step 3 again every couple months. :-)

Does certbot yet support hooks for calling out to a custom script that
updates DNS?

- Tim

Florian Schmitt

Apr 25, 2018, 9:45:08 AM
to Sandstorm Development
You are totally right Tim, with my procedure, you will need to renew the
DNS by yourself every 2 or 3 months when you renew the certificate.

I don't know about hooks, but there is a cloudflare plugin for certbot
that automates dns challenge

https://certbot-dns-cloudflare.readthedocs.io/en/latest/

Matt Vis

Jun 8, 2018, 12:54:04 PM
to Sandstorm Development
Is appending the "sandstorm" as a subdomain required even if you have everything configured as "*.yourdomain.com" in /opt/sandstorm/sandstorm.conf?

Jacob Weisz

Jun 8, 2018, 12:58:26 PM
to sandst...@googlegroups.com
I would assume that's just a sample URL.

--
  Jacob Weisz



On Fri, Jun 8, 2018, at 11:54 AM, Matt Vis wrote:
> Is appending the "sandstorm" as a subdomain required even if you have everything configured as "*.yourdomain.com" in /opt/sandstorm/sandstorm.conf?



Kevin Reid

Jun 8, 2018, 10:46:01 PM
to Sandstorm Development
On Wed, Apr 25, 2018 at 4:27 AM Florian Schmitt <mrf...@gmail.com> wrote:
> I just wanted to share my basic notes to get https on my instance, in case it may help someone. It doesn't cover all the possible setups, but if you installed sandstorm with classical ports, and proxied it with nginx or apache, it will get you started:

I've been meaning to get around to doing this (I currently have a very messy setup which is good neither for my main site nor Sandstorm), and at the time I looked into it the documentation didn't make it clear there was a manual DNS option. Thanks for the writeup.