Hosting web applications + Running Drone CI in one VPS

[Alvaro__]

Hello everyone,
I'm trying to use my web applications VPS as a drone CI server (with docker) as well.

In order to avoid conflicts with Apache on default ports (80,443), the drone server was published in 8080 (port is open in firewall).
The problem is that I'm forced to use HTTP in this port.
Meaning I can reach drone server on http://VPS_IP:8080, but can't it on https://VPS_IP:8080.
Does anyone have an advice?
Thanks.

 

[cPanelAaronH]

Hello,

Https will need to run on a separate port. 8080 for HTTP and 8081 for HTTPS for example. You'll need to look at your configurations and make the necessary changes.

 

[Alvaro__]

Hello,

Https will need to run on a separate port. 8080 for HTTP and 8081 for HTTPS for example. You'll need to look at your configurations and make the necessary changes.

Thanks for the replay.
So, if I understand you correctly, I'll have to open another port, even if I'm interested only in HTTPS?
I can't just change port 8080 to HTTPS and that's it?

Can you please direct me to the relevant configuration files that I'll have to change?
And how?


Thanks again.

 

[cPRex]

You'll still want to leave the insecure ports open as well, even if you plan to route all traffic to https.

Since this software isn't something that is provided with cPanel I can't tell you exactly what changes would need to be made. If you wanted to change the ports for Apache we have a guide on that here:

How do I change the Apache port?

Introduction There may be times you need to leave Apache running but you need to run this on a different port. Luckily the WHM has a section to quickly change this. Procedure To change the p...

support.cpanel.net

but you'd need to check the documentation for your specific software to see how that gets handled.

 

[Alvaro__]

Thanks

 

[cPRex]

Sure thing!

 

[Alvaro__]

Hi,
After more investigation, I found that I should use ssl .key and .cert files from server.
Something like :

-v /path/to/server.crt:/path/to/server.crt \
-v /path/to/server.key:/path/to/server.key

With docker run command.

I was able to find these files in /home/my_user/ssl/certs and /home/my_user/ssl/keys
The problem is that each folder includes a lot of files (.crt and .key files) and I don't know which I should choose.

I've tried a few pairs, but every time I got
“Your connection is not private” “ERR_CERT_COMMON_NAME_INVALID” errors.

Maybe anyone know how to fix this?
Thanks.

 

[cPRex]

Inside of the /home/username/ssl/certs and /keys directory, you'd just want to use the most recent .crt file and .key file. With AutoSSL there will be multiple files in there as those SSLs only last for 90 days and then get renewed.

For example, I just checked my personal machine and found there are .crt and .key files both from October 17 that are a match:

/home/username/ssl/certs

-rw-r--r-- 1 user user 2288 Oct 17 00:49 domain_com_b8769_0db53_1610755199_xxxxxxxxxxx80ae78beb92e9d.crt

/home/username/ssl/keys

-rw-r----- 1 user user 1678 Oct 17 00:49 b8769_0db53_xxxxxxxxxxxae808576c647a6e5f0c82.key

 

[Alvaro__]

Inside of the /home/username/ssl/certs and /keys directory, you'd just want to use the most recent .crt file and .key file. With AutoSSL there will be multiple files in there as those SSLs only last for 90 days and then get renewed.

For example, I just checked my personal machine and found there are .crt and .key files both from October 17 that are a match:

/home/username/ssl/certs

-rw-r--r-- 1 user user 2288 Oct 17 00:49 domain_com_b8769_0db53_1610755199_xxxxxxxxxxx80ae78beb92e9d.crt

/home/username/ssl/keys

-rw-r----- 1 user user 1678 Oct 17 00:49 b8769_0db53_xxxxxxxxxxxae808576c647a6e5f0c82.key

Thanks,
The problem was that I used the newest pair, but the newest pair belongs to a different sub-domain.

So I need to change the keys in my docker every 90 days?

 

[cPRex]

If you are using any type of automation that needs those key files to be applied directly to the server, then yes, those would need to be updated every time the AutoSSL is updated on the machine.

 

[Alvaro__]

If you are using any type of automation that needs those key files to be applied directly to the server, then yes, those would need to be updated every time the AutoSSL is updated on the machine.

Do you know a way to configure AutoSSL so that every new key/cert file will be named exactly as the previous one (overwrite the old one)?
Or Maybe a way to trigger some event when AutoSSL is updated, maybe even call a WebHook?

I guess I can create a Cron job that checks for new AutoSSl files, but I'm looking for a "cleaner" solution.

Thanks.

 

[cPRex]

There isn't a way for the system to overwrite the SSL files using the same name. If you'd like a consistent filename that will always have the latest certificate, you may be able to use /var/cpanel/ssl/apache_tls/domain.com/combined as that has the cert, key, and CA Bundle all in one file.

 

[Alvaro__]

There isn't a way for the system to overwrite the SSL files using the same name. If you'd like a consistent filename that will always have the latest certificate, you may be able to use /var/cpanel/ssl/apache_tls/domain.com/combined as that has the cert, key, and CA Bundle all in one file.

Thanks