Use this to register Digital Ocean with $10 credit.
Droplet Setup (Ubuntu) for Node.js App (Meteor etc)
follow
Follow mup guide:
And you also need to add NOPASSWD to your sudoers file. Open it with:
sudo visudo
Then, replace the line that says %sudo ALL=(ALL) ALL with
%sudo ALL=(ALL) NOPASSWD:ALL
Add Public Key to New Remote User, by follow
disable root access, change port(using the same guide by editing '/etc/ssh/sshd_config')
follow
add fail2ban by:
Don't need to add swap when using SSD
Use to only do security updates (Otherwise when you do apt-get upgrade it'll update your version to Non-LTS version!)
Optional:
change editor to use vi sudo update-alternatives --config editor
Make sure A record is already updated for your domain first
SSH to server:
# ssh to your server
git clone https://github.com/letsencrypt/letsencrypt
./letsencrypt-auto certonly --standalone --agree-tos --email YOUR_EMAIL -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM
The following 4 files will be generated in the archive folder: /etc/letsencrypt/archive/YOURDOMAIN.COM
(Note the ones in /etc/letsencrypt/live/YOURDOMAIN.COM is symlinked to archive folder)
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
Now we want to copy those files to your local machine:
# compress them on server first
sudo tar -cvvf letsencrypt_YYYY_MM_DD.tar /etc/letsencrypt/archive/YOURDOMAIN.COM
# then on your local terminal, use scp to get the above file, copy to home folder
scp -P 22 USER@IP:/home/USER/letsencrypt_YYYY_MM_DD.tar ~
# or
Put the downloaded two files (fullchain.pem and privkey.pem) in your local folder where mup can access (see mup.json)
Update mup.json
“ROOT_URL”: “https://yourdomain.com",
...
"ssl": {
"certificate": "PATH_TO/fullchain.pem", // this is a bundle of certificates
"key": "PATH_TO/privkey.pem", // this is the private key of the certificate
"port": 443 // 443 is the default value and it's the standard HTTPS port
},
Don't forget to add force-ssl package: meteor add force-ssl
Renew automatically
NOTE this will NOT work because the server has to be stopped
Let’s Encrypt expires 90 days, so we create cron job to automatically update:
# on dev machine, stop server:
mupx stop
# on server
/home/USER/letsencrypt/letsencrypt-auto renew
# above command will generate new files (cert2.pem etc), get the files to local machine
# by doing the same steps above: 'sudo tar -cvvf ...' (see above)
mupx setup
mupx deploy
Key points:
You need to stop server before running renew.
if cert is expired, you need to run mpux setup again
if you run letsencrypt renew, new files will be generated (such as cert2.pem)
cert.pem: Your domain's certificate
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: Your certificate's private key
Reference:
)
Additional:
(which automatically use nginx, you don't need to setup anything)
More security setup from this :
(outdated: it's using mongodb 2.4)
Online tool:
Or use ssl-cert-check on server ():
(LATEST 2021) With you don't need to do manual setup SSL anymore
