
Guide: Nginx LEMP stack with Ajenti, Lets Encrypt HTTPS and phpmyadmin

This is a write-up for setting up an Nginx LEMP Virtual Private Server (VPS) with the Ajenti control panel and Let’s Encrypt HTTPS.

Skill level: Moderate. Assumes root access to shell.

Note: As Let’s Encrypt and Ajenti V are both in Beta this guide may quickly become inaccurate.

Step 1

Use a clean VPS to set up Ajenti and Ajenti V. Simple guides are available on the Ajenti website, and more detailed guides at DigitalOcean.

Note 1: If you want to use MariaDB (or other) instead of MySQL, remove the mysql references from this line and install MariaDB separately.

apt-get install ajenti-v ajenti-v-nginx ajenti-v-mysql ajenti-v-php-fpm ajenti-v-mail ajenti-v-nodejs php5-mysql
service ajenti restart

If you’re doing it retrospectively, in the terminal you can use 

dpkg --get-selections | grep mysql

And then remove the packages manually (Debian).

I used these instructions from the official MariaDB website to install version 10.1.

To test once installed, run mysql; it should output the version of MariaDB you are running.

Step 2

Set up a website at your root domain. We’ll use this site to set up the HTTPS certificate so make sure it’s the one that Ajenti sits on (at port 8000). Guide for setting up a WordPress/PHP website.

Note 2: I found that I had to restart php5-fpm (sudo service php5-fpm restart) to escape a 404 error. It also doesn’t show as running on Ajenti. Apparently this is an Ubuntu-specific problem.

Step 3

Set up HTTPS certificates. I used this lightweight script by Lukas to generate Let’s Encrypt certificates.

a). Check out the code to a directory like /etc/letsencrypt

Update the domains.txt file to include your domains.

b). Prep your site to receive an ACME challenge from Let’s Encrypt. Edit config.sh to point to your web directory:

WELLKNOWN="/var/www/your-website"

c). Add this line to your website’s ‘Custom Configuration’ in Ajenti:

location /.well-known/acme-challenge {
    alias /var/www/your-website;
}

d). Run letsencrypt.sh -c

If you hit a challenge error, check your nginx logs to see exactly what it is. I also created well-known/acme folders in my web directory.

Step 4

Your certs should now be available in the /etc/letsencrypt/certs folder. Point your website to use these certs on the SSL tab in Ajenti.

Certificate path: /etc/letsencrypt/certs/your-domain.com/fullchain.pem
SSL key path: /etc/letsencrypt/certs/your-domain.com/privkey.pem


You should now have HTTPS enabled on your site, assuming you added 443 to the ports tab.

Step 5

Enhance your HTTPS security. Here’s a good guide to achieving an A+ on SSL Labs.

Step 6

Set up Ajenti to use the same certificate. Ajenti will have given itself a self-signed certificate. If you want to enable HSTS on the root site, you’ll need to change this to use the root site’s certificate.

a). Combine the cert.pem and privkey.pem. Easily done using cat:

cat cert.pem privkey.pem > combined.pem

 

b). Change the key location in /etc/ajenti/config.json on line 26:

"certificate_path": "/etc/letsencrypt/certs/your-domain.com/combined.pem"


You should now have the same HTTPS certificate enabled for Ajenti as your root site which means you can enable HSTS.

With the 90 day expiration of certificates, this introduces an additional step. The only thing I can think is to create a bash script which runs the concatenation when the certificates are renewed. I’m yet to implement this but if you do, let me know!
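One way to write the script described above, as an added example rather than the author's or Ajenti's own code: it rebuilds combined.pem only when the renewed cert.pem and privkey.pem belong together, and keeps the file readable by its owner only. The function name, its return codes and the use of the openssl command-line tool are assumptions.

```shell
#!/bin/sh
# Added example: rebuild Ajenti's combined.pem after a renewal.
# Assumptions: directory layout from this guide; the function name
# rebuild_combined and its return codes are hypothetical.
# Returns 0 = combined.pem replaced, 2 = already current, 1 = error.
rebuild_combined() {
    dir=$1
    cert="$dir/cert.pem"
    key="$dir/privkey.pem"
    out="$dir/combined.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing cert.pem or privkey.pem in $dir" >&2
        return 1
    fi

    # Refuse to pair a certificate with a key it was not issued for:
    # both files must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem, leaving $out alone" >&2
        return 1
    fi

    # mktemp creates the file with mode 0600, so the private key is never
    # world-readable; the same directory keeps the final mv an atomic rename.
    tmp=$(mktemp "$dir/combined.pem.XXXXXX") || return 1
    if ! cat "$cert" "$key" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Nothing changed since the last run: keep the existing file.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$out"
}

# Stand-alone use: sh rebuild-combined.sh /etc/letsencrypt/certs/your-domain.com
if [ "$#" -gt 0 ]; then
    rebuild_combined "$1"
fi
```

Run it from the same scheduled job that calls letsencrypt.sh -c, and restart Ajenti (service ajenti restart) only when it returns 0.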

Step 7

Set up phpmyadmin using this guide here. To ensure this uses HTTPS only, follow the steps above and use this to force HTTPS in the Config tab:

if ($scheme != "https") { rewrite ^ https://$host$uri permanent; }

You can password protect the phpmyadmin directory using httpauth on nginx. Follow this guide here.

The post Guide: Nginx Lemp Stack with Ajenti, Lets Encrypt HTTPS and phpmyadmin appeared first on Usayd Younis.


