SSL & DNS Setup
DNS records, Let's Encrypt SSL, Certbot, Cloudflare proxy, wildcard certs.
Tags: ssl, dns, devops, deployment
# SSL & DNS Setup

## DNS record types

| Record | Purpose | Example |
|--------|---------|---------|
| A | Domain -> IPv4 | `example.com -> 1.2.3.4` |
| AAAA | Domain -> IPv6 | `example.com -> 2001::1` |
| CNAME | Alias -> domain (cannot share a name with any other record, so never at the zone apex) | `www -> example.com` |
| MX | Mail server | `@ -> mail.example.com` priority 10 |
| TXT | Verification, SPF, DKIM | `v=spf1 include:sendgrid.net ~all` |
| NS | Name servers | Delegated nameservers |
| CAA | CAs allowed to issue certs for the domain | `0 issue "letsencrypt.org"` |

CAA notes: without a CAA record any public CA may issue for the name. `issue` also covers wildcard certs unless a separate `issuewild` record is present. Keep exactly one SPF TXT record per name; two `v=spf1` records are a permanent error for receivers, and `+all` lets any host send mail as the domain.

## Typical web app DNS

```
example.com          A      1.2.3.4
www.example.com      CNAME  example.com
api.example.com      A      1.2.3.4
*.example.com        A      1.2.3.4   # wildcard
```

TTL: use 300s (5 min) while migrating, 3600s (1 hr) once stable. Lower the TTL at least one old-TTL period before the cutover, because resolvers keep the old answer until their cached copy expires.

A wildcard A record makes every undefined subdomain resolve to the origin, so pair it with a default nginx `server` block that rejects unknown `Host` headers (for example `return 444;`) rather than serving the app on any name.

## Let's Encrypt with Certbot

```bash
# Install certbot + nginx plugin (Debian/Ubuntu apt packages)
apt install certbot python3-certbot-nginx

# Obtain a cert and let certbot edit the nginx server block (renewals reload nginx)
certbot --nginx -d example.com -d www.example.com

# Standalone: certbot binds port 80 for the HTTP-01 challenge, so stop the web server first.
# --deploy-hook runs after each successful renewal so nginx picks up the new files.
certbot certonly --standalone -d example.com --deploy-hook "systemctl reload nginx"

# Wildcard: only the DNS-01 challenge is allowed. A wildcard does not cover the apex,
# so request both names on one cert. Certbot prints the TXT record(s) to add:
#   _acme-challenge.example.com  TXT  <token>   (one per name, both at the same label)
certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

# --manual without --manual-auth-hook cannot renew unattended. For automatic
# renewal use a DNS plugin instead, e.g. python3-certbot-dns-cloudflare
# (credentials file path is an example; it holds a scoped API token):
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d example.com -d '*.example.com'

# Certs are valid 90 days. The systemd timer installed by the apt package runs
# `certbot renew` regularly and renews anything with fewer than 30 days left.
systemctl status certbot.timer

# Test renewal
certbot renew --dry-run
```

## Cert files

```
/etc/letsencrypt/live/example.com/
  fullchain.pem   # cert + intermediates  -> ssl_certificate
  privkey.pem     # private key           -> ssl_certificate_key (root-only, 0600; never copy into images or repos)
  cert.pem        # cert only
  chain.pem       # intermediates only
```

`live/` holds symlinks into `archive/`; point nginx at `live/` so renewals are picked up without config changes.

## Cloudflare setup

1. Add site -> change nameservers at registrar
2. Orange cloud (proxy) -> hides origin IP, adds CDN + DDoS protection. The IP stays hidden only if nothing else reveals it: a grey-cloud record pointing at the same address (mail, ftp, a dev host) or an origin that answers on its public IP directly. Restrict the origin firewall to Cloudflare's published IP ranges (or enable Authenticated Origin Pulls) so traffic cannot bypass the proxy.
3. Grey cloud (DNS only) -> no proxy, direct connection
4. SSL/TLS mode: Full (strict) when the origin has a valid cert (publicly trusted or Cloudflare Origin CA). Flexible terminates TLS at the edge and sends plain HTTP to the origin; Full encrypts but accepts any origin cert, including self-signed. Use Full (strict).
5. Page Rules / Transform Rules for redirects
6. Rate limiting, firewall rules, bot fight mode

## Cloudflare Origin CA

Cloudflare issues origin certificates from its own private CA. Browsers do not trust it; only Cloudflare's edge does, so an Origin CA cert is usable only for proxied (orange-cloud) hostnames.

1. Generate at Cloudflare dashboard -> SSL/TLS -> Origin Server (pick the hostnames; validity up to 15 years)
2. Install the certificate and private key on the origin (nginx `ssl_certificate` / `ssl_certificate_key`)
3. Set SSL mode to "Full (strict)" in Cloudflare

The Cloudflare Origin CA root certificate is needed only to verify the chain yourself (e.g. `curl --cacert`); nginx does not need it.

## nginx SSL config (after certbot)

```nginx
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# TLS 1.0/1.1 are deprecated (RFC 8996); pin the list instead of relying on the nginx default
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers governs TLS 1.2 only; TLS 1.3 suites are negotiated separately. ECDHE + AEAD only.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# HSTS: two years, all subdomains. Keep "preload" only if you will submit to hstspreload.org;
# "always" sends the header on error responses too.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```

Caveats: `includeSubDomains` forces HTTPS on every subdomain, including grey-cloud and dev hosts, so add it only once they all serve TLS. `preload` is close to irreversible once the domain is on the browser list. In nginx an `add_header` inside a `location` block replaces every inherited `add_header`, so repeat the HSTS line in any location that sets its own headers.
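The record-table rules above (CNAME placement, one SPF record, no `+all`, a CAA record) and the Cloudflare origin-exposure caveat can be checked mechanically against a zone export. The linter below is an added example, not part of the original page or of any vendor tooling; it uses only the standard library and runs offline on a constructed zone. Record lines are assumed to be `name TYPE value [proxied]`, with `proxied` marking an orange-cloud record, and the IPs and hostnames in the sample are assumptions.

```python
"""Lint a small zone export for the DNS mistakes discussed above (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample zone (assumption): one leaked origin IP, two SPF records, no CAA.
SAMPLE_ZONE = """
example.com        A      203.0.113.10   proxied
www.example.com    CNAME  example.com    proxied
api.example.com    A      203.0.113.10   proxied
mail.example.com   A      203.0.113.10
*.example.com      A      203.0.113.10   proxied
example.com        MX     10 mail.example.com
example.com        TXT    "v=spf1 include:sendgrid.net ~all"
example.com        TXT    "v=spf1 a mx +all"
"""


def parse_zone(text, apex):
    """Parse 'name TYPE value [proxied]' lines; '@' and trailing dots normalise to the apex."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            raise ValueError(f"malformed record: {line!r}")
        name, rtype, rest = parts[0].lower().rstrip("."), parts[1].upper(), parts[2]
        name = apex if name == "@" else name
        proxied = rest.endswith(" proxied")
        if proxied:
            rest = rest[: -len(" proxied")].rstrip()
        records.append({"name": name, "type": rtype, "value": rest, "proxied": proxied})
    return records


def lint_zone(records, apex):
    """Return (severity, message) findings; severity is 'error', 'warn' or 'info'."""
    findings = []
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)

    # Malformed addresses: an A record must carry an IPv4 literal, AAAA an IPv6 one.
    for r in records:
        if r["type"] in ("A", "AAAA"):
            try:
                ver = ipaddress.ip_address(r["value"]).version
            except ValueError:
                findings.append(("error", f"{r['name']} {r['type']} has non-IP value {r['value']!r}"))
                continue
            if (r["type"] == "A") != (ver == 4):
                findings.append(("error", f"{r['name']} {r['type']} value is IPv{ver}"))

    # CNAME rules: never at the apex, never beside another record type at the same name.
    for name, rs in by_name.items():
        types = {r["type"] for r in rs}
        if "CNAME" in types:
            if name == apex:
                findings.append(("error", f"CNAME at zone apex {name}; use A/AAAA instead"))
            if len(types) > 1:
                others = sorted(types - {"CNAME"})
                findings.append(("error", f"CNAME at {name} coexists with {others}"))

    # SPF: exactly one v=spf1 record per name, and it must not end in +all (or bare all).
    for name, rs in by_name.items():
        spf = [r["value"].strip('"') for r in rs
               if r["type"] == "TXT" and r["value"].strip('"').startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(("error", f"{len(spf)} SPF records at {name}; receivers treat this as permerror"))
        for policy in spf:
            if policy.split()[-1] in ("+all", "all"):
                findings.append(("error", f'SPF at {name} ends with "+all": any host may send as {name}'))

    # CAA: without it every public CA may issue for the domain.
    if not any(r["type"] == "CAA" for r in by_name.get(apex, [])):
        findings.append(("warn", f'no CAA record at {apex}; add e.g. 0 issue "letsencrypt.org"'))

    # Origin exposure behind the Cloudflare proxy: a DNS-only record that resolves to
    # the same address as a proxied record hands the origin IP to anyone who asks.
    proxied_ips = {r["value"] for r in records if r["proxied"] and r["type"] in ("A", "AAAA")}
    for r in records:
        if r["type"] in ("A", "AAAA") and not r["proxied"] and r["value"] in proxied_ips:
            findings.append(("warn", f"{r['name']} is DNS-only but resolves to proxied origin {r['value']}"))

    # Wildcards: every undefined subdomain resolves, so the default vhost must reject unknown Hosts.
    for r in records:
        if r["name"].startswith("*.") and r["type"] in ("A", "AAAA", "CNAME"):
            findings.append(("info", f"wildcard {r['name']} answers for any undefined subdomain"))
    return findings


def lint_text(text, apex):
    return lint_zone(parse_zone(text, apex), apex)


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_ZONE, "example.com"):
        print(f"[{severity}] {message}")
```

On the sample zone the linter reports two errors (duplicate SPF, `+all`), two warnings (missing CAA, `mail.example.com` leaking the proxied origin address) and one informational note for the wildcard; a zone that fixes those yields only the wildcard note.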
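The nginx section above pins protocols, restricts the cipher list to ECDHE/AEAD suites and sets a full HSTS header. The checker below is an added example, not code from the original page or from nginx; it parses a snippet of `ssl_*` / `add_header` directives with the standard library and flags the weak settings beside the page's own configuration. It assumes one directive per line, judges cipher suites by name against a small deny-list (OpenSSL keywords such as `HIGH` are flagged for manual review with `openssl ciphers -v`), and both config snippets inside it are constructed for illustration.

```python
"""Flag weak TLS settings in an nginx snippet (added example, stdlib only)."""
import re
import shlex

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # deprecated by RFC 8996 and earlier
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")
ONE_YEAR = 31536000                                       # minimum max-age for the preload list

# One directive per line, terminated by ';' (assumption; the last ';' ends the directive,
# so a quoted HSTS value containing ';' is handled).
DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*$")

# Constructed "before" snippet: legacy protocols, legacy ciphers, token HSTS.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:RC4-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=300";
"""

# The page's own configuration, reproduced here as the "after" snippet.
GOOD_CONFIG = """
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""


def parse_directives(text):
    """Yield (name, [args]) for each directive line; quotes are honoured via shlex."""
    out = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            out.append((m.group(1), shlex.split(m.group(2))))
    return out


def parse_hsts(value):
    """Split an HSTS header value into (max_age or None, set of lowercase flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if part.lower().startswith("max-age="):
            max_age = int(part.split("=", 1)[1].strip('"'))
        else:
            flags.add(part.lower())
    return max_age, flags


def check_tls_config(text):
    """Return (severity, message) findings for an nginx TLS snippet."""
    findings = []
    protocols = ciphers = hsts = None
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            protocols = set(args)
        elif name == "ssl_ciphers":
            ciphers = args[0].split(":") if args else []
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = args[1] if len(args) > 1 else ""

    if protocols is None:
        findings.append(("warn", "ssl_protocols not set; older nginx builds default to TLSv1/TLSv1.1 too"))
    else:
        legacy = sorted(protocols & WEAK_PROTOCOLS)
        if legacy:
            findings.append(("error", f"legacy protocols enabled: {' '.join(legacy)}"))
        if "TLSv1.3" not in protocols:
            findings.append(("warn", "TLSv1.3 not enabled"))

    for c in ciphers or []:
        if c.startswith("!"):                       # exclusion entry, nothing to judge
            continue
        if any(mk in c.upper() for mk in WEAK_CIPHER_MARKERS):
            findings.append(("error", f"weak cipher suite {c}"))
        elif "-" not in c:                          # OpenSSL keyword (HIGH, MEDIUM, ...)
            findings.append(("warn", f"{c} is an OpenSSL keyword; review with 'openssl ciphers -v {c}'"))
        elif not c.startswith(("ECDHE", "DHE", "TLS_")):
            findings.append(("warn", f"{c} lacks forward secrecy (no ECDHE/DHE key exchange)"))

    if hsts is None:
        findings.append(("warn", "no Strict-Transport-Security header"))
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None:
            findings.append(("error", "HSTS header without max-age is ignored by browsers"))
        elif max_age < ONE_YEAR:
            findings.append(("warn", f"HSTS max-age {max_age} < 1 year; preload list requires >= {ONE_YEAR}"))
        if "preload" in flags and "includesubdomains" not in flags:
            findings.append(("error", "preload requires includeSubDomains"))
        if "preload" in flags:
            findings.append(("info", "preload is a near-permanent commitment; submit to hstspreload.org only "
                                     "once every subdomain serves HTTPS"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("page", GOOD_CONFIG)):
        print(f"== {label} ==")
        for severity, message in check_tls_config(cfg):
            print(f"[{severity}] {message}")
```

The weak snippet produces three errors (TLS 1.0/1.1, `RC4-SHA`, `DES-CBC3-SHA`) plus warnings for the `HIGH` keyword, the missing TLS 1.3 and the 300-second HSTS; the page's configuration produces no errors, only the reminder that `preload` is a commitment.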