jpeppol: checklist before deploying to production

checklist
– copy WildFly 10 with the applications already deployed inside it
– copy the WildFly init.d scripts
– copy the MySQL shell-connection script (if it embeds credentials, keep it owner-only, mode 0600)
– install the MySQL shell client
– install a minimal MySQL database
– install Oracle JDK 1.8 using apt
– install the JRE security extension (needed to resolve the CA certificate key)
– install nginx and create the configuration files
– install the Let's Encrypt client and generate the certificates
– configure nginx to use the Let's Encrypt certificates
– configure the timezone on Ubuntu
– create the working directory at /mnt/jpeppol
– set the maximum number of connections (MySQL)
– copy the latest jpeppol version
– verify the SML registration (using the official CA certificate)
– generate the DH parameters (a 4096-bit group takes a long time to generate; start it early): cd /etc/ssl/certs; sudo openssl dhparam -out dhparam.pem 4096
– add the following to the nginx TLS (port 443) server configuration:
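# TLS hardening for the jpeppol vhost. Goes inside the server { } block that
# listens on 443. NOTE: add_header is NOT inherited by any location { } block
# that sets its own add_header — repeat the two headers there if that happens.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only 1.2 is offered. Add TLSv1.3
# once nginx >= 1.13.0 is built against OpenSSL 1.1.1 — naming it on an older
# build is a configuration error, so it is not listed here.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret suites only (ECDHE/DHE); the AES256+ entries are CBC fallbacks
# for clients without AES-GCM. Plain ASCII quotes are required here — curly
# quotes make nginx pass the quote bytes to OpenSSL and the cipher list fails.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Session tickets are protected by a key nginx generates per worker lifetime;
# disabling them keeps forward secrecy across restarts (nginx >= 1.5.9).
#ssl_session_tickets off;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# Stapling only works with a resolver, and ssl_stapling_verify additionally
# needs the Let's Encrypt chain in ssl_trusted_certificate; without them nginx
# staples nothing and merely logs a warning. Replace the placeholders with the
# real resolver IPs (a local caching resolver is the usual choice).
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
#resolver_timeout 5s;
#ssl_trusted_certificate /etc/letsencrypt/live/<host>/chain.pem;
# 'always' (nginx >= 1.7.5) sends the headers on 4xx/5xx responses too; drop it
# on older builds. 'preload' commits the host and all subdomains to the browser
# HSTS preload list and is effectively irreversible — keep it only if intended.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;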
– test the configuration (nginx -t) and restart nginx
– verify the TLS configuration on: https://www.ssllabs.com/ssltest/analyze.html?d=www.xxx.xld (replace www.xxx.xld with the real hostname)
– install le-renew (the renewal script below):
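#!/bin/sh
# le-renew: renew the Let's Encrypt certificates with the standalone
# authenticator. Standalone mode binds port 80/443 itself, so nginx is stopped
# for the duration of the renewal and started again afterwards whatever the
# outcome (the restart also loads the renewed certificate). Exits non-zero,
# printing the renewal log, when the renewal or the nginx restart fails, so
# cron mails the failure.
#
# NOTE(review): the client lives under /home/admin but runs from root's cron;
# whoever can write that path (the admin account, or anyone who compromises
# it) gets root. Move it to a root-owned location or use a packaged client —
# confirm ownership/permissions. The webroot authenticator would also avoid
# the nginx downtime entirely.

LOG=/var/log/le-renew.log

service nginx stop # or whatever your webserver is
# The option is "--standalone" (two ASCII hyphens); an en dash is rejected.
/home/admin/letsencrypt/letsencrypt-auto renew -nvv --standalone > "$LOG" 2>&1
LE_STATUS=$?
service nginx start # or whatever your webserver is
NGINX_STATUS=$?

if [ "$LE_STATUS" -ne 0 ]; then
  echo "Automated renewal failed:"
  cat "$LOG"
  exit 1
fi

# A renewal that succeeded but left the web server down is still a failure.
if [ "$NGINX_STATUS" -ne 0 ]; then
  echo "nginx failed to start after certificate renewal"
  exit 1
fi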
– configure the crontab (as root — the renewal entry stops and starts nginx): crontab -e
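# Nightly at 02:00: compress rotated WildFly logs (server.log itself, the one
# being written, has no suffix and is not matched). Matching with -name instead
# of a shell glob keeps find from receiving a literal pattern when there is
# nothing to rotate; files already ending in .gz are skipped because gzip
# refuses them and would report an error every night.
0 2 * * * /usr/bin/find /opt/wildfly/standalone/log -maxdepth 1 -type f -name 'server.log.*' ! -name '*.gz' -exec /bin/gzip '{}' \;
# Weekly, Monday 02:30: renew the Let's Encrypt certificates (stops nginx briefly).
# NOTE(review): renew only acts when the certificate is near expiry, so a more
# frequent schedule costs nothing and leaves more room to notice a failed run.
30 2 * * 1 /etc/init.d/le-renew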