SSL and DNS Setup Guide
Quick Deployment
To deploy the entire site with SSL and systemd services:
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh
This will:
- ✅ Install systemd services for backend and frontend
- ✅ Obtain SSL certificate from Let's Encrypt
- ✅ Configure Nginx as reverse proxy
- ✅ Set up automatic SSL renewal
- ✅ Enable services to start on boot
Manual Setup
Step 1: Install SSL Certificate Only
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./setup-ssl.sh
Step 2: Restart Backend with Updated CORS
sudo systemctl restart church-music-backend
# OR manually:
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
pkill -f "node server.js"
nohup node server.js > /tmp/backend.log 2>&1 &
Configuration Details
Domain
- DNS: houseofprayer.ddns.net
- HTTP: Port 80 (redirects to HTTPS)
- HTTPS: Port 443 (SSL/TLS)
Backend
- Port: 8080 (internal)
- URL: https://houseofprayer.ddns.net/api/
- CORS: Allows localhost and houseofprayer.ddns.net
Frontend
- Port: 5100 (internal, Vite dev server)
- URL: https://houseofprayer.ddns.net/
- Proxy: Nginx forwards to localhost:5100
SSL Certificate
- Provider: Let's Encrypt
- Location: /etc/letsencrypt/live/houseofprayer.ddns.net/
- Renewal: Automatic (daily at 3 AM)
- Manual Renewal: sudo certbot renew
Service Management
Start/Stop Services
# Backend
sudo systemctl start church-music-backend
sudo systemctl stop church-music-backend
sudo systemctl restart church-music-backend
sudo systemctl status church-music-backend
# Frontend
sudo systemctl start church-music-frontend
sudo systemctl stop church-music-frontend
sudo systemctl restart church-music-frontend
sudo systemctl status church-music-frontend
# Nginx
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl status nginx
View Logs
# Backend logs (real-time)
sudo journalctl -u church-music-backend -f
# Frontend logs (real-time)
sudo journalctl -u church-music-frontend -f
# Nginx access logs
sudo tail -f /var/log/nginx/church-music-access.log
# Nginx error logs
sudo tail -f /var/log/nginx/church-music-error.log
Firewall Configuration
Make sure these ports are open:
# Check current firewall status
sudo ufw status
# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp
# Allow HTTPS
sudo ufw allow 443/tcp
# Allow SSH (if not already allowed) before enabling the firewall, so remote access is kept
sudo ufw allow 22/tcp
# Enable firewall
sudo ufw enable
Router Port Forwarding
Ensure your router forwards these ports to this server:
- Port 80 → Internal IP:80 (HTTP)
- Port 443 → Internal IP:443 (HTTPS)
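The backend (8080) and frontend (5100) ports are described above as internal, so they should listen on loopback only and be reached through Nginx. The following check is an added example, not one of the project's scripts; it assumes `ss` from iproute2 is available, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the project's scripts.
# exposed_internal_ports [PORTS] reads `ss -tln` output on stdin and prints
# "port address" for every listed internal port that is bound to a
# non-loopback address. No output means those ports are loopback-only.
exposed_internal_ports() {
  awk -v ports="${1:-8080 5100}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) internal[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)      # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
      if ((port in internal) && addr !~ /^(127\.|\[::1\]$)/)
        print port, addr
    }'
}

# Live check on the server:  ss -tln | exposed_internal_ports

# Constructed sample (not captured from the real host): the backend is
# bound to every interface, the Vite dev server to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511                *:8080            *:*
LISTEN 0      511        127.0.0.1:5100      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_internal_ports
```

Any line printed names a service that other hosts on the local network can reach directly, bypassing Nginx and TLS, unless the firewall blocks it.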
Testing
1. Test SSL Certificate
# Check certificate validity
sudo certbot certificates
# Test SSL configuration
curl -I https://houseofprayer.ddns.net
# Check SSL rating
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=houseofprayer.ddns.net
2. Test API Endpoints
# Test backend API
curl https://houseofprayer.ddns.net/api/stats
# Test login
curl -X POST https://houseofprayer.ddns.net/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"hop","password":"hopmusic2025"}'
3. Test from Browser
Open: https://houseofprayer.ddns.net
Expected:
- ✅ Valid SSL certificate (green padlock)
- ✅ Login page appears
- ✅ Can log in with credentials
- ✅ All features work normally
Troubleshooting
SSL Certificate Issues
# Check if certificate exists
ls -la /etc/letsencrypt/live/houseofprayer.ddns.net/
# Verify DNS is pointing to this server
nslookup houseofprayer.ddns.net
# Test port 80 accessibility
curl -I http://houseofprayer.ddns.net
# Force certificate renewal (use sparingly; Let's Encrypt rate-limits certificate issuance)
sudo certbot renew --force-renewal
Service Won't Start
# Check service status
sudo systemctl status church-music-backend
# View recent logs
sudo journalctl -u church-music-backend -n 50
# Check if port is already in use
sudo lsof -i:8080
sudo lsof -i:5100
# Manually test backend
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
node server.js
Nginx Issues
# Test Nginx configuration
sudo nginx -t
# View Nginx error log
sudo tail -f /var/log/nginx/error.log
# Reload Nginx configuration
sudo systemctl reload nginx
Can't Access from Outside
- Check DNS: nslookup houseofprayer.ddns.net
- Check router port forwarding: Ports 80 and 443
- Check firewall: sudo ufw status
- Check if ports are listening: sudo netstat -tlnp | grep -E ':(80|443)'
- Test from external site: https://www.isitdownrightnow.com/houseofprayer.ddns.net.html
Security Recommendations
1. Change Default Passwords
Update all user passwords from defaults in CREDENTIALS.md
2. Enable Production CORS
Edit backend/server.js and restrict CORS to only your domain
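One way to confirm the restriction after editing backend/server.js is to send a request with a foreign Origin header and inspect the response. This is an added example, not one of the project's scripts; the function names, the probe origin `https://untrusted.example` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the project's scripts.
# cors_verdict ORIGIN  (raw HTTP response headers on stdin) prints one of:
#   wildcard - "Access-Control-Allow-Origin: *", any site may read responses
#   allowed  - the header names exactly the probed origin
#   other    - the header names a different, fixed origin
#   blocked  - no Access-Control-Allow-Origin header at all
cors_verdict() {
  probe=$1
  acao=$(tr -d '\r' | awk '
    tolower($0) ~ /^access-control-allow-origin:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); value = $0
    }
    END { print value }')
  case "$acao" in
    "")       echo blocked ;;
    "*")      echo wildcard ;;
    "$probe") echo allowed ;;
    *)        echo other ;;
  esac
}

# Succeeds only when the headers on stdin do not grant access to ORIGIN.
foreign_origin_denied() {
  case "$(cors_verdict "$1")" in
    blocked|other) return 0 ;;
    *)             return 1 ;;
  esac
}

# Live check against the deployed API (needs network access):
#   curl -s -o /dev/null -D - -H "Origin: https://untrusted.example" \
#     https://houseofprayer.ddns.net/api/stats |
#     foreign_origin_denied https://untrusted.example && echo "CORS restricted"

# Constructed sample responses (not captured from the real server).
SAMPLE_OPEN=$(printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n')
SAMPLE_ECHO=$(printf 'HTTP/1.1 200 OK\r\naccess-control-allow-origin: https://untrusted.example\r\n')
SAMPLE_FIXED=$(printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://houseofprayer.ddns.net\r\n')
```

A correctly restricted backend yields `blocked` or `other` for the foreign origin and `allowed` only when the probe is `https://houseofprayer.ddns.net`.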
3. Rate Limiting
Already enabled (1000 requests per 15 minutes)
4. Keep System Updated
# Update packages
sudo apt update && sudo apt upgrade -y
# Update Node.js packages
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
npm update
cd /media/pts/Website/Church_HOP_MusicData/new-site/frontend
npm update
5. Monitor Logs Regularly
# Set up log rotation (already configured by systemd)
# Check logs weekly for suspicious activity
sudo journalctl -u church-music-backend --since "1 week ago" | grep -i error
Backup SSL Certificates
# Backup certificates (the archive contains the private keys, so store it with restricted access)
sudo tar -czf ~/letsencrypt-backup-$(date +%Y%m%d).tar.gz /etc/letsencrypt/
# Restore certificates (if needed)
sudo tar -xzf ~/letsencrypt-backup-YYYYMMDD.tar.gz -C /
Additional Resources
- Let's Encrypt: https://letsencrypt.org/
- Nginx Documentation: https://nginx.org/en/docs/
- Certbot: https://certbot.eff.org/
- SSL Labs Test: https://www.ssllabs.com/ssltest/
Last Updated: January 25, 2026