Différences

Ci-dessous, les différences entre deux révisions de la page.

--- let_s_encrypt [2018/01/10 01:48] – simon
+++ let_s_encrypt [2018/04/24 14:29] – [Clés plus longues] simon
@@ Ligne 5: / Ligne 5: @@
 J'ai configuré les certificats pour plusieurs noms de domaines et voici la procédure suivie, pour le domaine fictif "plouf.com".
-J'ai utilisé l'outil [[https://github.com/diafygi/acme-tiny|acme-tiny]], on commence par le télécharger et l'installer.
+On commence par activer les backports (sous Stretch) afin de bénéficier de la version de [[certbot]] la plus récente.
 <code bash>
-# wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O /usr/local/bin/acme-tiny.py
+# vim /etc/apt/sources.list
---2018-01-10 02:30:22--  https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
+  #(...ajouter à la fin du fichier :)
-Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
+  # Backports repository
-Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
+  deb http://ftp.debian.org/debian stretch-backports main
-HTTP request sent, awaiting response... 200 OK
-Length: 9179 (9.0K) [text/plain]
-Saving to: ‘/usr/local/bin/acme-tiny.py’
-/usr/local/bin/acme-tiny.py         100%[================================================================>]   8.96K  --.-KB/s    in 0s
--01-10 02:30:22 (51.4 MB/s) - ‘/usr/local/bin/acme-tiny.py’ saved [9179/9179]
 </code>
-On crée un dossier pour Let's Encrypt, avec les bons droits :
+Dans mon cas, après installation sans les backports, certbot était en version 0.10 alors qu'avec les backports, on a la version 0.19.0.
-<code bash>
-# mkdir /etc/letsencrypt
-# chown root:ssl-cert /etc/letsencrypt/
-# chmod 750 /etc/letsencrypt/
-</code>
-On se déplace dans le dossier qu'on vient de créer :
 <code bash>
-# cd /etc/letsencrypt/
+# apt-get -t stretch-backports install python-certbot-apache
 </code>
-Et on lance la génération d'une clé privée :
 <code bash>
+# certbot --version
+certbot 0.19.0
 </code>
+<WRAP center round alert 60%>
+Sur une installation plus récente, j'ai du passer par [[pip]] pour installer certbot 0.21. L'installation depuis les backports ne fonctionnait pas.
-NOUVELLE SOLUTION :
+</WRAP>
-<code bash>
-# apt install python-certbot-apache
-</code>
-<hidden>
-<code bash>
-Reading package lists... Done
-Building dependency tree
-Reading state information... Done
-The following additional packages will be installed:
-  augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot python-chardet python-configargparse python-configobj
-  python-dnspython python-funcsigs python-mock python-openssl python-parsedatetime python-pbr python-psutil python-pyicu python-requests
-  python-rfc3339 python-tz python-urllib3 python-zope.component python-zope.event python-zope.hookable python-zope.interface
-Suggested packages:
-  augeas-doc python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc python-configobj-doc python-funcsigs-doc
-  python-mock-doc python-openssl-doc python-openssl-dbg python-psutil-doc python-socks python-ntlm
-The following NEW packages will be installed:
-  augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot python-certbot-apache python-chardet python-configargparse
-  python-configobj python-dnspython python-funcsigs python-mock python-openssl python-parsedatetime python-pbr python-psutil python-pyicu
-  python-requests python-rfc3339 python-tz python-urllib3 python-zope.component python-zope.event python-zope.hookable
-  python-zope.interface
-upgraded, 26 newly installed, 0 to remove and 0 not upgraded.
-Need to get 2,133 kB of archives.
-After this operation, 9,863 kB of additional disk space will be used.
-Do you want to continue? [Y/n]
-(...)
-</code>
@@ Ligne 72: / Ligne 33: @@
 # certbot --apache
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator apache, Installer apache
 Which names would you like to activate HTTPS for?
 -------------------------------------------------------------------------------
 : plouf.com
-: sous.plouf.com
+: chat.plouf.com
-: piscine.plouf.com
+: wiki.plouf.com
 -------------------------------------------------------------------------------
 Select the appropriate numbers separated by commas and/or spaces, or leave input
-blank to select all options shown (Enter 'c' to cancel):1,2,3
+blank to select all options shown (Enter 'c' to cancel): 1
-Enter email address (used for urgent renewal and security notices) (Enter 'c' to
-cancel):mon@mail.com
--------------------------------------------------------------------------------
-Please read the Terms of Service at
-https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
-agree in order to register with the ACME server at
-https://acme-v01.api.letsencrypt.org/directory
--------------------------------------------------------------------------------
-(A)gree/(C)ancel: A
 Obtaining a new certificate
 Performing the following challenges:
-tls-sni-01 challenge for plouf.com
+tls-sni-01 challenge for caliban.be
-tls-sni-01 challenge for sous.plouf.com
-tls-sni-01 challenge for piscine.plouf.com
 Enabled Apache socache_shmcb module
 Enabled Apache ssl module
 Waiting for verification...
 Cleaning up challenges
-Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
+Created an SSL vhost at /etc/apache2/sites-available/plouf.com-le-ssl.conf
-Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
-Created an SSL vhost at /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
 Enabled Apache socache_shmcb module
 Enabled Apache ssl module
-Deploying Certificate to VirtualHost /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
+Deploying Certificate for caliban.be to VirtualHost /etc/apache2/sites-available/plouf.com-le-ssl.conf
-Enabling available site: /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
+Enabling available site: /etc/apache2/sites-available/plouf.com-le-ssl.conf
-An unexpected error occurred:
-StopIteration
-Please see the logfiles in /var/log/letsencrypt for more details.
-IMPORTANT NOTES:
+Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - Unable to install the certificate
+-------------------------------------------------------------------------------
- - Congratulations! Your certificate and chain have been saved at
+: No redirect - Make no further changes to the webserver configuration.
-   /etc/letsencrypt/live/caliban.be/fullchain.pem. Your cert will
+: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
-   expire on 2018-04-10. To obtain a new or tweaked version of this
+new sites, or if you're confident your site works on HTTPS. You can undo this
-   certificate in the future, simply run certbot again with the
+change by editing your web server's configuration.
-   "certonly" option. To non-interactively renew *all* of your
+-------------------------------------------------------------------------------
-   certificates, run "certbot renew"
+Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- - If you lose your account credentials, you can recover through
+Redirecting vhost in /etc/apache2/sites-enabled/cplouf.com.conf to ssl vhost in /etc/apache2/sites-available/plouf.com-le-ssl.conf
-   e-mails sent to moi@simonlefort.be.
- - Your account credentials have been saved in your Certbot
-   configuration directory at /etc/letsencrypt. You should make a
-   secure backup of this folder now. This configuration directory will
-   also contain certificates and private keys obtained by Certbot so
-   making regular backups of this folder is ideal.
-</code>
-<code bash>
+-------------------------------------------------------------------------------
-</code>
+Congratulations! You have successfully enabled https://plouf.com
-<code bash>
+You should test your configuration at:
-</code>
+https://www.ssllabs.com/ssltest/analyze.html?d=plouf.com
+-------------------------------------------------------------------------------
-<code bash>
+IMPORTANT NOTES:
-</code>
+ - Congratulations! Your certificate and chain have been saved at:
+   /etc/letsencrypt/live/plouf.com-0001/fullchain.pem
+   Your key file has been saved at:
+   /etc/letsencrypt/live/plouf.com-0001/privkey.pem
+   Your cert will expire on 2018-04-10. To obtain a new or tweaked
+   version of this certificate in the future, simply run certbot again
+   with the "certonly" option. To non-interactively renew *all* of
+   your certificates, run "certbot renew"
+ - If you like Certbot, please consider supporting our work by:
-<code bash>
+   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+   Donating to EFF:                    https://eff.org/donate-le
 </code>
+On peut tester un renouvellement des certificats avec la commande suivante :
 <code bash>
+# certbot renew --dry-run
 </code>
-<code bash>
+Actuellement, ça foire chez moi... Pas encore compris pourquoi.
-</code>
+==== Clés plus longues ====
 <code bash>
+# certbot certonly -a webroot --rsa-key-size 4096 --webroot-path=/var/www/plouf.com -d plouf.com -d www.plouf.com
 </code>
-<code bash>
-</code>
-<code bash>
-</code>
-<code bash>
-</code>
 ===== Sources =====
   * [[https://www.sysnove.fr/blog/2016/03/utilisation-pratique-letsencrypt-acme-tiny.html|Sysnove.fr]]