let_s_encrypt
Differences
Below are the differences between two revisions of the page.
let_s_encrypt [2018/01/10 01:48] – simon | let_s_encrypt [2019/09/12 19:46] – simon | ||
---|---|---|---|
Ligne 3: | Ligne 3: | ||
===== Configuration des certificats Let's Encrypt ===== | ===== Configuration des certificats Let's Encrypt ===== | ||
- | J'ai configuré les certificats pour plusieurs noms de domaines et voici la procédure suivie, pour le domaine fictif " | + | === Acme.sh === |
- | + | [[https:// | |
- | J'ai utilisé l' | + | |
+ | La première chose est d' | ||
<code bash> | <code bash> | ||
- | # wget https:// | + | # apt install socat |
- | --2018-01-10 02: | + | # curl https://get.acme.sh | sh |
- | Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133 | + | </code> |
- | Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|: | + | |
- | HTTP request sent, awaiting response... 200 OK | + | |
- | Length: 9179 (9.0K) [text/plain] | + | |
- | Saving to: ‘/ | + | |
- | /usr/local/bin/acme-tiny.py | + | Ensuite, il faut avoir un domaine déjà configuré en HTTP, avec un dossier accessible. Une fois que c'est fait, il n'y a plus qu'à suivre les [[https://github.com/Neilpang/acme.sh#2-just-issue-a-cert|exemples sur le github du projet]] : |
- | 2018-01-10 02:30:22 (51.4 MB/s) - ‘/usr/local/bin/ | + | <code bash> |
+ | # acme.sh | ||
</ | </ | ||
- | On crée un dossier pour Let's Encrypt, avec les bons droits | + | __**Bonus :**__ L'installation d' |
<code bash> | <code bash> | ||
- | # mkdir /etc/ | + | 4 0 * * * "/root/.acme.sh" |
- | # chown root: | + | |
- | # chmod 750 /etc/letsencrypt/ | + | |
</ | </ | ||
- | On se déplace dans le dossier qu'on vient de créer : | + | == Choisir une clé ECC et sa taille == |
<code bash> | <code bash> | ||
- | # cd /etc/letsencrypt/ | + | # acme.sh --issue -d plouf.com -d www.plouf.com -w /var/www/plouf/ --keylength ec-384 |
</ | </ | ||
- | Et on lance la génération d'une clé privée : | + | == Wildcard == |
<code bash> | <code bash> | ||
+ | $ acme.sh --issue -d artanux.be -d ' | ||
</ | </ | ||
+ | Détails sur la page [[acme.sh]]. | ||
+ | == Arrêter le renouvellement d'un certificat == | ||
+ | Les explications sont sur [[https:// | ||
+ | <code bash> | ||
+ | # rm -r ~/ | ||
+ | </ | ||
+ | |||
+ | === Certbot === | ||
+ | <WRAP center round important 60%> | ||
+ | Cette partie est un peu ancienne et plus forcément pertinente... | ||
+ | </ | ||
+ | |||
+ | J'ai configuré les certificats pour plusieurs noms de domaines et voici la procédure suivie, pour le domaine fictif " | ||
- | NOUVELLE SOLUTION : | + | On commence par activer les backports (sous Stretch) afin de bénéficier de la version de [[certbot]] la plus récente. |
<code bash> | <code bash> | ||
- | # apt install python-certbot-apache | + | # vim /etc/apt/ |
+ | # | ||
+ | # Backports repository | ||
+ | deb http:// | ||
</ | </ | ||
- | <hidden> | + | |
+ | Dans mon cas, après installation sans les backports, certbot était en version 0.10 alors qu' | ||
+ | |||
+ | <code bash> | ||
+ | # apt-get -t stretch-backports install python-certbot-apache | ||
+ | </ | ||
<code bash> | <code bash> | ||
- | Reading package lists... Done | + | # certbot --version |
- | Building dependency tree | + | certbot |
- | Reading state information... Done | + | |
- | The following additional packages will be installed: | + | |
- | augeas-lenses | + | |
- | | + | |
- | python-rfc3339 python-tz python-urllib3 python-zope.component python-zope.event python-zope.hookable python-zope.interface | + | |
- | Suggested packages: | + | |
- | augeas-doc python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc python-configobj-doc python-funcsigs-doc | + | |
- | python-mock-doc python-openssl-doc python-openssl-dbg python-psutil-doc python-socks python-ntlm | + | |
- | The following NEW packages will be installed: | + | |
- | augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot python-certbot-apache python-chardet python-configargparse | + | |
- | python-configobj python-dnspython python-funcsigs python-mock python-openssl python-parsedatetime python-pbr python-psutil python-pyicu | + | |
- | python-requests python-rfc3339 python-tz python-urllib3 python-zope.component python-zope.event python-zope.hookable | + | |
- | python-zope.interface | + | |
- | 0 upgraded, 26 newly installed, 0 to remove and 0 not upgraded. | + | |
- | Need to get 2,133 kB of archives. | + | |
- | After this operation, 9,863 kB of additional disk space will be used. | + | |
- | Do you want to continue? [Y/n] | + | |
- | (...) | + | |
</ | </ | ||
+ | |||
+ | <WRAP center round alert 60%> | ||
+ | Sur une installation plus récente, j'ai du passer par [[pip]] pour installer certbot 0.21. L' | ||
+ | </ | ||
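Review bot: the acme.sh install step `# curl https://get.acme.sh | sh` pipes an unreviewed remote script straight into a root shell; fetch it to a file first, read it and compare it with the installer in the project's GitHub repository linked just above before executing it, or install acme.sh from a distribution package where one exists. A second point in the same hunk: the wildcard example `$ acme.sh --issue -d artanux.be -d '...` switches from the fictional plouf.com used in the rest of the walkthrough (and in the `--keylength ec-384` example right above it) to what looks like a real domain, so either rewrite it with plouf.com or state that it is a real-world example.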
Ligne 72: | Ligne 76: | ||
# certbot --apache | # certbot --apache | ||
Saving debug log to / | Saving debug log to / | ||
+ | Plugins selected: Authenticator apache, Installer apache | ||
Which names would you like to activate HTTPS for? | Which names would you like to activate HTTPS for? | ||
------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ||
1: plouf.com | 1: plouf.com | ||
- | 2: sous.plouf.com | + | 2: chat.plouf.com |
- | 3: piscine.plouf.com | + | 3: wiki.plouf.com |
------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ||
Select the appropriate numbers separated by commas and/or spaces, or leave input | Select the appropriate numbers separated by commas and/or spaces, or leave input | ||
- | blank to select all options shown (Enter ' | + | blank to select all options shown (Enter ' |
- | Enter email address (used for urgent renewal and security notices) (Enter ' | + | |
- | cancel): | + | |
- | + | ||
- | ------------------------------------------------------------------------------- | + | |
- | Please read the Terms of Service at | + | |
- | https:// | + | |
- | agree in order to register with the ACME server at | + | |
- | https:// | + | |
- | ------------------------------------------------------------------------------- | + | |
- | (A)gree/ | + | |
Obtaining a new certificate | Obtaining a new certificate | ||
Performing the following challenges: | Performing the following challenges: | ||
- | tls-sni-01 challenge for plouf.com | + | tls-sni-01 challenge for caliban.be |
- | tls-sni-01 challenge for sous.plouf.com | + | |
- | tls-sni-01 challenge for piscine.plouf.com | + | |
Enabled Apache socache_shmcb module | Enabled Apache socache_shmcb module | ||
Enabled Apache ssl module | Enabled Apache ssl module | ||
Waiting for verification... | Waiting for verification... | ||
Cleaning up challenges | Cleaning up challenges | ||
- | Generating key (2048 bits): / | + | Created an SSL vhost at / |
- | Creating CSR: / | + | |
- | Created an SSL vhost at / | + | |
Enabled Apache socache_shmcb module | Enabled Apache socache_shmcb module | ||
Enabled Apache ssl module | Enabled Apache ssl module | ||
- | Deploying Certificate to VirtualHost / | + | Deploying Certificate |
- | Enabling available site: / | + | Enabling available site: / |
- | An unexpected error occurred: | + | |
- | StopIteration | + | |
- | Please see the logfiles in / | + | |
- | IMPORTANT NOTES: | + | Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. |
- | - Unable | + | ------------------------------------------------------------------------------- |
- | - Congratulations! Your certificate and chain have been saved at | + | 1: No redirect - Make no further changes to the webserver configuration. |
- | / | + | 2: Redirect |
- | expire on 2018-04-10. To obtain a new or tweaked version of this | + | new sites, or if you're confident |
- | certificate in the future, simply run certbot again with the | + | change by editing your web server' |
- | " | + | ------------------------------------------------------------------------------- |
- | certificates, run " | + | Select the appropriate number [1-2] then [enter] (press ' |
- | - If you lose your account credentials, | + | Redirecting vhost in /etc/apache2/ |
- | e-mails sent to moi@simonlefort.be. | + | |
- | | + | |
- | configuration directory at /etc/letsencrypt. You should make a | + | |
- | | + | |
- | also contain certificates and private keys obtained by Certbot so | + | |
- | | + | |
- | </code> | + | |
- | <code bash> | + | ------------------------------------------------------------------------------- |
- | </code> | + | Congratulations! You have successfully enabled https://plouf.com |
- | <code bash> | + | You should test your configuration at: |
- | </code> | + | https:// |
+ | ------------------------------------------------------------------------------- | ||
- | <code bash> | + | IMPORTANT NOTES: |
- | </code> | + | - Congratulations! Your certificate and chain have been saved at: |
+ | /etc/ | ||
+ | Your key file has been saved at: | ||
+ | / | ||
+ | Your cert will expire on 2018-04-10. To obtain a new or tweaked | ||
+ | | ||
+ | with the " | ||
+ | your certificates, | ||
+ | - If you like Certbot, please consider supporting our work by: | ||
- | <code bash> | + | |
+ | | ||
</ | </ | ||
+ | On peut tester un renouvellement des certificats avec la commande suivante : | ||
<code bash> | <code bash> | ||
+ | # certbot renew --dry-run | ||
</ | </ | ||
- | <code bash> | + | Actuellement, |
- | </ | + | |
+ | ==== Clés plus longues ==== | ||
<code bash> | <code bash> | ||
+ | # certbot certonly -a webroot --rsa-key-size 4096 --webroot-path=/ | ||
</ | </ | ||
- | |||
- | <code bash> | ||
- | </ | ||
- | |||
- | <code bash> | ||
- | </ | ||
- | |||
- | <code bash> | ||
- | </ | ||
- | |||
===== Sources ===== | ===== Sources ===== | ||
* [[https:// | * [[https:// |
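Review bot: the updated transcript still shows `tls-sni-01 challenge for caliban.be`, a challenge type Let's Encrypt has since retired (current certbot and its Apache plugin validate with http-01), and the hostname is again not the fictional plouf.com announced at the top of the walkthrough; since the hunk already regenerated part of the output (it adds `Plugins selected: Authenticator apache, Installer apache`), rerun `certbot --apache` with the current version and paste that output with plouf.com throughout. The line `Your cert will expire on 2018-04-10` likewise dates the transcript to the 2018 run and will confuse readers of a 2019 revision. The `Redirecting vhost in /etc/apache2/` line records that option 2 (redirect HTTP to HTTPS) was chosen; that choice changes what the site serves over plain HTTP and deserves a sentence in the prose. Finally, the new `==== Clés plus longues ====` example uses `--rsa-key-size 4096` while the acme.sh section above recommends `--keylength ec-384`; say which is preferred or note that both are acceptable.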