Let's Encrypt
Let's Encrypt is a project backed by the Internet Security Research Group (ISRG). Its goal is to let anyone obtain SSL/TLS certificates free of charge in order to secure connections.
Configuring Let's Encrypt certificates
I set up certificates for several domain names; here is the procedure I followed, for the fictitious domain “plouf.com”.
I used the acme-tiny tool. Start by downloading and installing it. Note that this fetches the script straight from the master branch of the GitHub repository, with nothing but the HTTPS connection to vouch for it: read the script (it is small) before letting it handle your ACME account key.
# wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O /usr/local/bin/acme-tiny.py
--2018-01-10 02:30:22--  https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9179 (9.0K) [text/plain]
Saving to: ‘/usr/local/bin/acme-tiny.py’

/usr/local/bin/acme-tiny.py   100%[================================================================>]   8.96K  --.-KB/s    in 0s

2018-01-10 02:30:22 (51.4 MB/s) - ‘/usr/local/bin/acme-tiny.py’ saved [9179/9179]
Create a directory for Let's Encrypt, with appropriate permissions (owned by root, readable by the ssl-cert group, no access for anyone else):
# mkdir /etc/letsencrypt
# chown root:ssl-cert /etc/letsencrypt/
# chmod 750 /etc/letsencrypt/
Move into the directory just created:
# cd /etc/letsencrypt/
The next step would be to generate a private key for acme-tiny:
NEW SOLUTION (replacing the acme-tiny steps above): use certbot with its Apache plugin instead.
# apt install python-certbot-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot python-chardet
  python-configargparse python-configobj python-dnspython python-funcsigs python-mock
  python-openssl python-parsedatetime python-pbr python-psutil python-pyicu python-requests
  python-rfc3339 python-tz python-urllib3 python-zope.component python-zope.event
  python-zope.hookable python-zope.interface
Suggested packages:
  augeas-doc python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc
  python-configobj-doc python-funcsigs-doc python-mock-doc python-openssl-doc
  python-openssl-dbg python-psutil-doc python-socks python-ntlm
The following NEW packages will be installed:
  augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot
  python-certbot-apache python-chardet python-configargparse python-configobj
  python-dnspython python-funcsigs python-mock python-openssl python-parsedatetime
  python-pbr python-psutil python-pyicu python-requests python-rfc3339 python-tz
  python-urllib3 python-zope.component python-zope.event python-zope.hookable
  python-zope.interface
0 upgraded, 26 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,133 kB of archives.
After this operation, 9,863 kB of additional disk space will be used.
Do you want to continue? [Y/n]
(...)
# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: plouf.com
2: sous.plouf.com
3: piscine.plouf.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1,2,3
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):mon@mail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for plouf.com
tls-sni-01 challenge for sous.plouf.com
tls-sni-01 challenge for piscine.plouf.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Created an SSL vhost at /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/vps89550.ovh.net-le-ssl.conf
An unexpected error occurred:
StopIteration
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/caliban.be/fullchain.pem. Your cert will expire on
   2018-04-10. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again with the "certonly" option. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through e-mails sent to
   moi@simonlefort.be.
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this folder
   now. This configuration directory will also contain certificates and private
   keys obtained by Certbot so making regular backups of this folder is ideal.

Two things to read out of this run. First, the certificate was issued but the Apache plugin crashed (StopIteration) before installing it, so the files exist under /etc/letsencrypt/live/ but no vhost uses them yet; that part has to be finished by hand. Second, the output dates from January 2018: the tls-sni-01 challenge and the acme-v01 directory shown here have since been retired by Let's Encrypt, so a current certbot will validate with http-01 (or dns-01) against the ACME v2 endpoint instead. The transcript was also only partly anonymised: the domain list shows the fictitious plouf.com while the vhost file name, the live/ directory and the recovery address show the real host.
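Since the plugin failed to install the certificate, here is what the missing step looks like. This is an added example, not the page's own configuration and not something certbot generated: a minimal pair of Apache vhosts for the fictitious plouf.com that uses the files certbot places under /etc/letsencrypt/live/. The directory name plouf.com and the DocumentRoot are assumptions (the output above actually shows caliban.be); fullchain.pem and privkey.pem are the standard file names certbot creates there.

```apache
# /etc/apache2/sites-available/plouf.com-le-ssl.conf   (added example, not from the page)

# Plain-HTTP vhost: keep it so the ACME http-01 challenge can be answered,
# and redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName plouf.com
    ServerAlias sous.plouf.com piscine.plouf.com

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName plouf.com
    ServerAlias sous.plouf.com piscine.plouf.com
    DocumentRoot /var/www/plouf.com        # assumed path

    SSLEngine on
    # "live/<name>/" holds symlinks to the most recent issuance, so a renewal
    # only needs an Apache reload, never a config change.
    SSLCertificateFile    /etc/letsencrypt/live/plouf.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/plouf.com/privkey.pem

    # Refuse legacy protocol versions; the default cipher list of a current
    # distribution is otherwise acceptable.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # HSTS: only enable once every listed name really serves HTTPS, since
    # browsers will then refuse plain HTTP for max-age seconds.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
```

The RewriteRule and Header directives need mod_rewrite and mod_headers (`a2enmod rewrite headers`; mod_ssl was already enabled by certbot above). Run `apachectl configtest` before `systemctl reload apache2`, then check the served chain from outside with `openssl s_client -connect plouf.com:443 -servername plouf.com` and confirm that the issuer is Let's Encrypt and that the names match.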
Sources
let_s_encrypt.1515548913.txt.gz · Last modified: 2020/08/09 12:59 (external edit)