LetsEncrypt » Historique » Version 5
Matthieu Herrb, 04/04/2017 10:05
| 1 | 1 | Laurent GUERBY | {{>toc}} |
|---|---|---|---|
| 2 | 1 | Laurent GUERBY | |
| 3 | 1 | Laurent GUERBY | h1. LetsEncrypt |
| 4 | 1 | Laurent GUERBY | |
| 5 | 1 | Laurent GUERBY | h2. Liens |
| 6 | 1 | Laurent GUERBY | |
| 7 | 1 | Laurent GUERBY | * https://letsencrypt.org/ |
| 8 | 1 | Laurent GUERBY | ** https://letsencrypt.readthedocs.org/en/latest/ |
| 9 | 1 | Laurent GUERBY | ** https://github.com/letsencrypt/letsencrypt |
| 10 | 2 | Laurent GUERBY | * http://www.silicon.fr/https-ovh-rapproche-lets-encrypt-134437.html |
| 11 | 1 | Laurent GUERBY | * https://www.ekito.fr/people/lets-encrypt-installation-et-renouvellement-automatique-des-certificats/ |
| 12 | 1 | Laurent GUERBY | * https://blog.imirhil.fr/2015/12/12/letsencrypt-joie-deception.html |
| 13 | 1 | Laurent GUERBY | * https://github.com/diafygi/acme-tiny |
| 14 | 1 | Laurent GUERBY | * http://www.ossir.org/resist/supports/cr/2015/2015-12-15/2015-12-15-LetsEncrypt.pdf |
| 15 | 1 | Laurent GUERBY | * https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/ |
| 16 | 3 | Laurent GUERBY | * http://www.nextinpact.com/news/97864-lets-encrypt-gandi-infomaniak-et-ovh-vont-integrer-certificats-a-leurs-offres.htm |
| 17 | 4 | Matthieu Herrb | |
| 18 | 4 | Matthieu Herrb | h2. Configuration avec acme-client |
| 19 | 4 | Matthieu Herrb | |
| 20 | 4 | Matthieu Herrb | https://kristaps.bsd.lv/acme-client/ client C orienté sécu développé par Kristaps Dzonsons |
| 21 | 4 | Matthieu Herrb | |
| 22 | 4 | Matthieu Herrb | h3. installation sur wheezy |
| 23 | 4 | Matthieu Herrb | |
| 24 | 4 | Matthieu Herrb | Dépendances: |
| 25 | 4 | Matthieu Herrb | * libbsd (@apt-get install libbsd-dev@) |
| 26 | 4 | Matthieu Herrb | * libressl |
| 27 | 4 | Matthieu Herrb | <pre> |
| 28 | 4 | Matthieu Herrb | $ git clone https://github.com/libressl-portable/portable.git libressl |
| 29 | 4 | Matthieu Herrb | $ cd libressl |
| 30 | 4 | Matthieu Herrb | $ ./autogen.sh |
| 31 | 4 | Matthieu Herrb | $ ./configure --prefix=/usr/local |
| 32 | 4 | Matthieu Herrb | $ make |
| 33 | 4 | Matthieu Herrb | $ sudo make install |
| 34 | 4 | Matthieu Herrb | </pre> |
| 35 | 4 | Matthieu Herrb | |
| 36 | 4 | Matthieu Herrb | acme-client: |
| 37 | 4 | Matthieu Herrb | <pre> |
| 38 | 4 | Matthieu Herrb | $ git clone https://github.com/kristapsdz/acme-client-portable |
| 39 | 4 | Matthieu Herrb | $ cd acme-client-portable |
| 40 | 4 | Matthieu Herrb | </pre> |
| 41 | 4 | Matthieu Herrb | |
| 42 | 4 | Matthieu Herrb | Appliquer ce patch pour que l'exécutable trouve libressl dans @/usr/local@: |
| 43 | 4 | Matthieu Herrb | <pre> |
| 44 | 4 | Matthieu Herrb | diff --git a/GNUmakefile b/GNUmakefile |
| 45 | 4 | Matthieu Herrb | index 9b0ed80..3c89b4f 100644 |
| 46 | 4 | Matthieu Herrb | --- a/GNUmakefile |
| 47 | 4 | Matthieu Herrb | +++ b/GNUmakefile |
| 48 | 4 | Matthieu Herrb | @@ -43,7 +43,7 @@ CFLAGS += -DMUSL_LIBC |
| 49 | 4 | Matthieu Herrb | endif |
| 50 | 4 | Matthieu Herrb | |
| 51 | 4 | Matthieu Herrb | CFLAGS += -I/usr/local/include/libressl |
| 52 | 4 | Matthieu Herrb | -LDFLAGS += -L/usr/local/lib |
| 53 | 4 | Matthieu Herrb | +LDFLAGS += -L/usr/local/lib -Wl,-rpath /usr/local/lib |
| 54 | 4 | Matthieu Herrb | OBJS += util-portable.o |
| 55 | 4 | Matthieu Herrb | |
| 56 | 4 | Matthieu Herrb | # Do we have libseccomp installed? |
| 57 | 4 | Matthieu Herrb | </pre> |
| 58 | 4 | Matthieu Herrb | |
| 59 | 4 | Matthieu Herrb | Puis continuer: |
| 60 | 4 | Matthieu Herrb | |
| 61 | 4 | Matthieu Herrb | <pre> |
| 62 | 4 | Matthieu Herrb | $ make |
| 63 | 4 | Matthieu Herrb | $ sudo make install |
| 64 | 4 | Matthieu Herrb | </pre> |
| 65 | 5 | Matthieu Herrb | |
| 66 | 5 | Matthieu Herrb | h3. Utilisation |
| 67 | 5 | Matthieu Herrb | |
| 68 | 5 | Matthieu Herrb | Exemple: certificat pour mastodon.tetaneutral.net avec nginx |
| 69 | 5 | Matthieu Herrb | |
| 70 | 5 | Matthieu Herrb | h4. Config nginx |
| 71 | 5 | Matthieu Herrb | |
| 72 | 5 | Matthieu Herrb | TBD |
| 73 | 5 | Matthieu Herrb | |
| 74 | 5 | Matthieu Herrb | h4. Preparatifs |
| 75 | 5 | Matthieu Herrb | |
| 76 | 5 | Matthieu Herrb | # récupérer un fichier @/etc/ssl/cert.pem@ pour libressl |
| 77 | 5 | Matthieu Herrb | <pre> |
| 78 | 5 | Matthieu Herrb | # cd /etc/ssl |
| 79 | 5 | Matthieu Herrb | # wget https://raw.githubusercontent.com/openbsd/src/master/lib/libcrypto/cert.pem |
| 80 | 5 | Matthieu Herrb | </pre> |
| 81 | 5 | Matthieu Herrb | # créer les dossiers |
| 82 | 5 | Matthieu Herrb | <pre> |
| 83 | 5 | Matthieu Herrb | # mkdir -p /etc/acme /etc/ssl/mastodon.tetaneutral.net/private /var/www/acme/.well-known/acme-challenge |
| 84 | 5 | Matthieu Herrb | # chmod 700 /etc/acme /etc/ssl/mastodon.tetaneutral/private |
| 85 | 5 | Matthieu Herrb | </pre> |
| 86 | 5 | Matthieu Herrb | # faire la demande initiale |
| 87 | 5 | Matthieu Herrb | <pre> |
| 88 | 5 | Matthieu Herrb | acme-client \ |
| 89 | 5 | Matthieu Herrb | -C /var/www/acme/.well-known/acme-challenge \ |
| 90 | 5 | Matthieu Herrb | -c /etc/ssl/mastodon.tetaneutral.net \ |
| 91 | 5 | Matthieu Herrb | -k /etc/ssl/matodon.tetaneutral.net/private/privkey.pem \ |
| 92 | 5 | Matthieu Herrb | -f /etc/acme/privkey.pem \ |
| 93 | 5 | Matthieu Herrb | mastodon.tetaneutral.net1 |
| 94 | 5 | Matthieu Herrb | </pre> |
| 95 | 5 | Matthieu Herrb | |
| 96 | 5 | Matthieu Herrb | Et hop on peut activer le vhost https |
| 97 | 5 | Matthieu Herrb | |
| 98 | 5 | Matthieu Herrb | h4. Renouvellement auto |
| 99 | 5 | Matthieu Herrb | |
| 100 | 5 | Matthieu Herrb | crontab: |
| 101 | 5 | Matthieu Herrb | <pre> |
| 102 | 5 | Matthieu Herrb | 26 2 * * * /usr/local/bin/acme-client -C /var/www/acme/.well-known/acme-challenge/ -c /etc/ssl/mastodon.tetaneutral.net -k /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem mastodon.tetaneutral.net && systemctl reload nginx |
| 103 | 5 | Matthieu Herrb | </pre> |