LetsEncrypt » Historique » Version 9
Matthieu Herrb, 04/04/2017 15:28
| 1 | 1 | Laurent GUERBY | {{>toc}} |
|---|---|---|---|
| 2 | 1 | Laurent GUERBY | |
| 3 | 1 | Laurent GUERBY | h1. LetsEncrypt |
| 4 | 1 | Laurent GUERBY | |
| 5 | 1 | Laurent GUERBY | h2. Liens |
| 6 | 1 | Laurent GUERBY | |
| 7 | 1 | Laurent GUERBY | * https://letsencrypt.org/ |
| 8 | 1 | Laurent GUERBY | ** https://letsencrypt.readthedocs.org/en/latest/ |
| 9 | 1 | Laurent GUERBY | ** https://github.com/letsencrypt/letsencrypt |
| 10 | 2 | Laurent GUERBY | * http://www.silicon.fr/https-ovh-rapproche-lets-encrypt-134437.html |
| 11 | 1 | Laurent GUERBY | * https://www.ekito.fr/people/lets-encrypt-installation-et-renouvellement-automatique-des-certificats/ |
| 12 | 1 | Laurent GUERBY | * https://blog.imirhil.fr/2015/12/12/letsencrypt-joie-deception.html |
| 13 | 1 | Laurent GUERBY | * https://github.com/diafygi/acme-tiny |
| 14 | 1 | Laurent GUERBY | * http://www.ossir.org/resist/supports/cr/2015/2015-12-15/2015-12-15-LetsEncrypt.pdf |
| 15 | 1 | Laurent GUERBY | * https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/ |
| 16 | 3 | Laurent GUERBY | * http://www.nextinpact.com/news/97864-lets-encrypt-gandi-infomaniak-et-ovh-vont-integrer-certificats-a-leurs-offres.htm |
| 17 | 4 | Matthieu Herrb | |
| 18 | 4 | Matthieu Herrb | h2. Configuration avec acme-client |
| 19 | 4 | Matthieu Herrb | |
| 20 | 4 | Matthieu Herrb | https://kristaps.bsd.lv/acme-client/ client C orienté sécu développé par Kristaps Dzonsons |
| 21 | 4 | Matthieu Herrb | |
| 22 | 6 | Matthieu Herrb | h3. installation sur jessie |
| 23 | 4 | Matthieu Herrb | |
| 24 | 4 | Matthieu Herrb | Dépendances: |
| 25 | 4 | Matthieu Herrb | * libbsd (@apt-get install libbsd-dev@) |
| 26 | 4 | Matthieu Herrb | * libressl |
| 27 | 4 | Matthieu Herrb | <pre> |
| 28 | 4 | Matthieu Herrb | $ git clone https://github.com/libressl-portable/portable.git libressl |
| 29 | 4 | Matthieu Herrb | $ cd libressl |
| 30 | 4 | Matthieu Herrb | $ ./autogen.sh |
| 31 | 4 | Matthieu Herrb | $ ./configure --prefix=/usr/local |
| 32 | 4 | Matthieu Herrb | $ make |
| 33 | 4 | Matthieu Herrb | $ sudo make install |
| 34 | 4 | Matthieu Herrb | </pre> |
| 35 | 4 | Matthieu Herrb | |
| 36 | 4 | Matthieu Herrb | acme-client: |
| 37 | 4 | Matthieu Herrb | <pre> |
| 38 | 4 | Matthieu Herrb | $ git clone https://github.com/kristapsdz/acme-client-portable |
| 39 | 4 | Matthieu Herrb | $ cd acme-client-portable |
| 40 | 4 | Matthieu Herrb | </pre> |
| 41 | 4 | Matthieu Herrb | |
| 42 | 4 | Matthieu Herrb | Appliquer ce patch pour que l'exécutable trouve libressl dans @/usr/local@: |
| 43 | 4 | Matthieu Herrb | <pre> |
| 44 | 4 | Matthieu Herrb | diff --git a/GNUmakefile b/GNUmakefile |
| 45 | 4 | Matthieu Herrb | index 9b0ed80..3c89b4f 100644 |
| 46 | 4 | Matthieu Herrb | --- a/GNUmakefile |
| 47 | 4 | Matthieu Herrb | +++ b/GNUmakefile |
| 48 | 4 | Matthieu Herrb | @@ -43,7 +43,7 @@ CFLAGS += -DMUSL_LIBC |
| 49 | 4 | Matthieu Herrb | endif |
| 50 | 4 | Matthieu Herrb | |
| 51 | 4 | Matthieu Herrb | CFLAGS += -I/usr/local/include/libressl |
| 52 | 4 | Matthieu Herrb | -LDFLAGS += -L/usr/local/lib |
| 53 | 4 | Matthieu Herrb | +LDFLAGS += -L/usr/local/lib -Wl,-rpath /usr/local/lib |
| 54 | 4 | Matthieu Herrb | OBJS += util-portable.o |
| 55 | 4 | Matthieu Herrb | |
| 56 | 4 | Matthieu Herrb | # Do we have libseccomp installed? |
| 57 | 4 | Matthieu Herrb | </pre> |
| 58 | 4 | Matthieu Herrb | |
| 59 | 4 | Matthieu Herrb | Puis continuer: |
| 60 | 4 | Matthieu Herrb | |
| 61 | 4 | Matthieu Herrb | <pre> |
| 62 | 4 | Matthieu Herrb | $ make |
| 63 | 4 | Matthieu Herrb | $ sudo make install |
| 64 | 4 | Matthieu Herrb | </pre> |
| 65 | 5 | Matthieu Herrb | |
| 66 | 5 | Matthieu Herrb | h3. Utilisation |
| 67 | 5 | Matthieu Herrb | |
| 68 | 5 | Matthieu Herrb | Exemple: certificat pour mastodon.tetaneutral.net avec nginx |
| 69 | 5 | Matthieu Herrb | |
| 70 | 5 | Matthieu Herrb | h4. Config nginx |
| 71 | 5 | Matthieu Herrb | |
| 72 | 7 | Matthieu Herrb | <pre> |
| 73 | 7 | Matthieu Herrb | # apt-get install nginx |
| 74 | 7 | Matthieu Herrb | </pre> |
| 75 | 7 | Matthieu Herrb | |
| 76 | 7 | Matthieu Herrb | À la mode Debian: |
| 77 | 7 | Matthieu Herrb | |
| 78 | 7 | Matthieu Herrb | # @/etc/nginx/sites-available/default@: |
| 79 | 7 | Matthieu Herrb | Ajouter, pour le bootstrap du challenge sur le port 80: |
| 80 | 7 | Matthieu Herrb | <pre> |
| 81 | 7 | Matthieu Herrb | location ^~ /.well-known/acme-challenge { |
| 82 | 7 | Matthieu Herrb | default_type "text/plain"; |
| 83 | 7 | Matthieu Herrb | root /var/www/acme; |
| 84 | 7 | Matthieu Herrb | } |
| 85 | 7 | Matthieu Herrb | </pre> |
| 86 | 9 | Matthieu Herrb | # @/etc/nginx/sites/available/mastodon.conf@: |
| 87 | 9 | Matthieu Herrb | Préparer la config HTTPS (utilisée lors du renouvellement): |
| 88 | 7 | Matthieu Herrb | <pre> |
| 89 | 7 | Matthieu Herrb | map $http_upgrade $connection_upgrade { |
| 90 | 7 | Matthieu Herrb | default upgrade; |
| 91 | 7 | Matthieu Herrb | '' close; |
| 92 | 7 | Matthieu Herrb | } |
| 93 | 7 | Matthieu Herrb | |
| 94 | 7 | Matthieu Herrb | server { |
| 95 | 7 | Matthieu Herrb | listen 443 ssl; |
| 96 | 7 | Matthieu Herrb | listen [::]:443 ssl; |
| 97 | 7 | Matthieu Herrb | server_name mastodon.tetaneutral.net; |
| 98 | 7 | Matthieu Herrb | |
| 99 | 7 | Matthieu Herrb | ssl_certificate /etc/ssl/mastodon.tetaneutral.net/fullchain.pem; |
| 100 | 7 | Matthieu Herrb | ssl_certificate_key /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem; |
| 101 | 7 | Matthieu Herrb | |
| 102 | 7 | Matthieu Herrb | .... |
| 103 | 7 | Matthieu Herrb | |
| 104 | 7 | Matthieu Herrb | location ^~ /.well-known/acme-challenge { |
| 105 | 7 | Matthieu Herrb | default_type "text/plain"; |
| 106 | 7 | Matthieu Herrb | root /var/www/acme; |
| 107 | 7 | Matthieu Herrb | } |
| 108 | 7 | Matthieu Herrb | .... |
| 109 | 7 | Matthieu Herrb | } |
| 110 | 7 | Matthieu Herrb | </pre> |
| 111 | 7 | Matthieu Herrb | |
| 112 | 5 | Matthieu Herrb | h4. Preparatifs |
| 113 | 5 | Matthieu Herrb | |
| 114 | 5 | Matthieu Herrb | # récupérer un fichier @/etc/ssl/cert.pem@ pour libressl |
| 115 | 5 | Matthieu Herrb | <pre> |
| 116 | 5 | Matthieu Herrb | # cd /etc/ssl |
| 117 | 5 | Matthieu Herrb | # wget https://raw.githubusercontent.com/openbsd/src/master/lib/libcrypto/cert.pem |
| 118 | 5 | Matthieu Herrb | </pre> |
| 119 | 5 | Matthieu Herrb | # créer les dossiers |
| 120 | 5 | Matthieu Herrb | <pre> |
| 121 | 5 | Matthieu Herrb | # mkdir -p /etc/acme /etc/ssl/mastodon.tetaneutral.net/private /var/www/acme/.well-known/acme-challenge |
| 122 | 5 | Matthieu Herrb | # chmod 700 /etc/acme /etc/ssl/mastodon.tetaneutral/private |
| 123 | 5 | Matthieu Herrb | </pre> |
| 124 | 5 | Matthieu Herrb | # faire la demande initiale |
| 125 | 5 | Matthieu Herrb | <pre> |
| 126 | 5 | Matthieu Herrb | acme-client \ |
| 127 | 5 | Matthieu Herrb | -C /var/www/acme/.well-known/acme-challenge \ |
| 128 | 5 | Matthieu Herrb | -c /etc/ssl/mastodon.tetaneutral.net \ |
| 129 | 5 | Matthieu Herrb | -k /etc/ssl/matodon.tetaneutral.net/private/privkey.pem \ |
| 130 | 5 | Matthieu Herrb | -f /etc/acme/privkey.pem \ |
| 131 | 5 | Matthieu Herrb | mastodon.tetaneutral.net1 |
| 132 | 5 | Matthieu Herrb | </pre> |
| 133 | 5 | Matthieu Herrb | |
| 134 | 1 | Laurent GUERBY | Et hop on peut activer le vhost https |
| 135 | 8 | Matthieu Herrb | <pre> |
| 136 | 8 | Matthieu Herrb | # cd /etc/nginx/sites-enabled |
| 137 | 8 | Matthieu Herrb | # ln -s /etc/nginx/sites/available/mastodon.conf |
| 138 | 8 | Matthieu Herrb | # systemctl reload nginx |
| 139 | 8 | Matthieu Herrb | </pre> |
| 140 | 8 | Matthieu Herrb | |
| 141 | 5 | Matthieu Herrb | |
| 142 | 5 | Matthieu Herrb | h4. Renouvellement auto |
| 143 | 5 | Matthieu Herrb | |
| 144 | 5 | Matthieu Herrb | crontab: |
| 145 | 5 | Matthieu Herrb | <pre> |
| 146 | 5 | Matthieu Herrb | 26 2 * * * /usr/local/bin/acme-client -C /var/www/acme/.well-known/acme-challenge/ -c /etc/ssl/mastodon.tetaneutral.net -k /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem mastodon.tetaneutral.net && systemctl reload nginx |
| 147 | 5 | Matthieu Herrb | </pre> |