Version 8 (Matthieu Herrb, 04/04/2017 15:28) → Version 9/11 (Matthieu Herrb, 04/04/2017 15:28)
{{>toc}}
h1. LetsEncrypt
h2. Links
* https://letsencrypt.org/
** https://letsencrypt.readthedocs.org/en/latest/
** https://github.com/letsencrypt/letsencrypt
* http://www.silicon.fr/https-ovh-rapproche-lets-encrypt-134437.html
* https://www.ekito.fr/people/lets-encrypt-installation-et-renouvellement-automatique-des-certificats/
* https://blog.imirhil.fr/2015/12/12/letsencrypt-joie-deception.html
* https://github.com/diafygi/acme-tiny
* http://www.ossir.org/resist/supports/cr/2015/2015-12-15/2015-12-15-LetsEncrypt.pdf
* https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
* http://www.nextinpact.com/news/97864-lets-encrypt-gandi-infomaniak-et-ovh-vont-integrer-certificats-a-leurs-offres.htm
h2. Configuration with acme-client
https://kristaps.bsd.lv/acme-client/ : a security-oriented C client written by Kristaps Dzonsons
h3. Installation on jessie
Dependencies:
* libbsd (@apt-get install libbsd-dev@)
* libressl
<pre>
$ git clone https://github.com/libressl-portable/portable.git libressl
$ cd libressl
$ ./autogen.sh
$ ./configure --prefix=/usr/local
$ make
$ sudo make install
</pre>
acme-client:
<pre>
$ git clone https://github.com/kristapsdz/acme-client-portable
$ cd acme-client-portable
</pre>
Apply this patch so that the executable finds libressl in @/usr/local@:
<pre>
diff --git a/GNUmakefile b/GNUmakefile
index 9b0ed80..3c89b4f 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -43,7 +43,7 @@ CFLAGS += -DMUSL_LIBC
endif
CFLAGS += -I/usr/local/include/libressl
-LDFLAGS += -L/usr/local/lib
+LDFLAGS += -L/usr/local/lib -Wl,-rpath /usr/local/lib
OBJS += util-portable.o
# Do we have libseccomp installed?
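Review bot: the new LDFLAGS line passes the directory as a separate compiler argument ("-Wl,-rpath /usr/local/lib"): gcc forwards -rpath to ld but sees /usr/local/lib as a bare positional argument, so the pairing only holds by argument order; write "-Wl,-rpath,/usr/local/lib" (or "-Wl,-rpath=/usr/local/lib") so the path is bound to the option. Because an rpath makes the binary load whichever libssl/libcrypto sit in /usr/local/lib at run time, that directory and the libraries in it must stay root-owned and not writable by unprivileged users; a replaced library there would run with the client's access to the account and domain keys.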
</pre>
Then continue:
<pre>
$ make
$ sudo make install
</pre>
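As an added check after the build (example code, not from the wiki page and not part of acme-client itself): confirm that the installed binary resolves libssl and libcrypto from @/usr/local/lib@ (LibreSSL) rather than from Debian's OpenSSL, which is exactly what the rpath patch is meant to guarantee. It assumes GNU ldd's output format ("name => path (addr)"), the install path @/usr/local/bin/acme-client@, and LibreSSL sonames of the form libssl.so.NN; the sample ldd lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: post-install check that acme-client
# links libssl/libcrypto from /usr/local/lib (LibreSSL), not the system OpenSSL.
# Assumes GNU ldd output ("name => path (addr)") and the install path below.
set -u

# Reads ldd output on stdin. Returns 0 only if at least one libssl/libcrypto
# line was seen and every such line resolves to a file under directory $1.
libs_resolve_under() {
    want=$1
    seen=0
    bad=0
    while IFS= read -r line; do
        case $line in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        seen=$((seen + 1))
        # typical line: "libssl.so.43 => /usr/local/lib/libssl.so.43 (0x7f...)"
        # a missing library shows up as "libssl.so.43 => not found"
        path=${line#*=> }
        path=${path%% *}
        case $path in
            "$want"/*) ;;
            *) echo "unexpected resolution: $line" >&2; bad=1 ;;
        esac
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Runs ldd on a binary and applies the check above.
check_binary() {
    ldd "$1" | libs_resolve_under /usr/local/lib
}

if [ "${1:-}" = run ]; then
    if check_binary /usr/local/bin/acme-client; then
        echo "acme-client resolves libssl/libcrypto from /usr/local/lib"
    else
        echo "acme-client does NOT use the LibreSSL in /usr/local/lib" >&2
        exit 1
    fi
fi
```

Run it as @sh check-libressl.sh run@ (hypothetical file name) right after @make install@; a non-zero exit means the patch did not take effect or the system OpenSSL shadows LibreSSL.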
h3. Usage
Example: certificate for mastodon.tetaneutral.net with nginx
h4. nginx config
<pre>
# apt-get install nginx
</pre>
Debian style:
# @/etc/nginx/sites-available/default@:
Add this, to bootstrap the challenge on port 80:
<pre>
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
root /var/www/acme;
}
</pre>
# @/etc/nginx/sites-available/mastodon.conf@ (vhost for mastodon.tetaneutral.net):
Prepare the HTTPS config (used at renewal time):
<pre>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name mastodon.tetaneutral.net;
ssl_certificate /etc/ssl/mastodon.tetaneutral.net/fullchain.pem;
ssl_certificate_key /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem;
....
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
root /var/www/acme;
}
....
}
</pre>
h4. Preparation
# fetch a @/etc/ssl/cert.pem@ CA bundle for libressl
<pre>
# cd /etc/ssl
# wget https://raw.githubusercontent.com/openbsd/src/master/lib/libcrypto/cert.pem
</pre>
# create the directories
<pre>
# mkdir -p /etc/acme /etc/ssl/mastodon.tetaneutral.net/private /var/www/acme/.well-known/acme-challenge
# chmod 700 /etc/acme /etc/ssl/mastodon.tetaneutral.net/private
</pre>
# make the initial request
<pre>
# first run only: -n / -N create the account key and the domain key if they do not exist yet
acme-client -n -N \
-C /var/www/acme/.well-known/acme-challenge \
-c /etc/ssl/mastodon.tetaneutral.net \
-k /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem \
-f /etc/acme/privkey.pem \
mastodon.tetaneutral.net
</pre>
And there we go, the https vhost can be enabled:
<pre>
# cd /etc/nginx/sites-enabled
# ln -s /etc/nginx/sites-available/mastodon.conf
# systemctl reload nginx
</pre>
h4. Automatic renewal
crontab:
<pre>
26 2 * * * /usr/local/bin/acme-client -C /var/www/acme/.well-known/acme-challenge/ -c /etc/ssl/mastodon.tetaneutral.net -k /etc/ssl/mastodon.tetaneutral.net/private/privkey.pem mastodon.tetaneutral.net && systemctl reload nginx
</pre>
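The cron line above, together with the chmod step from Preparation and the port-80 challenge location from the nginx config, as a wrapper script (an added example; this is not the wiki page's or acme-client's own code). Before calling acme-client it refuses to run if the domain-key directory is not mode 700 and checks that a token dropped into the challenge directory is really served over HTTP; afterwards it reloads nginx only when @fullchain.pem@ actually changed, instead of relying on the exit status alone. The domain and paths are the page's own; the binary path @/usr/local/bin/acme-client@, curl for the HTTP check, GNU coreutils (sha256sum) and logger, the script name @acme-renew.sh@, and acme-client's exit statuses 0 (renewed), 1 (error), 2 (unchanged) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a wrapper for the cron job above.
# Before calling acme-client it checks that the domain-key directory is mode 700
# (the page's chmod step) and that the challenge directory is really served on
# port 80; afterwards it reloads nginx only if fullchain.pem actually changed.
# ACME_CLIENT, ACCOUNT_KEY and FETCH are assumptions and may be overridden.
set -u

ACME_CLIENT="${ACME_CLIENT:-/usr/local/bin/acme-client}"
ACCOUNT_KEY="${ACCOUNT_KEY:-/etc/acme/privkey.pem}"
# Command that fetches a URL and prints the body (curl is an assumption).
FETCH="${FETCH:-curl -fsS --max-time 10}"

log() { logger -t acme-renew "$*" 2>/dev/null || echo "acme-renew: $*" >&2; }

# The directory holding privkey.pem must be drwx------ (ls -ld keeps this
# portable between GNU and BSD userland).
private_dir_ok() {
    [ -d "$1" ] || { log "$1: missing"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "drwx------" ] || { log "$1: mode $mode, expected drwx------"; return 1; }
}

# sha256 of a file; empty string if it does not exist yet (first issuance).
file_digest() {
    if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; fi
}

# Drop a random token into the challenge directory and fetch it back over
# plain HTTP, the same way the CA will during the http-01 challenge.
challenge_served() {
    dir=$1
    domain=$2
    [ -d "$dir" ] || { log "$dir: missing"; return 1; }
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    echo "preflight-$token" > "$dir/$token" || { log "$dir: not writable"; return 1; }
    got=$($FETCH "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$got" = "preflight-$token" ] || { log "$domain: challenge directory is not served on port 80"; return 1; }
}

# $1 certificate dir, $2 challenge dir, $3 domain, $4 command that reloads nginx.
renew_and_reload() {
    certdir=$1
    chaldir=$2
    domain=$3
    reload=$4
    private_dir_ok "$certdir/private" || return 1
    challenge_served "$chaldir" "$domain" || return 1
    before=$(file_digest "$certdir/fullchain.pem")
    "$ACME_CLIENT" -C "$chaldir" -c "$certdir" \
        -k "$certdir/private/privkey.pem" -f "$ACCOUNT_KEY" "$domain"
    rc=$?
    # Assumed acme-client exit statuses: 0 renewed, 1 error, 2 nothing to do.
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then
        log "acme-client failed for $domain (exit $rc)"
        return 1
    fi
    after=$(file_digest "$certdir/fullchain.pem")
    if [ "$before" != "$after" ]; then
        log "certificate for $domain changed, reloading nginx"
        $reload || { log "nginx reload failed"; return 1; }
    else
        log "certificate for $domain unchanged"
    fi
}

# Only act when invoked as "acme-renew.sh run", so the functions can be
# sourced or tested without touching the real certificate.
if [ "${1:-}" = run ]; then
    renew_and_reload /etc/ssl/mastodon.tetaneutral.net \
        /var/www/acme/.well-known/acme-challenge \
        mastodon.tetaneutral.net "systemctl reload nginx"
fi
```

With this in place the crontab entry becomes @26 2 * * * /usr/local/sbin/acme-renew.sh run@ (hypothetical install path); failures are logged through syslog rather than silently skipping the reload, and a permission regression on the key directory stops the run before any key is touched.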