Let's Encrypt installation - renewing multiple domains - HTTPS with Nginx or Apache
1. Installing the Let's Encrypt client
apt-get update
apt-get -y install git bc
git clone https://github.com/certbot/certbot /opt/certbot
Let's Encrypt (certbot) is now installed in /opt/certbot.
2. Creating the configuration file
mkdir /usr/local/etc/letsencrypt
vi /usr/local/etc/letsencrypt/example.com.ini
Contents of /usr/local/etc/letsencrypt/example.com.ini:
    # This is an example of the kind of things you can do in a configuration file.
    # All flags used by the client can be configured here. Run Let's Encrypt with
    # "--help" to learn more about the available options.
    # Use a 4096 bit RSA key instead of 2048
    rsa-key-size = 4096
    email = yourcontact@gmail.com
    domains = example.com,www.example.com
    webroot-path = /var/www/example-webroot
3. Obtaining the certificate
cd /opt/certbot
./certbot-auto certonly --config /usr/local/etc/letsencrypt/example.com.ini --webroot
ls /etc/letsencrypt/live/example.com
4. Nginx server configuration
vi /etc/nginx/sites-available/example
    server {
        server_name www.example.com example.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        root /var/www/example;
        index index.php index.html index.htm;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        # pass the PHP scripts to the FastCGI server listening on the php-fpm socket
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    server {
        listen 80;
        # Redirect all requests on port 80 to https
        # (server_name takes space-separated names; a comma would become part of the name)
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }
Save and quit, then restart Nginx:
service nginx restart
You can now check that the URL example.com is indeed served over HTTPS.
4 bis. Apache server configuration
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www
        <Directory /var/www/>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
        SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
    <VirtualHost *:80>
        # Redirect all traffic on port 80 to https
        ServerName example.com
        RedirectMatch permanent ^(.*)$ https://example.com$1
    </VirtualHost>
Enable the SSL module in Apache:
a2enmod ssl
5. Setting up automatic renewal
Let's Encrypt certificates are valid for 90 days, so we have to renew them before then. Renewing by hand is out of the question.
apt-get install curl
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/spiderneo/3f4b66c4282809e228f2/raw/e62f6f63e52cf3814c790b72c453a575add29b04/le-renew-webroot
chmod +x /usr/local/sbin/le-renew-webroot
Test the script:
le-renew-webroot
Output:
Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).
Add a line to the crontab:
crontab -e
30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
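As an added example, not the le-renew-webroot gist from the post: a small POSIX shell script that reproduces the decision that renewal script makes. It reads the first name of the domains= line in the .ini file (that name is the directory under /etc/letsencrypt/live), computes how many days the live certificate has left with openssl, and only calls certbot-auto (with --renew-by-default, as in step 6) when fewer than a threshold number of days remain. It assumes openssl is installed and certbot is cloned in /opt/certbot as in step 1; the 30-day threshold, the function names and the use of "service nginx reload" are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the gist script from the post): decide whether the
# Let's Encrypt certificate for a domain needs renewal, then renew it with
# certbot-auto only when needed. Assumes openssl is installed and certbot is
# cloned in /opt/certbot as in step 1. RENEW_BEFORE_DAYS is a chosen value.

RENEW_BEFORE_DAYS=30
CERTBOT_DIR=/opt/certbot

# ini_first_domain FILE: print the first entry of the "domains = a,b" line of
# a certbot .ini file; certbot names the live/ directory after it.
ini_first_domain() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# cert_days_left CERT_PEM: print the whole days until the certificate expires.
# "openssl x509 -checkend N" succeeds iff the certificate is still valid N
# seconds from now, so a binary search on N yields the remaining lifetime
# without parsing dates (which POSIX date(1) cannot do portably).
# Exit status 2 when the file is missing or unreadable.
cert_days_left() {
    cert="$1"
    [ -r "$cert" ] || return 2
    # already expired (or expiring this very second): 0 days left
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
    lo=0
    hi=$((400 * 86400))   # Let's Encrypt certs live 90 days; 400 days is a safe cap
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if openssl x509 -in "$cert" -noout -checkend "$mid" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $((lo / 86400))
}

# cert_needs_renewal CERT_PEM [DAYS]: exit 0 when fewer than DAYS days remain
# (renew now), 1 when the certificate is still fine, 2 when it is unreadable.
cert_needs_renewal() {
    days_left=$(cert_days_left "$1") || return 2
    [ "$days_left" -lt "${2:-$RENEW_BEFORE_DAYS}" ]
}

# renew_domain INI_FILE [force]: the body of the weekly cron job. With "force"
# it skips the expiry check, like step 6. A missing certificate (status 2)
# is treated as "needs renewal" so a first issuance also works.
renew_domain() {
    ini="$1"
    domain=$(ini_first_domain "$ini")
    [ -n "$domain" ] || { echo "no domains= line in $ini" >&2; return 2; }
    cert="/etc/letsencrypt/live/$domain/cert.pem"
    if [ "$2" != "force" ]; then
        echo "Checking expiration date for $domain..."
        if ! cert_needs_renewal "$cert"; then
            echo "The certificate is up to date, no need for renewal ($(cert_days_left "$cert") days left)."
            return 0
        fi
    fi
    # a reload is enough for nginx to pick up the new files under live/
    "$CERTBOT_DIR/certbot-auto" certonly -a webroot --renew-by-default --config "$ini" \
        && service nginx reload
}

# Usage from cron (see step 5):
#   renew_domain /usr/local/etc/letsencrypt/example.com.ini
[ $# -gt 0 ] && renew_domain "$@"
```

Because the expiry check only needs the certificate file and openssl, it can be run by hand against any cert.pem in /etc/letsencrypt/live to see what the cron job will decide.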
6. Options - forcing the renewal of a domain
cd /opt/certbot
./certbot-auto certonly -a webroot --renew-by-default --config /usr/local/etc/letsencrypt/example.com.ini
Restart Nginx:
service nginx restart
7. acme-challenge creation problem: 403 or 404 on Apache
With my Apache config it was impossible to validate the challenge URL (who knows why). Every time I got a 403 error: the .well-known folder was inaccessible.
To work around this, we redirect requests to a subfolder whose name has no leading dot.
mkdir -p /srv/www/acme-challenges/
vi /etc/apache2/conf-enabled/acme-challenges.conf
Paste this configuration to send requests for /.well-known/acme-challenge to /srv/www/acme-challenges:
    Alias /.well-known/acme-challenge /srv/www/acme-challenges
    <Directory "/srv/www/acme-challenges">
        Options -Indexes
        AllowOverride all
        Require all granted
    </Directory>
Create the symbolic link so that the files Certbot writes under .well-known/acme-challenge end up in the new directory:
cd /var/www/example.com/.well-known/
ln -s /srv/www/acme-challenges/ acme-challenge
Rerun your certbot-auto command, and voilà.
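An added pre-flight check for this step (example code, not from the post): the 403/404 comes from Certbot writing its token in one directory while the web server serves another. The function below writes a throw-away token exactly where Certbot would (<webroot>/.well-known/acme-challenge/), checks that it shows up in the directory the Alias serves, and, when a base URL is given, fetches it over plain HTTP with curl the way the CA will. The webroot /var/www/example.com and the served directory /srv/www/acme-challenges follow the paths used above; the function name and the token contents are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): verify that the directory certbot writes
# challenge tokens into is the one the web server actually serves, before
# running certbot-auto. Paths in the usage note are the ones from step 7.

# acme_path_check WEBROOT SERVED_DIR [BASE_URL]
# Exit 0 when a token written under WEBROOT/.well-known/acme-challenge/ is
# visible in SERVED_DIR (and, with BASE_URL, retrievable over HTTP);
# exit 1 on any mismatch. The token is removed afterwards.
acme_path_check() {
    webroot="$1"; served="$2"; base_url="$3"
    challenge_dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"          # unique enough for a local test
    # mkdir -p is a no-op when acme-challenge already exists (dir or symlink)
    mkdir -p "$challenge_dir" || return 1
    printf 'preflight\n' > "$challenge_dir/$token" || return 1
    rc=0
    if [ ! -f "$served/$token" ]; then
        echo "mismatch: $challenge_dir is not the directory served as $served" >&2
        rc=1
    elif [ -n "$base_url" ]; then
        # -f makes curl fail on 403/404, which is exactly the error from step 7
        body=$(curl -fsS "$base_url/.well-known/acme-challenge/$token") || body=""
        if [ "$body" != "preflight" ]; then
            echo "HTTP fetch of the token failed: check the Alias, Directory and any .htaccess" >&2
            rc=1
        fi
    fi
    rm -f "$challenge_dir/$token"
    return $rc
}

# Usage with the paths from step 7:
#   acme_path_check /var/www/example.com /srv/www/acme-challenges http://example.com
[ $# -gt 0 ] && acme_path_check "$@"
```

Run it without the URL first to validate the symlink, then with the URL to validate the Apache Alias and Directory block; both must pass before the CA can fetch the real token.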
Wildcard
apt-get install certbot python-certbot-apache
apt-get install python3-certbot-dns-ovh