LetsEncrypt: Difference between revisions

From MK Wiki EN
Jump to navigation Jump to search
m (6 revisions imported)
 
m (Added new way (certbot))
Line 12: Line 12:


== Getting a certificate ==
== Getting a certificate ==
=== The Old Way Using Letsencrypt ===


  cd letsencrypt
  cd letsencrypt
Line 19: Line 21:


When the script runs, it setups everything that's needed. It asks you for your e-mail address and that you agree to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.
When the script runs, it setups everything that's needed. It asks you for your e-mail address and that you agree to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.
=== The New Way Using Certbot ===
certbot --nginx -d ''fully.qualified.domain''


== Configuring web server ==
== Configuring web server ==

Revision as of 20:16, 30 December 2021

This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV.

Installing packages

Every package after "git" would be installed by the letsencrypt-auto script, but you might want to have the packages installed before. 

apt-get install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates

Fetching letsencrypt

git clone https://github.com/letsencrypt/letsencrypt

Getting a certificate

The Old Way Using Letsencrypt

cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain

First, test with "--test-cert", if you're certain that everything works, just omit this parameter to get real certificates for production use.

When the script runs, it setups everything that's needed. It asks you for your e-mail address and that you agree to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.

The New Way Using Certbot

certbot --nginx -d fully.qualified.domain

Configuring web server

nginx

It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command: 

openssl dhparam -out /etc/nginx/dhparam.pem 4096

Adjust the path and the size (4096) to your requirements. 4096 can take a pretty long time (half an hour wouldn't be a surprise). 

server {
    listen 443;
    server_name fully.qualified.domain;

    root /var/www;
    index index.html index.htm;

    error_page 404 /404.html;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
    	autoindex on;
    }
}

Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@domain
        ServerName fully.qualified.domain

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        # Logjam protection
        SSLProtocol             all -SSLv2 -SSLv3
        # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

        SSLHonorCipherOrder     on
</VirtualHost>
</IfModule>
Retrieved from "https://wiki.mkcs.at/wikien/index.php?title=LetsEncrypt&oldid=333"