LetsEncrypt: Difference between revisions
(Installation) |
|||
Line 1: | Line 1: | ||
This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV. | This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV. | ||
== Installing packages == | == Installation of certbot == | ||
=== Manual installation using git === | |||
==== Installing prerequisite packages ==== | |||
Every package after "git" would be installed by the letsencrypt-auto script, but you might want to have the packages installed before. | Every package after "git" would be installed by the letsencrypt-auto script, but you might want to have the packages installed before. | ||
Line 7: | Line 11: | ||
apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates | apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates | ||
== Fetching letsencrypt == | ==== Fetching letsencrypt ==== | ||
git clone https://github.com/letsencrypt/letsencrypt | git clone https://github.com/letsencrypt/letsencrypt | ||
=== Installation using snap === | |||
apt install snapd | |||
snap install core | |||
snap install certbot --classic | |||
== Getting a certificate == | == Getting a certificate == |
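Review bot: the new "=== Installation using snap ===" section consists of three bare commands with no sentence explaining what they install or when to choose this path, whereas the git section explains what letsencrypt-auto does with the prerequisite packages; one line saying that the snap provides the certbot command used later under "The New Way Using Certbot" would tell the reader which path to follow. The renamed top-level heading now says "Installation of certbot" but the git path still clones https://github.com/letsencrypt/letsencrypt, so the two subsections should state that they are alternatives rather than steps to perform in sequence.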
Revision as of 19:09, 3 June 2022
This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV.
Installation of certbot
Manual installation using git
Installing prerequisite packages
Every package after "git" would be installed by the letsencrypt-auto script, but you might want to have the packages installed before.
apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates
Fetching letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
Installation using snap
apt install snapd
snap install core
snap install certbot --classic
Getting a certificate
The Old Way Using Letsencrypt
cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain
First, test with "--test-cert"; once you're certain that everything works, just omit this parameter to get real certificates for production use.
When the script runs, it sets up everything that's needed. It asks for your e-mail address and for your agreement to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.
The New Way Using Certbot
certbot --nginx -d fully.qualified.domain
Configuring web server
nginx
It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command:
openssl dhparam -out /etc/nginx/dhparam.pem 4096
Adjust the path and the size (4096) to your requirements. 4096 can take a pretty long time (half an hour wouldn't be a surprise).
server {
    listen 443;
    server_name fully.qualified.domain;
    root /var/www;
    index index.html index.htm;
    error_page 404 /404.html;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }
}
Apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@domain
    ServerName fully.qualified.domain
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Logjam protection
    SSLProtocol all -SSLv2 -SSLv3
    # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
    SSLHonorCipherOrder on
</VirtualHost>
</IfModule>
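The following Python script is an added example, not part of the wiki page, that audits the TLS-related directives of both virtual hosts above (the nginx one and the Apache one) for the points a reviewer would raise before putting either into production: protocol versions that are now deprecated, cipher entries that give no forward secrecy, the deprecated "ssl on;" form, "autoindex on" under the site root, and a missing Strict-Transport-Security header. The two configs embedded in it are constructed test input taken from the page with the cipher strings shortened to representative entries; the severity labels and the set of deprecated protocol versions are assumptions of this example, and the parser only understands the directive forms that appear on the page.

```python
import re

# Versions a public-facing server should no longer offer (assumption of this
# example, following current browser and IETF guidance).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# What Apache mod_ssl 2.4 expands the "all" keyword to. Builds with TLS 1.3
# support add TLSv1.3, which does not change a deprecation check.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed test input: the two virtual hosts from the wiki page, reduced to
# the directives this audit reads. The cipher strings are shortened but keep
# representative entries (forward-secret suites in nginx, static-RSA and 3DES
# suites in Apache).
NGINX_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:!aNULL:!RC4:!3DES:!MD5';
    ssl_prefer_server_ciphers on;
    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }
}
"""

APACHE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
"""


def directive(config, name):
    """Argument string of the first `name` directive, or None.

    Handles both the nginx form ("name value;") and the Apache form
    ("Name value") and strips the quotes nginx needs around a cipher string."""
    pattern = r"^\s*" + re.escape(name) + r"\s+(.*?)\s*;?\s*$"
    m = re.search(pattern, config, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip("'\"") if m else None


def enabled_protocols(config, flavor):
    """Protocol versions the host offers, after expanding Apache's all/+/- syntax."""
    value = directive(config, "ssl_protocols" if flavor == "nginx" else "SSLProtocol")
    enabled = set()
    for tok in (value or "").split():
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def non_forward_secret_ciphers(cipher_string):
    """Explicitly enabled cipher tokens whose key exchange is not (EC)DHE.

    '!' exclusions are skipped. A token counts as forward secret when it names
    a DHE, ECDHE or EDH (kEDH) exchange; bare aliases such as AES or CAMELLIA
    are reported because they also admit static-RSA suites."""
    return [tok for tok in cipher_string.split(":")
            if tok and not tok.startswith("!")
            and "DHE" not in tok and "EDH" not in tok]


def audit(config, flavor):
    """List of (severity, message) findings for one nginx or Apache virtual host."""
    findings = []
    old = enabled_protocols(config, flavor) & DEPRECATED_PROTOCOLS
    if old:
        findings.append(("high", "deprecated protocol versions offered: " + ", ".join(sorted(old))))
    ciphers = directive(config, "ssl_ciphers" if flavor == "nginx" else "SSLCipherSuite") or ""
    weak = non_forward_secret_ciphers(ciphers)
    if weak:
        findings.append(("medium", "cipher entries without forward secrecy: " + ", ".join(weak)))
    if "Strict-Transport-Security" not in config:
        findings.append(("low", "no Strict-Transport-Security header is set"))
    if flavor == "nginx":
        if directive(config, "ssl") == "on":
            findings.append(("info", "'ssl on;' is deprecated in favour of 'listen 443 ssl;'"))
        if directive(config, "autoindex") == "on":
            findings.append(("medium", "autoindex on: directory listings are served wherever no index file exists"))
    return findings


if __name__ == "__main__":
    for flavor, conf in (("nginx", NGINX_CONF), ("apache", APACHE_CONF)):
        print(f"== {flavor} ==")
        for severity, message in audit(conf, flavor):
            print(f"  [{severity}] {message}")
```

Run as-is it prints the findings for both embedded hosts; to audit a real host, read the file into a string and pass it to audit() with the matching flavor. Both page configs trip the protocol check because they still offer TLS 1.0 and 1.1; only the Apache cipher string lists static-RSA and 3DES suites, which is why the nginx host gets no cipher finding.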