LetsEncrypt
Latest revision as of 15:09, 3 February 2025
This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV.
Installation of certbot
Manual installation using git
Installing prerequisite packages
Every package after "git" would be installed by the letsencrypt-auto script anyway, but you may want to have them installed beforehand.
apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates
Fetching letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
Installation using snap
apt install snapd
snap install core
snap install certbot --classic
Installation using Python infrastructure
Especially when snap cannot be used (the message error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: appears when "snap install" is run), certbot can be installed using pip:
apt install python3-pip python3-venv
python3 -m venv certbotenv
source certbotenv/bin/activate
pip3 install certbot certbot-nginx certbot-apache
Hint: Depending on the web server you use, install only the matching plugin, certbot-nginx or certbot-apache.
Getting a certificate
The Old Way Using Letsencrypt
cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain
First, test with "--test-cert"; once you are certain that everything works, omit this parameter to get real certificates for production use.
When the script runs, it sets up everything that is needed. It asks for your e-mail address and asks you to accept the terms of use. Once the operation has finished, all files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.
The New Way Using Certbot
certbot --nginx -d fully.qualified.domain
Configuring web server
nginx
It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command:
openssl dhparam -out /etc/nginx/dhparam.pem 4096
Adjust the path and the size (4096) to your requirements. Generating 4096-bit parameters can take a long time (half an hour would not be a surprise).
server {
    listen 443;
    server_name fully.qualified.domain;
    root /var/www;
    index index.html index.htm;
    error_page 404 /404.html;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }
}
Apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@domain
    ServerName fully.qualified.domain
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Logjam protection
    SSLProtocol all -SSLv2 -SSLv3
    # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
    SSLHonorCipherOrder on
</VirtualHost>
</IfModule>
Scripts To Execute Upon Renewal
/etc/letsencrypt/renewal-hooks/deploy
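As an added example (not a script from this wiki page or from certbot itself), the following deploy hook shows what belongs in that directory: certbot runs every executable file in /etc/letsencrypt/renewal-hooks/deploy/ once per certificate that was actually renewed, exporting RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (the names on the certificate). The hook checks that the lineage is sane (files present, private key not world-readable) before reloading the services that use it, so a broken renewal fails loudly instead of reloading a web server onto missing files. The domain-to-service mapping and the unit names are assumptions for illustration.

```shell
#!/bin/sh
# Added example deploy hook for /etc/letsencrypt/renewal-hooks/deploy/
# (not the wiki page's own script). Install it executable, e.g. as
# /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh.
# The domain-to-service mapping below is an assumption; adjust it.
set -eu

# Map a renewed domain to the service that must pick up the new key material.
# Prints the unit name, or nothing if this host does not serve the domain.
service_for_domain() {
    case "$1" in
        fully.qualified.domain|www.fully.qualified.domain) echo "nginx" ;;
        mail.fully.qualified.domain) echo "postfix" ;;
        *) ;;
    esac
}

# Collect the distinct services for all renewed domains, one per line.
services_to_reload() {
    for d in $1; do
        service_for_domain "$d"
    done | sort -u
}

# Verify the lineage directory holds the files the web server config references
# and that the private key is not world-readable (certbot creates it 0600).
# Returns 0 if sane, 1 otherwise; the caller must not reload on a broken lineage.
# find -L follows the live/ symlinks so the archive file's mode is checked.
lineage_is_sane() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    if find -L "$lineage/privkey.pem" -perm -004 | grep -q .; then
        echo "$lineage/privkey.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# Only act when invoked by certbot (it sets RENEWED_LINEAGE). With set -e,
# a failed sanity check aborts the hook and certbot reports the failure.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_is_sane "$RENEWED_LINEAGE"
    for svc in $(services_to_reload "${RENEWED_DOMAINS:-}"); do
        systemctl reload "$svc"
    done
fi
```

The hook uses reload rather than restart so existing connections survive, and it deliberately does nothing when run outside certbot, which makes it safe to test by hand with RENEWED_LINEAGE and RENEWED_DOMAINS set in the environment.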