LetsEncrypt: Difference between revisions

From MK Wiki EN
(→ Installation of certbot: Added Installation using Python infrastructure)
mNo edit summary
 
(3 intermediate revisions by the same user not shown)
Line 28: Line 28:
  python3 -m venv certbotenv
  python3 -m venv certbotenv
  source certbotenv/bin/activate
  source certbotenv/bin/activate
  pip3 install certbot
  pip3 install certbot ''certbot-nginx certbot-apache''
 
'''Hint:''' Depending on the webserver you use, install module certbot-nginx or certbot-apache.


== Getting a certificate ==
== Getting a certificate ==
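Review bot: the new pip line installs both certbot-nginx and certbot-apache, while the hint right below it says to install one or the other depending on the web server; either drop the unused plugin from the command or reword the hint so the two agree. The two plugin names are also wrapped in wiki italics (''...'') inside a preformatted command line, which renders as emphasis rather than as part of a copyable command.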
Line 72: Line 74:
     ssl_session_cache shared:SSL:5m;
     ssl_session_cache shared:SSL:5m;


     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_protocols TLSv1.2 TLSv1.3;


     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
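Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` is only accepted by nginx 1.13.0 or later (and TLS 1.3 only works when nginx is built against OpenSSL 1.1.1 or later); on the Debian Jessie setup this article targets, nginx rejects the unknown value TLSv1.3 and `nginx -t` fails, so the section should state the minimum version or note that the TLSv1.3 token must be left out on older builds. The unchanged `ssl_ciphers` line does not govern TLS 1.3 suites at all (nginx takes those from the OpenSSL defaults) and still allows CBC/SHA1 and DSS suites; now that TLS 1.0/1.1 are gone it would be consistent to trim it to the AEAD suites in the same edit.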
Line 134: Line 136:
</IfModule>
</IfModule>
</pre>
</pre>
== Scripts To Execute Upon Renewal ==
/etc/letsencrypt/renewal-hooks/deploy
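Review bot: the new section is a bare path with no explanation. It should say that certbot runs every executable file in /etc/letsencrypt/renewal-hooks/deploy once after each successful renewal (a script without the executable bit is silently skipped), that the hook receives the renewed lineage directory in RENEWED_LINEAGE and the renewed names in RENEWED_DOMAINS, and that this is where the web server reload belongs, since nginx and Apache keep serving the old certificate until they are reloaded.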

Latest revision as of 15:09, 3 February 2025

This article describes the installation and configuration of Let's Encrypt (letsencrypt) and its certificates on Debian Jessie. YMMV.

Installation of certbot

Manual installation using git

Installing prerequisite packages

Every package after "git" would be installed by the letsencrypt-auto script anyway, but you may want to have them installed beforehand.

apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates

Fetching letsencrypt

git clone https://github.com/letsencrypt/letsencrypt

Installation using snap

apt install snapd
snap install core
snap install certbot --classic

Installation using Python infrastructure

Especially when snap cannot be used (the message "error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:" appears when "snap install" is run), certbot can be installed using pip:

apt install python3-pip python3-venv
python3 -m venv certbotenv
source certbotenv/bin/activate
pip3 install certbot certbot-nginx certbot-apache

Hint: Depending on the webserver you use, install module certbot-nginx or certbot-apache.

Getting a certificate

The Old Way Using Letsencrypt

cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain

First, test with "--test-cert"; once you are certain that everything works, omit this parameter to get real certificates for production use.

When the script runs, it sets up everything that's needed. It asks for your e-mail address and for your agreement to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.

The New Way Using Certbot

certbot --nginx -d fully.qualified.domain

Configuring web server

nginx

It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command:

openssl dhparam -out /etc/nginx/dhparam.pem 4096

Adjust the path and the size (4096) to your requirements. 4096 can take a pretty long time (half an hour wouldn't be a surprise).

server {
    # 'ssl on;' is deprecated; enabling TLS on the listen directive is the current form
    listen 443 ssl;
    server_name fully.qualified.domain;

    root /var/www;
    index index.html index.htm;

    error_page 404 /404.html;

    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
        # autoindex exposes directory listings for every path without an index file
        autoindex on;
    }
}

Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@domain
        ServerName fully.qualified.domain

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        # Logjam protection
        SSLProtocol             all -SSLv2 -SSLv3
        # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

        SSLHonorCipherOrder     on
</VirtualHost>
</IfModule>

Scripts To Execute Upon Renewal

Executable scripts placed in /etc/letsencrypt/renewal-hooks/deploy are run by certbot after every successful renewal, which makes that directory the place for reloading the web server so it picks up the new certificate.
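A deploy hook of the kind that belongs in that directory, added here as an example that is not part of the original wiki page. The file name reload-webserver.sh and the reload policy (pick nginx or Apache by which config file exists, reload only after the config test passes) are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks.

```shell
#!/bin/sh
# Deploy hook for certbot, to be saved as an executable file such as
# /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh (assumed name).
# certbot runs every executable in that directory after a successful renewal
# and exports RENEWED_LINEAGE (the live/<domain> directory) and
# RENEWED_DOMAINS (space-separated list of the renewed names).
set -eu

hook_log() { printf 'letsencrypt deploy hook: %s\n' "$*"; }

# Succeeds only when the renewed lineage contains both the chain and the key.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Prints the services to reload, decided by which web server is configured
# under the given config root (normally /etc; a parameter so it can be tested).
services_to_reload() {
    [ -e "$1/nginx/nginx.conf" ] && echo nginx
    [ -e "$1/apache2/apache2.conf" ] && echo apache2
    return 0
}

# Reloads one service, but only after its config test passes, so a broken
# config never takes the site down during an unattended renewal.
reload_service() {
    case "$1" in
        nginx)   nginx -t && systemctl reload nginx ;;
        apache2) apache2ctl configtest && systemctl reload apache2 ;;
        *)       hook_log "unknown service $1"; return 1 ;;
    esac
}

main() {
    if ! lineage_ok "$RENEWED_LINEAGE"; then
        hook_log "incomplete lineage in $RENEWED_LINEAGE, not reloading"
        return 1
    fi
    hook_log "renewed ${RENEWED_DOMAINS:-?} in $RENEWED_LINEAGE"
    for svc in $(services_to_reload /etc); do
        reload_service "$svc" && hook_log "reloaded $svc"
    done
}

# Only act when certbot invoked us; running the file by hand without the
# certbot environment does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Remember to chmod +x the file; certbot skips non-executable files in the hook directory.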