LetsEncrypt
Latest revision as of 15:11, 7 May 2025
This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie/Stretch/Buster/Bullseye/Bookworm. YMMV.
Installation of certbot
Manual installation using git
Installing prerequisite packages
Every package after "git" would be installed by the letsencrypt-auto script, but you might want to have them installed beforehand. Note that this is the legacy method for Jessie/Stretch: letsencrypt-auto (later certbot-auto) is no longer maintained, the python, python-dev and python-virtualenv packages are Python 2 and are gone from Bullseye onwards, and the repository now redirects to certbot/certbot. On current releases use snap or pip as described below.
apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates
Fetching letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
Installation using snap
    apt install snapd
    snap install core
    snap install certbot --classic
The snap also installs a systemd timer that runs "certbot renew" twice a day, so no cron entry is needed for renewal.
Installation using Python infrastructure
Especially when snap cannot be used (the message "error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:" appears when "snap install" is run, typically inside containers or on kernels without squashfs support), certbot can be installed into a Python virtual environment using pip:
    apt install python3-pip python3-venv
    python3 -m venv certbotenv
    source certbotenv/bin/activate
    pip3 install certbot certbot-nginx certbot-apache
Unlike the snap, a pip installation does not set up automatic renewal: add a cron entry or systemd timer yourself that runs certbotenv/bin/certbot renew.
Hint: Depending on the webserver you use, install module certbot-nginx or certbot-apache.
After upgrading OS
After an OS upgrade the previously created virtual environment usually no longer works, because it is bound to the Python interpreter version that was replaced (the symptom is "No module named certbot" [1]). Create a new one:
    rm -rf certbotenv/
    python3 -m venv certbotenv
    source certbotenv/bin/activate
    pip3 install certbot certbot-nginx certbot-apache
[1] https://community.letsencrypt.org/t/no-module-named-certbot/199861/2
Getting a certificate
The Old Way Using Letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain
First test with "--test-cert": it talks to the Let's Encrypt staging environment, which has relaxed rate limits but issues certificates that browsers do not trust. Once you are certain that everything works, omit this parameter to get real certificates for production use. The webroot method requires that http://fully.qualified.domain/.well-known/acme-challenge/ is served from /var/www on port 80, because that is where the validation file is placed.
When the script runs it sets up everything that is needed. It asks for your e-mail address and for your agreement to the terms of use. Once the operation is finished, all files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/ (symlinks to the current versions kept in /etc/letsencrypt/archive/).
The New Way Using Certbot
    certbot --nginx -d fully.qualified.domain
With --nginx certbot both obtains the certificate (proving control of the domain through the running nginx) and edits the matching server block to use it. To only obtain the certificate and configure the web server by hand as described below, use "certbot certonly --nginx -d fully.qualified.domain". "--test-cert" works the same way here.
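Before pointing a web server at the new lineage it is worth checking that what certbot wrote is consistent. The script below is an added example, not code from the original article or from certbot; it assumes the certbot layout of fullchain.pem and privkey.pem inside the live directory and an OpenSSL 1.1.1 or newer command line, and the function name check_lineage and the 30-day default are choices made here.

```shell
#!/bin/sh
# Added example: sanity-check what certbot wrote before a web server serves it.
# Assumes <live dir>/fullchain.pem and privkey.pem (certbot layout) and OpenSSL >= 1.1.1.
set -eu

# check_lineage LIVE_DIR DOMAIN [MIN_DAYS]
# Returns 0 when fullchain.pem and privkey.pem in LIVE_DIR are consistent and usable:
#   1. privkey.pem is the key for the leaf certificate (first cert in fullchain.pem)
#   2. the leaf's subjectAltName lists DOMAIN (browsers ignore the CN)
#   3. the leaf stays valid for at least MIN_DAYS days (default 30, certbot's renewal window)
# Returns 1 on a key or name mismatch and 2 when the certificate is about to expire.
check_lineage() {
  dir=$1
  domain=$2
  min_days=${3:-30}
  cert="$dir/fullchain.pem"
  key="$dir/privkey.pem"

  # 1. compare the public key embedded in the leaf with the one derived from the private key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "ERROR: $key does not belong to the leaf certificate in $cert" >&2
    return 1
  fi

  # 2. the name must appear as a DNS SAN entry, alone or inside the comma-separated list;
  #    dots in the domain are escaped so they do not act as regex wildcards
  pattern="DNS:$(printf '%s' "$domain" | sed 's/[.]/\\./g')(,|\$)"
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName | grep -qE "$pattern"; then
    echo "ERROR: $domain is not a subjectAltName of the leaf certificate" >&2
    return 1
  fi

  # 3. -checkend fails when the certificate expires within the given number of seconds
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "WARNING: leaf certificate expires within $min_days days; renewal is overdue" >&2
    return 2
  fi

  echo "OK: $cert matches $key, covers $domain and is valid for more than $min_days days"
}

# usage: ./check-lineage.sh /etc/letsencrypt/live/fully.qualified.domain fully.qualified.domain
if [ $# -ge 2 ]; then
  check_lineage "$@"
fi
```

Run it as root (privkey.pem is only readable by root) right after issuance and again from a renewal hook; a non-zero exit on a production lineage means the web server must not be reloaded with that material.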
Configuring web server
nginx
It is wise to have a dhparam.pem file in /etc/nginx; it supplies the group used by the DHE cipher suites in TLS 1.2 (TLS 1.3 and the ECDHE suites do not use it). It can be created using this command:
    openssl dhparam -out /etc/nginx/dhparam.pem 4096
Adjust the path and the size (4096) to your requirements. 4096 can take a pretty long time (half an hour wouldn't be a surprise); a 2048-bit group is still considered adequate, and instead of generating your own you can use the standardised ffdhe2048 group from RFC 7919.
    server {
        # "ssl on;" was deprecated in nginx 1.15 and removed in 1.25 (Bookworm and later); enable TLS on the listen directive instead
        listen 443 ssl;
        server_name fully.qualified.domain;
        root /var/www;
        index index.html index.htm;
        error_page 404 /404.html;

        ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;
        ssl_protocols TLSv1.2 TLSv1.3;
        # this list only governs TLS 1.2; the TLS 1.3 suites are fixed by the library
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparam.pem;

        location / {
            try_files $uri $uri/ =404;
            # autoindex publishes directory listings of /var/www; turn it off unless that is intended
            autoindex on;
        }
    }
Apache
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@domain
        ServerName fully.qualified.domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
        # fullchain.pem already carries the intermediate certificate(s); Apache 2.4.8 and later ignore this directive
        SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        # Logjam protection; TLS 1.0 and 1.1 are disabled as well, matching the nginx configuration
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
        # note: this list still admits static-RSA suites without forward secrecy (AES128-SHA, AES:CAMELLIA) and DES-CBC3-SHA; the nginx list above is stricter
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
        SSLHonorCipherOrder on
    </VirtualHost>
    </IfModule>
Scripts To Execute Upon Renewal
Executable files placed in /etc/letsencrypt/renewal-hooks/deploy are run by certbot once for every lineage that was actually renewed (not on every "certbot renew" run that finds nothing to do). certbot passes the renewed lineage directory and the renewed domain names to the script in the environment variables RENEWED_LINEAGE and RENEWED_DOMAINS. This is the place to reload the web server, because nginx and Apache keep the old certificate in memory until they are reloaded or restarted. Make the file executable (chmod +x), otherwise certbot skips it.
    /etc/letsencrypt/renewal-hooks/deploy
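As an added example (not from the original article or from certbot) of such a hook, the script below reloads nginx after a renewal, but only when the lineage is usable, a domain this host serves was among the renewed ones, and "nginx -t" passes. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks; the file name, the SERVED_DOMAIN variable and the two overridable command variables are assumptions made here so the hook can be dry-run without a web server.

```shell
#!/bin/sh
# Hypothetical hook /etc/letsencrypt/renewal-hooks/deploy/10-reload-webserver.sh (added example).
# certbot runs every executable file in that directory once per renewed lineage and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/fully.qualified.domain) and RENEWED_DOMAINS
# (space-separated). Run "chmod +x" on the file after creating it.
set -eu

# Overridable so the hook can be dry-run: NGINX_TEST_CMD=true NGINX_RELOAD_CMD=true ./10-reload-webserver.sh
: "${SERVED_DOMAIN:=fully.qualified.domain}"
: "${NGINX_TEST_CMD:=nginx -t}"
: "${NGINX_RELOAD_CMD:=systemctl reload nginx}"

# lineage_ok LINEAGE: refuse to deploy a lineage whose files are missing or whose key is readable by "other"
lineage_ok() {
  lineage=$1
  for f in fullchain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { echo "hook: $lineage/$f missing or unreadable" >&2; return 1; }
  done
  # -L follows the live/ -> archive/ symlink so the real file's mode is checked
  mode=$(stat -L -c '%a' "$lineage/privkey.pem")
  case $mode in
    *[1-7]) echo "hook: $lineage/privkey.pem is world-readable (mode $mode)" >&2; return 1 ;;
  esac
}

# deploy LINEAGE "DOMAIN ...": test the web server config and reload it only when a domain
# this host serves was renewed; returns non-zero if the lineage or the config is unusable
deploy() {
  lineage=$1
  domains=$2
  lineage_ok "$lineage" || return 1
  case " $domains " in
    *" $SERVED_DOMAIN "*) ;;
    *) echo "hook: $SERVED_DOMAIN not among renewed domains ($domains); nothing to do"; return 0 ;;
  esac
  # reloading with a broken config would leave nginx on the old certificate, or not running at all
  $NGINX_TEST_CMD || { echo "hook: web server config test failed, not reloading" >&2; return 1; }
  $NGINX_RELOAD_CMD
  echo "hook: reloaded web server for $lineage"
}

# certbot sets RENEWED_LINEAGE; when the file is run by hand without it, nothing happens
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Test it without waiting for a real renewal with "certbot renew --dry-run --run-deploy-hooks" (the dry run uses the staging environment and otherwise skips deploy hooks), and keep the hook's exit status meaningful: certbot logs a non-zero exit, which is how a reload that silently failed gets noticed before the old certificate expires.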