LetsEncrypt

From MK Wiki EN
Revision as of 20:16, 30 December 2021 by MkWikiEnSysOp (talk | contribs) (Added new way (certbot))

This article describes the installation and configuration of letsencrypt and its certificates on Debian Jessie. YMMV.

Installing packages

Every package after "git" would be installed by the letsencrypt-auto script anyway, but you may prefer to install them beforehand.

apt-get install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates

Fetching letsencrypt

git clone https://github.com/letsencrypt/letsencrypt

Getting a certificate

The Old Way Using Letsencrypt

cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain

Test first with "--test-cert"; once you are certain that everything works, omit this parameter to get real certificates for production use.

When the script runs, it sets up everything that is needed. It asks for your e-mail address and for your agreement to the terms of use. Once the operation has finished, all files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.

The New Way Using Certbot

certbot --nginx -d fully.qualified.domain

Configuring web server

nginx

It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command:

openssl dhparam -out /etc/nginx/dhparam.pem 4096

Adjust the path and the size (4096) to your requirements. Generating 4096-bit parameters can take a long time (half an hour would not be a surprise).

server {
    listen 443;
    server_name fully.qualified.domain;

    root /var/www;
    index index.html index.htm;

    error_page 404 /404.html;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }
}

Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@domain
        ServerName fully.qualified.domain

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        # Logjam protection
        SSLProtocol             all -SSLv2 -SSLv3
        # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

        SSLHonorCipherOrder     on
</VirtualHost>
</IfModule>
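A post-issuance check that ties the sections above together: it verifies the files in /etc/letsencrypt/live/fully.qualified.domain/ that the "Getting a certificate" step produces (all three present, private key matching the leaf certificate, enough validity left), inspects the vhost config for TLS 1.0/1.1 (both the nginx "ssl_protocols" line and the Apache "SSLProtocol all -SSLv2 -SSLv3" line above still enable them, and both versions are deprecated by RFC 8996), and reloads the web server only after its own config test passes. This is an added example, not a script from the wiki or from the letsencrypt/certbot projects; the function names, the LE_LIVE_ROOT override and the le-verify.sh file name are this example's own assumptions, and it relies on the standard nginx, apache2ctl and openssl command-line tools being installed.

```shell
#!/bin/sh
# Post-issuance checks for a Let's Encrypt certificate. Added example for this
# page, not part of the wiki's instructions. Assumes the live directory layout
# shown above (/etc/letsencrypt/live/<domain>/); the function names and the
# LE_LIVE_ROOT override are this example's own.
set -u

# Directory where letsencrypt-auto / certbot keeps the current files for a domain.
le_live_dir() {
    printf '%s\n' "${LE_LIVE_ROOT:-/etc/letsencrypt/live}/$1"
}

# 0 if fullchain.pem, privkey.pem and chain.pem are all present and non-empty.
check_files() {
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
}

# 0 if privkey.pem belongs to the leaf certificate in fullchain.pem (same public
# key); a mismatch makes the server refuse to start or fail every handshake.
check_key_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem") || return 1
    key_pub=$(openssl pkey -pubout -in "$1/privkey.pem") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate stays valid for at least $2 more days (default 30).
check_expiry() {
    days=${2:-30}
    openssl x509 -noout -in "$1/fullchain.pem" -checkend $((days * 86400)) >/dev/null
}

# 0 if the web server config enables no TLS 1.0 / 1.1. Understands the nginx
# directive "ssl_protocols ..." (explicit list) and the Apache directive
# "SSLProtocol ..." ("all" includes TLSv1/TLSv1.1 unless they are removed).
check_protocols() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/;$/, "", v)
                if (v == "TLSv1" || v == "TLSv1.1") bad = 1
            }
        }
        tolower($1) == "sslprotocol" {
            all = 0; drop1 = 0; drop11 = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "all" || $i == "+all") all = 1
                if ($i == "-TLSv1") drop1 = 1
                if ($i == "-TLSv1.1") drop11 = 1
                if ($i ~ /^[+]?TLSv1(\.1)?$/) bad = 1
            }
            if (all && !(drop1 && drop11)) bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Test the config first and reload only when it passes, so a typo never takes
# the site down with it.
reload_webserver() {
    case "$1" in
        nginx)  nginx -t && nginx -s reload ;;
        apache) apache2ctl configtest && apache2ctl graceful ;;
        *)      echo "unknown web server: $1" >&2; return 2 ;;
    esac
}

# verify_all <domain> <nginx|apache> <path to the vhost config>
verify_all() {
    dir=$(le_live_dir "$1")
    check_files "$dir" && check_key_matches "$dir" && check_expiry "$dir" 30 \
        && check_protocols "$3" && reload_webserver "$2"
}

# Usage: sh le-verify.sh verify fully.qualified.domain nginx /etc/nginx/sites-enabled/fully.qualified.domain
case "${1:-}" in
    verify) verify_all "$2" "$3" "$4" ;;
esac
```

Run it as root right after the certonly / certbot step and again after editing the vhost; a non-zero exit means one of the checks failed and the server was not reloaded. The protocol check is deliberately conservative: it only reports TLS 1.0/1.1, and drops them from the "ssl_protocols" list (nginx) or appends "-TLSv1 -TLSv1.1" to "SSLProtocol" (Apache) is the fix it expects.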