LetsEncrypt
This article describes installation and configuration of letsencrypt and its certificates using Debian Jessie. YMMV.
Installation of certbot
Manual installation using git
Installing prerequisite packages
Every package after "git" would be installed by the letsencrypt-auto script anyway, but you might want to have the packages installed beforehand.
apt install -y git python python-dev python-virtualenv gcc dialog libssl-dev libffi-dev ca-certificates
Fetching letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
Installation using snap
apt install snapd
snap install core
snap install certbot --classic
Installation using Python infrastructure
This is useful especially when snap cannot be used, i.e. when running "snap install" produces the error message
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
In that case certbot can be installed using pip inside a Python virtual environment:
apt install python3-pip python3-venv
python3 -m venv certbotenv
source certbotenv/bin/activate
pip3 install certbot
Getting a certificate
The Old Way Using Letsencrypt
cd letsencrypt
./letsencrypt-auto --test-cert certonly --webroot -w /var/www -d fully.qualified.domain
First, test with "--test-cert"; once you're certain that everything works, just omit this parameter to get real certificates for production use.
When the script runs, it sets up everything that's needed. It asks you for your e-mail address and whether you agree to the terms of use. Once the operation is finished, all the files created by the script are located in /etc/letsencrypt/live/fully.qualified.domain/.
The New Way Using Certbot
certbot --nginx -d fully.qualified.domain
Configuring web server
nginx
It is wise to have a dhparam.pem file in /etc/nginx. It can be created using this command:
openssl dhparam -out /etc/nginx/dhparam.pem 4096
Adjust the path and the size (4096) to your requirements. Generating 4096-bit parameters can take a pretty long time (half an hour wouldn't be a surprise).
server {
    listen 443;
    server_name fully.qualified.domain;
    root /var/www;
    index index.html index.htm;
    error_page 404 /404.html;

    # 'ssl on' is deprecated in newer nginx releases; there, use 'listen 443 ssl;' instead
    ssl on;
    ssl_certificate /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fully.qualified.domain/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
    # TLSv1 and TLSv1.1 are obsolete; current deployments should allow only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }
}
Apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@domain
    ServerName fully.qualified.domain
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/yourdomain_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/yourdomain_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/fully.qualified.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fully.qualified.domain/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/fully.qualified.domain/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Logjam protection
    # Note: "all -SSLv2 -SSLv3" still permits the obsolete TLSv1 and TLSv1.1
    SSLProtocol all -SSLv2 -SSLv3
    # http://serverfault.com/questions/693306/trying-to-mitigate-logjam-on-apache-2-2-16
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
    SSLHonorCipherOrder on
</VirtualHost>
</IfModule>
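As an added example that is not part of the original page, the following stdlib-only Python check reads an nginx or Apache vhost fragment like the two above and reports enabled obsolete protocol versions, weak cipher entries, cipher entries without forward secrecy, and the legacy nginx "ssl on" directive. The embedded fragments are constructed abbreviations of this page's configs; treating Apache's "all" as the full protocol list below is an assumption.

```python
"""Audit an nginx or Apache TLS vhost fragment for obsolete settings (stdlib only)."""
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # broken / long-deprecated
FORWARD_SECRET = ("ECDHE", "DHE", "EECDH", "EDH", "kEDH")  # FS key exchanges
# Constructed, abbreviated fragments of the two vhosts shown on this page.
NGINX_SAMPLE = """
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:kEDH+AESGCM:!aNULL:!RC4';
"""
APACHE_SAMPLE = """
    # Logjam protection
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4
"""

def audit_tls_config(text):
    """Return findings keyed by category for an nginx or Apache config fragment."""
    findings = {"obsolete_protocols": [], "weak_ciphers": [],
                "no_forward_secrecy": [], "deprecated_directives": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comments
        if not line:
            continue
        directive, _, value = line.partition(" ")
        key, value = directive.lower(), value.strip().strip("'\"")
        if key in ("ssl_protocols", "sslprotocol"):
            # Apache "all" = every version in KNOWN_PROTOCOLS (assumption); "-X" removes X.
            enabled = set()
            for tok in value.split():
                if tok.lower() == "all":
                    enabled.update(KNOWN_PROTOCOLS)
                elif tok.startswith(("-", "!")):
                    enabled.discard(tok[1:])
                else:
                    enabled.add(tok)
            findings["obsolete_protocols"] = sorted(enabled & OBSOLETE_PROTOCOLS)
        elif key in ("ssl_ciphers", "sslciphersuite"):
            for tok in value.split(":"):
                if not tok or tok.startswith(("!", "-")):
                    continue  # exclusions never enable a suite
                if any(m in tok.upper() for m in WEAK_MARKERS):
                    findings["weak_ciphers"].append(tok)
                elif not tok.startswith(FORWARD_SECRET):
                    findings["no_forward_secrecy"].append(tok)
        elif key == "ssl" and value.lower() == "on":  # nginx-only legacy directive
            findings["deprecated_directives"].append("ssl on (use 'listen 443 ssl')")
    return findings
```

Run it against the full vhost files to see which entries of the long cipher strings above are enabled without forward secrecy (the Apache list, for instance, still enables DES-CBC3-SHA).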