Letsencrypt.org: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
K (l) |
K (renew) |
||
| (21 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
Let’s Encrypt is a free, automated, and open certificate authority | Let’s Encrypt is a free, automated, and open certificate authority | ||
https://letsencrypt.org/ | https://letsencrypt.org/ and https://letsencrypt.org/howitworks/ | ||
This setup is for multidomain setup. | |||
== Config == | == Config == | ||
| Zeile 12: | Zeile 14: | ||
email = xxx@yyy.com | email = xxx@yyy.com | ||
authenticator = | authenticator = webroot | ||
agree-tos = True | agree-tos = True | ||
renew-by-default = false | |||
# Uncomment to use a text interface instead of ncurses | |||
# text = True | |||
# Uncomment to use the standalone authenticator on port 443 | |||
# authenticator = standalone | |||
# standalone-supported-challenges = tls-sni-01 | |||
# Uncomment to use the webroot authenticator. Replace webroot-path with the | |||
# path to the public_html / webroot folder being served by your web server. | |||
# authenticator = webroot | |||
webroot-path = /srv/www/_webrootauth/ | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== Apache config == | == Prerequisite: Apache config == | ||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
#/etc/apache2/conf.d/letsencrypt.conf | #/etc/apache2/conf.d/letsencrypt.conf | ||
#let's encrypt | #let's encrypt global dir | ||
<Directory "/srv/www/ | Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/ | ||
<IfModule mod_headers.c> | |||
<LocationMatch "/.well-known/acme-challenge/*"> | |||
Header set Content-Type "text/plain" | |||
</LocationMatch> | |||
</IfModule> | |||
<Directory "/srv/www/_webrootauth/.well-known/"> | |||
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
</Directory> | </Directory> | ||
</syntaxhighlight> | |||
== Create certificate via webroot (recommended) == | |||
<syntaxhighlight lang="bash"> | |||
cd ~/letsencrypt | |||
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld | |||
IMPORTANT NOTES: | |||
- Congratulations! Your certificate and chain have been saved at | |||
/etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will | |||
expire on 2016-02-17. To obtain a new version of the certificate in | |||
the future, simply run Let's Encrypt again. | |||
</syntaxhighlight> | |||
Add certificate to apache | |||
<syntaxhighlight lang="apache"> | |||
#/etc/apache2/sites-available/domain.tld | |||
... | |||
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem | |||
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem | |||
... | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== Create certificate == | == Create certificate manuell == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cd ~/letsencrypt | cd ~/letsencrypt | ||
./letsencrypt-auto certonly -d tld | ./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld | ||
Make sure your web server displays the following content at | Make sure your web server displays the following content at | ||
http://www.tld | http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing: | ||
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg | a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg | ||
| Zeile 54: | Zeile 96: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== | == Automatic renew certificates == | ||
<syntaxhighlight lang=" | see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal | ||
<syntaxhighlight lang="bash"> | |||
#renew letsencrypt | |||
2 2 * * * /root/letsencrypt/letsencrypt-auto renew -q >> /var/log/le-renew.log | |||
</syntaxhighlight> | </syntaxhighlight> | ||
to restart the services to load new certificates use renew_hook | |||
<syntaxhighlight lang="bash"> | |||
#/etc/letsencrypt/renewal/your.tld.conf | |||
... | |||
[renewalparams] | |||
... | |||
renew_hook = service postfix reload;service apache2 reload;service dovecot reload | |||
... | |||
</syntaxhighlight> | |||
== Links == | == Links == | ||
| Zeile 66: | Zeile 120: | ||
*https://community.letsencrypt.org/ | *https://community.letsencrypt.org/ | ||
*https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38 | *https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38 | ||
*https://eblog.damia.net/2015/12/03/lets-encrypt-automation-on-debian/ | |||
[[Kategorie:Security]] | [[Kategorie:Security]] | ||
[[Kategorie:WWW]] | [[Kategorie:WWW]] | ||
Aktuelle Version vom 25. August 2017, 01:13 Uhr
Let’s Encrypt is a free, automated, and open certificate authority https://letsencrypt.org/ and https://letsencrypt.org/howitworks/
This setup is for multidomain setup.
Config
/etc/letsencrypt/cli.ini
#use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = xxx@yyy.com
authenticator = webroot
agree-tos = True
renew-by-default = false
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/
Prerequisite: Apache config
#/etc/apache2/conf.d/letsencrypt.conf
#let's encrypt global dir
Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/
<IfModule mod_headers.c>
<LocationMatch "/.well-known/acme-challenge/*">
Header set Content-Type "text/plain"
</LocationMatch>
</IfModule>
<Directory "/srv/www/_webrootauth/.well-known/">
Order allow,deny
Allow from all
</Directory>
Create certificate via webroot (recommended)
cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
expire on 2016-02-17. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Add certificate to apache
#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...
Create certificate manuell
cd ~/letsencrypt
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld
Make sure your web server displays the following content at
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg
with another shell under /srv/www/xxx/htdocs
umask 022
printf "%s" a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg > .well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY
Press ENTER to continue
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/tld.com/fullchain.pem. Your cert will
expire on 2016-02-05. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Automatic renew certificates
see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal
#renew letsencrypt
2 2 * * * /root/letsencrypt/letsencrypt-auto renew -q >> /var/log/le-renew.log
to restart the services to load new certificates use renew_hook
#/etc/letsencrypt/renewal/your.tld.conf
...
[renewalparams]
...
renew_hook = service postfix reload;service apache2 reload;service dovecot reload
...