Letsencrypt.org: Unterschied zwischen den Versionen

Aus crazylinux.de
Zur Navigation springen Zur Suche springen
K (renew)
 
(20 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
Let’s Encrypt is a free, automated, and open certificate authority
Let’s Encrypt is a free, automated, and open certificate authority
https://letsencrypt.org/
https://letsencrypt.org/ and https://letsencrypt.org/howitworks/
 
This setup is for multidomain setup.


== Config ==
== Config ==
Zeile 12: Zeile 14:
email = xxx@yyy.com
email = xxx@yyy.com


authenticator = manual
authenticator = webroot


agree-dev-preview = True
agree-tos = True
agree-tos = True
renew-by-default = false
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/
</syntaxhighlight>
</syntaxhighlight>


== Apache config ==
== Prerequisite: Apache config ==
<syntaxhighlight lang="apache">
<syntaxhighlight lang="apache">
#/etc/apache2/conf.d/letsencrypt.conf
#/etc/apache2/conf.d/letsencrypt.conf
         #let's encrypt
         #let's encrypt global dir
         Alias /.well-known/acme-challenge/ /srv/www/xxx.de/htdocs/.well-known/acme-challenge/
 
         Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/
 
        <IfModule mod_headers.c>
          <LocationMatch "/.well-known/acme-challenge/*">
              Header set Content-Type "text/plain"
          </LocationMatch>
        </IfModule>


         <Directory "/srv/www/xxx.de/htdocs/.well-known">
         <Directory "/srv/www/_webrootauth/.well-known/">
                 Order allow,deny
                 Order allow,deny
                 Allow from all
                 Allow from all
         </Directory>
         </Directory>
</syntaxhighlight>
== Create certificate via webroot (recommended) ==
<syntaxhighlight lang="bash">
cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld


IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
  expire on 2016-02-17. To obtain a new version of the certificate in
  the future, simply run Let's Encrypt again.
</syntaxhighlight>
</syntaxhighlight>


== Create certificate ==
Add certificate to apache
<syntaxhighlight lang="apache">
#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...
</syntaxhighlight>
 
== Create certificate manuell ==
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd ~/letsencrypt
cd ~/letsencrypt
./letsencrypt-auto certonly -d tld.com -d www.tld.com
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld


Make sure your web server displays the following content at
Make sure your web server displays the following content at
http://www.tld.com/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg


Zeile 54: Zeile 96:
</syntaxhighlight>
</syntaxhighlight>


== Apache ssl ==
== Automatic renew certificates ==
<syntaxhighlight lang="apache">
see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal
SSLCertificateFile /etc/letsencrypt/live/tld.com/cert.pem
 
SSLCertificateChainFile /etc/letsencrypt/live/tld.com/chain.pem
<syntaxhighlight lang="bash">
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
#renew letsencrypt
2 2 * * *              /root/letsencrypt/letsencrypt-auto  renew -q >> /var/log/le-renew.log
</syntaxhighlight>
 
to restart the services to load new certificates use renew_hook
 
 
<syntaxhighlight lang="bash">
#/etc/letsencrypt/renewal/your.tld.conf
...
[renewalparams]
...
renew_hook = service postfix reload;service apache2 reload;service dovecot reload
...
</syntaxhighlight>
</syntaxhighlight>


Zeile 65: Zeile 120:
*https://community.letsencrypt.org/
*https://community.letsencrypt.org/
*https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38
*https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38
*https://eblog.damia.net/2015/12/03/lets-encrypt-automation-on-debian/


[[Kategorie:Security]]
[[Kategorie:Security]]
[[Kategorie:WWW]]
[[Kategorie:WWW]]

Aktuelle Version vom 25. August 2017, 00:13 Uhr

Let’s Encrypt is a free, automated, and open certificate authority https://letsencrypt.org/ and https://letsencrypt.org/howitworks/

This setup is for multidomain setup.

Config

/etc/letsencrypt/cli.ini

#use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

server = https://acme-v01.api.letsencrypt.org/directory

email = xxx@yyy.com

authenticator = webroot 

agree-tos = True

renew-by-default = false

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/

Prerequisite: Apache config

#/etc/apache2/conf.d/letsencrypt.conf
        #let's encrypt global dir

        Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/

        <IfModule mod_headers.c>
          <LocationMatch "/.well-known/acme-challenge/*">
              Header set Content-Type "text/plain"
          </LocationMatch>
         </IfModule>

        <Directory "/srv/www/_webrootauth/.well-known/">
                Order allow,deny
                Allow from all
        </Directory>

Create certificate via webroot (recommended)

cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
   expire on 2016-02-17. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Add certificate to apache

#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...

Create certificate manuell

cd ~/letsencrypt
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld

Make sure your web server displays the following content at
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg

with another shell under /srv/www/xxx/htdocs
umask 022
printf "%s" a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg > .well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY

Press ENTER to continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/tld.com/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Automatic renew certificates

see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal

#renew letsencrypt
2 2 * * *               /root/letsencrypt/letsencrypt-auto  renew -q >> /var/log/le-renew.log

to restart the services to load new certificates use renew_hook


#/etc/letsencrypt/renewal/your.tld.conf
...
[renewalparams]
...
 renew_hook = service postfix reload;service apache2 reload;service dovecot reload
...

Links