Benutzer-Werkzeuge
freebsd:letsencrypt
Inhaltsverzeichnis
Letsencrypt
We would like to use letsencrypt to get signed certificates for all our domains.
Approach with websites offline
I did this all from a virtual machine, as I do not want to let the client running with root permissions on my real server.
Everything was executed from an ubuntu machine running in a virtual machine. Create two shell scripts to get the certificate request simply created for several ALT entries:
- create-crt-for-idefix.fechner.net.sh
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:abook.fechner.net,DNS:amp.fechner.net,DNS:atlantis.fechner.net,DNS:caldav.fechner.net,DNS:carddav.fechner.net,DNS:git.fechner.net,DNS:gogs.fechner.net,DNS:idefix.fechner.net,DNS:idisk.fechner.net,DNS:imap.fechner.net,DNS:jenkins.fechner.net,DNS:knx.fechner.net,DNS:mail.fechner.net,DNS:moviesync.fechner.net,DNS:owncloud.fechner.net,DNS:pkg.fechner.net,DNS:safe.fechner.net,DNS:smtp.fechner.net,DNS:video.fechner.net,DNS:webcal.fechner.net,DNS:webmail.fechner.net,DNS:wiki.idefix.fechner.net,DNS:vmail.fechner.net,DNS:zpush.fechner.net")) > domain.csr
- create-crt-for-fechner.net.sh
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:fechner.net,DNS:www.fechner.net,DNS:wirkstoffreich.de,DNS:www.wirkstoffreich.de,DNS:vmail.lostinspace.de,DNS:lostinspace.de,DNS:admin.lostinspace.de,DNS:stats.wirkstoffreich.de,DNS:stats.fechner.net")) > domain.csr
To sign the certificates I did the following:
git clone https://github.com/diafygi/letsencrypt-nosudo.git cd letsencrypt-nosudo/ openssl genrsa 4096 > user.key openssl rsa -in user.key -pubout > user.pub openssl genrsa 4096 > domain.key python sign_csr.py --public-key user.pub domain.csr > signed.crt
Execute on the second terminal the commands the client asks you in the same directory.
You have to start a small python based webserver on the domain for each domain to verify you are the owner. Do this as the script is requesting it.
Now we install the certificate and key on our server. Copy the file domain.key and signed.crt to you server and execute the following:
cd /etc/mail/certs wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem
Edit you apache config to have:
- /usr/local/etc/apache24/ssl/ssl-template.conf
SSLCertificateChainFile /etc/mail/certs/chained.pem SSLCertificateFile /etc/mail/certs/signed.crt SSLCertificateKeyFile /etc/mail/certs/domain.key
Approach to authenticate domains while websites are online
We want to use the existing webserver to not make websites offline while authenticate the domains.
- /usr/local/etc/apache24/ssl/letsencrypt.conf
Alias /.well-known/acme-challenge /usr/local/www/letsencrypt/.well-known/acme-challenge <Directory /usr/local/www/letsencrypt> Require all granted </Directory> ProxyPass /.well-known/acme-challenge !
Make sure you include this config file before you define other ProxyPass definitions.
Create the directory:
mkdir -p /usr/local/www/letsencrypt
Install the client:
pkg install security/py-letsencrypt
Create a script:
- create-csr-idefix.fechner.net.sh
#OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos" OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos --server https://acme-staging.api.letsencrypt.org/directory" sudo letsencrypt certonly ${OPTIONS} --email spam@fechner.net -d webmail.fechner.net -d idefix.fechner.net -d wiki.idefix.fechner.net -d pkg.fechner.net -d owncloud.fechner.net -d knx.fechner.net -d jenkins.fechner.net -d gogs.fechner.net -d git.fechner.net -d drupal8.fechner.net -d drupal7.fechner.net -d atlantis.fechner.net -d amp.fechner.net -d admin.fechner.net -d abook.fechner.net
Remove the –server directive from the OPTIONS after you have verified the run is successfull.
As letsencrypt has currently a heavy rate limit I recommend to request all sub domains with one certificate. This is not good for security but protects you from the problem that you cannot renew your certificate anymore and this is very bad if you use HSTS.
- /usr/local/etc/apache24/ssl/ssl-template.conf
SSLEngine on <IfModule http2_module> Protocols h2 http/1.1 </IfModule> SSLCertificateFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/fullchain.pem SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/privkey.pem <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/usr/local/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
- /usr/local/etc/apache24/Includes/mydomain.de.conf
Define SSLCertDomain mydomain.de Include etc/apache24/ssl/letsencrypt.conf Include etc/apache24/ssl/ssl-template.conf
Make sure you define the SSLCertDomain for the master domain you requested the certificate (it is normally the first domain you run the letsencrypt script).
freebsd/letsencrypt.txt · Zuletzt geändert: 2016/02/03 12:21 (Externe Bearbeitung)
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial 4.0 International
