We would like to use letsencrypt to get signed certificates for all our domains.
I did all of this from a virtual machine, as I do not want to let the client run with root permissions on my real server.
Everything was executed from an Ubuntu machine running in a virtual machine. Two shell scripts create the certificate signing requests, each with several subjectAltName (SAN) entries:
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:abook.fechner.net,DNS:amp.fechner.net,DNS:atlantis.fechner.net,DNS:caldav.fechner.net,DNS:carddav.fechner.net,DNS:git.fechner.net,DNS:gogs.fechner.net,DNS:idefix.fechner.net,DNS:idisk.fechner.net,DNS:imap.fechner.net,DNS:jenkins.fechner.net,DNS:knx.fechner.net,DNS:mail.fechner.net,DNS:moviesync.fechner.net,DNS:owncloud.fechner.net,DNS:pkg.fechner.net,DNS:safe.fechner.net,DNS:smtp.fechner.net,DNS:video.fechner.net,DNS:webcal.fechner.net,DNS:webmail.fechner.net,DNS:wiki.idefix.fechner.net,DNS:vmail.fechner.net,DNS:zpush.fechner.net")) > domain.csr
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:fechner.net,DNS:www.fechner.net,DNS:wirkstoffreich.de,DNS:www.wirkstoffreich.de,DNS:vmail.lostinspace.de,DNS:lostinspace.de,DNS:admin.lostinspace.de,DNS:stats.wirkstoffreich.de,DNS:stats.fechner.net")) > domain.csr
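The two commands above hard-code the host list and rely on bash process substitution. As an added example (not part of the original page), the script below generalizes them: it takes the host names as arguments, builds the [SAN] section with san_config, and feeds it to openssl through a temporary file so it also runs under plain sh. The key path, CSR path and the location of the base openssl.cnf are parameters; the file names and OPENSSL_CONF_BASE variable are this example's own choices, not anything the page defines.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName lists every host given on the command line.
# Usage: ./make-san-csr.sh domain.key domain.csr host1 host2 ...
OPENSSL_CONF_BASE=${OPENSSL_CONF_BASE:-/etc/ssl/openssl.cnf}   # assumed location of the stock config

# Emit the [SAN] section openssl needs; one DNS: entry per argument, comma separated.
san_config() {
    list=""
    for host in "$@"; do
        if [ -z "$list" ]; then list="DNS:$host"; else list="$list,DNS:$host"; fi
    done
    printf '[SAN]\nsubjectAltName=%s\n' "$list"
}

# Generate the key if it is missing, then the CSR with an empty subject (Let's Encrypt
# only looks at the SAN list) and print the SAN extension back for a visual check.
make_san_csr() {
    key=$1; csr=$2; shift 2
    [ $# -gt 0 ] || { echo "no host names given" >&2; return 1; }
    [ -s "$key" ] || openssl genrsa -out "$key" 4096
    conf=$(mktemp) || return 1
    { cat "$OPENSSL_CONF_BASE"; san_config "$@"; } > "$conf"
    openssl req -new -sha256 -key "$key" -subj "/" -reqexts SAN -config "$conf" -out "$csr"
    rc=$?
    rm -f "$conf"
    [ $rc -eq 0 ] || return $rc
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

if [ $# -gt 2 ]; then make_san_csr "$@"; fi
```

The final grep is the check worth keeping: a CSR that silently lost its SAN list (for example because the -reqexts section name did not match) is the most common reason a multi-host request comes back with a single name.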
To sign the certificates I did the following:
git clone https://github.com/diafygi/letsencrypt-nosudo.git
cd letsencrypt-nosudo/
# account key pair; only the public half is ever given to the signing script
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
# certificate key; it must exist before the CSR above is generated
openssl genrsa 4096 > domain.key
python sign_csr.py --public-key user.pub domain.csr > signed.crt
In a second terminal, execute the commands the client asks you to run, in the same directory.
For each domain you have to start a small Python-based web server on that host so the CA can verify you control it. Do this when the script asks for it.
Now we install the certificate and key on our server. Copy the files domain.key and signed.crt to your server and execute the following:
cd /etc/mail/certs
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem
Edit your Apache config to contain:
SSLCertificateChainFile /etc/mail/certs/chained.pem
SSLCertificateFile /etc/mail/certs/signed.crt
SSLCertificateKeyFile /etc/mail/certs/domain.key
We want to use the existing web server so the websites do not go offline while the domains are being authenticated. Add to the Apache config:
Alias /.well-known/acme-challenge /usr/local/www/letsencrypt/.well-known/acme-challenge
<Directory /usr/local/www/letsencrypt>
    Require all granted
</Directory>
ProxyPass /.well-known/acme-challenge !
Create the directory:
mkdir -p /usr/local/www/letsencrypt
Install the client:
pkg install security/py-letsencrypt
Create a script:
#OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos"
# the active line points at the staging CA: certificates it issues are not trusted by browsers, so switch to the commented line for production
OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos --server https://acme-staging.api.letsencrypt.org/directory"
sudo letsencrypt certonly ${OPTIONS} --email spam@fechner.net \
    -d webmail.fechner.net -d idefix.fechner.net -d wiki.idefix.fechner.net -d pkg.fechner.net \
    -d owncloud.fechner.net -d knx.fechner.net -d jenkins.fechner.net -d gogs.fechner.net \
    -d git.fechner.net -d drupal8.fechner.net -d drupal7.fechner.net -d atlantis.fechner.net \
    -d amp.fechner.net -d admin.fechner.net -d abook.fechner.net
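Before pointing the client at the production CA it is worth confirming that the Alias and the ProxyPass exclusion above really serve files out of the webroot, because every failed authorization counts against the Let's Encrypt rate limits. The script below is an added example, not part of the page: it writes a throw-away token into the acme-challenge directory, fetches it over plain HTTP through the running Apache for each domain, and reports which hosts answer correctly. The WEBROOT variable and the function names are this example's own; it assumes curl is installed on the machine it runs from.

```shell
#!/bin/sh
# Added example: pre-flight check of the webroot challenge path for one or more domains.
# Usage: ./preflight-acme.sh host1 host2 ...   (run on the web server itself)
WEBROOT=${WEBROOT:-/usr/local/www/letsencrypt}   # same path as the Alias above

# Where a token is stored on disk, and where the CA will ask for it.
challenge_file() { printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }
challenge_url()  { printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }

# Returns 0 when a freshly written token is served back verbatim for the given host.
preflight_challenge() {
    domain=$1
    token=preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    file=$(challenge_file "$WEBROOT" "$token")
    printf '%s\n' "$token" > "$file"
    # -f turns HTTP errors into a non-zero exit; || true keeps the script going so we can clean up
    got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null || true)
    rm -f "$file"
    [ "$got" = "$token" ]
}

# Check every host and exit non-zero if any of them fails, so the result can gate the real run.
check_all() {
    rc=0
    for d in "$@"; do
        if preflight_challenge "$d"; then echo "ok   $d"; else echo "FAIL $d"; rc=1; fi
    done
    return $rc
}

if [ $# -gt 0 ]; then check_all "$@"; fi
```

A FAIL for a single host usually means that vhost is missing the Alias or still proxies /.well-known/acme-challenge to a backend; a FAIL for every host points at the Directory block or at the webroot path differing from --webroot-path.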
SSLEngine on
<IfModule http2_module>
    Protocols h2 http/1.1
</IfModule>
SSLCertificateFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/privkey.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
# per virtual host: set the certificate name, then include the shared templates
Define SSLCertDomain mydomain.de
Include etc/apache24/ssl/letsencrypt.conf
Include etc/apache24/ssl/ssl-template.conf