freebsd:letsencrypt [2016/02/03 12:21] (current)
====== Letsencrypt ======

We would like to use letsencrypt to get signed certificates for all our domains.
===== Approach with websites offline =====

I did this all from a virtual machine, as I do not want to let the client run with root permissions on my real server.

Everything was executed from an Ubuntu machine running in a virtual machine.
Create two shell scripts that build the certificate signing request with several subjectAltName (SAN) entries in one go, one script per certificate:
<code bash create-crt-for-idefix.fechner.net.sh>
#!/usr/bin/env bash
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:abook.fechner.net,DNS:amp.fechner.net,DNS:atlantis.fechner.net,DNS:caldav.fechner.net,DNS:carddav.fechner.net,DNS:git.fechner.net,DNS:gogs.fechner.net,DNS:idefix.fechner.net,DNS:idisk.fechner.net,DNS:imap.fechner.net,DNS:jenkins.fechner.net,DNS:knx.fechner.net,DNS:mail.fechner.net,DNS:moviesync.fechner.net,DNS:owncloud.fechner.net,DNS:pkg.fechner.net,DNS:safe.fechner.net,DNS:smtp.fechner.net,DNS:video.fechner.net,DNS:webcal.fechner.net,DNS:webmail.fechner.net,DNS:wiki.idefix.fechner.net,DNS:vmail.fechner.net,DNS:zpush.fechner.net")) > domain.csr
</code>
<code bash create-crt-for-fechner.net.sh>
#!/usr/bin/env bash
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:fechner.net,DNS:www.fechner.net,DNS:wirkstoffreich.de,DNS:www.wirkstoffreich.de,DNS:vmail.lostinspace.de,DNS:lostinspace.de,DNS:admin.lostinspace.de,DNS:stats.wirkstoffreich.de,DNS:stats.fechner.net")) > domain.csr
</code>
The scripts use bash process substitution (<(...)), so they must be run with bash, not plain sh, and domain.key (generated below) must exist before you run them.

To sign the certificates I did the following:
<code console>
git clone https://github.com/diafygi/letsencrypt-nosudo.git
cd letsencrypt-nosudo/
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
openssl genrsa 4096 > domain.key

python sign_csr.py --public-key user.pub domain.csr > signed.crt
</code>
In a second terminal, in the same directory, execute the commands the client asks you to run. The script is only given user.pub, so every signing step that needs user.key is done by you, not by the script.

For each domain, you have to start a small Python-based web server on that host so Let's Encrypt can verify that you control it.
Do this when the script asks for it.

Now we install the certificate and key on our server.
Copy the files domain.key and signed.crt to your server and execute the following:
<code console>
cd /etc/mail/certs
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem
</code>

Edit your Apache config to contain:
<code apache /usr/local/etc/apache24/ssl/ssl-template.conf>
SSLCertificateChainFile /etc/mail/certs/chained.pem
SSLCertificateFile /etc/mail/certs/signed.crt
SSLCertificateKeyFile /etc/mail/certs/domain.key
</code>

===== Approach to authenticate domains while websites are online =====
We want to use the existing web server so that the websites do not have to go offline while the domains are authenticated.

<code apache /usr/local/etc/apache24/ssl/letsencrypt.conf>
Alias /.well-known/acme-challenge /usr/local/www/letsencrypt/.well-known/acme-challenge
<Directory /usr/local/www/letsencrypt>
        Require all granted
</Directory>
ProxyPass /.well-known/acme-challenge !
</code>
<note important>Make sure you include this config file before you define other ProxyPass definitions: ProxyPass rules are checked in configuration order and the first match wins, so the "!" exclusion only works if it comes first.</note>

Create the directory:
<code console>
mkdir -p /usr/local/www/letsencrypt
</code>

Install the client:
<code console>
pkg install security/py-letsencrypt
</code>

Create a script:
<code bash create-csr-idefix.fechner.net.sh>
#!/bin/sh
# production endpoint: switch to this line once the staging run below works
#OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos"
OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos --server https://acme-staging.api.letsencrypt.org/directory"
sudo letsencrypt certonly ${OPTIONS} --email spam@fechner.net -d webmail.fechner.net -d idefix.fechner.net -d wiki.idefix.fechner.net -d pkg.fechner.net -d owncloud.fechner.net -d knx.fechner.net -d jenkins.fechner.net -d gogs.fechner.net -d git.fechner.net -d drupal8.fechner.net -d drupal7.fechner.net -d atlantis.fechner.net -d amp.fechner.net -d admin.fechner.net -d abook.fechner.net
</code>
<note tip>
Remove the --server directive from the OPTIONS after you have verified that the run is successful.
</note>
<note warning>
As letsencrypt currently has a heavy rate limit, I recommend requesting all subdomains with one certificate. This is not good for security, but it protects you from the problem that you cannot renew your certificate anymore, which is very bad if you use HSTS.
</note>
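The subjectAltName string in the openssl scripts and the -d list in the letsencrypt script are two hand-maintained copies of the same domain list. The following script is an added example, not part of the original page: it derives both from one list file, rejects malformed names, and checks an assumed per-certificate name limit (MAX_SAN) before the CA does. The list format, the MAX_SAN value and the make_csr helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): derive both the
# subjectAltName string for the openssl CSR and the -d arguments for the
# letsencrypt client from ONE domain list file, so the two scripts on this
# page cannot drift apart. Assumed file format: one hostname per line,
# '#' comments and blank lines allowed. MAX_SAN (default 100) is the assumed
# per-certificate name limit to check against before the CA rejects the request.
MAX_SAN=${MAX_SAN:-100}

# Print cleaned, de-duplicated FQDNs; reject anything that is not a plain hostname.
clean_domains() {  # clean_domains domains.txt
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk '
        NF == 0 || seen[$0]++ { next }
        $0 !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ {
            print "invalid hostname: " $0 > "/dev/stderr"; bad = 1; next }
        { print }
        END { exit bad }'
}

# "DNS:a,DNS:b,..." for the [SAN] section; fails when the list is empty or too long.
san_string() {  # san_string domains.txt
    list=$(clean_domains "$1") || return 1
    printf '%s\n' "$list" | awk -v max="$MAX_SAN" '
        NF { n++; out = (n == 1 ? "" : out ",") "DNS:" $0 }
        END { if (n < 1 || n > max) { print "need 1-" max " names, got " n+0 > "/dev/stderr"; exit 1 }
              print out }'
}

# "-d a -d b ..." for letsencrypt certonly; the first name also names the live/ directory.
certbot_domain_args() {  # certbot_domain_args domains.txt
    list=$(clean_domains "$1") || return 1
    printf '%s\n' "$list" | awk 'NF { printf "%s-d %s", (n++ ? " " : ""), $0 } END { print "" }'
}

# Same CSR as the page's scripts, built from the list file and without bash process
# substitution, so it also runs under FreeBSD's /bin/sh.
make_csr() {  # make_csr domains.txt domain.key domain.csr
    san=$(san_string "$1") || return 1
    cfg=$(mktemp) || return 1
    { cat /etc/ssl/openssl.cnf; printf '[SAN]\nsubjectAltName=%s\n' "$san"; } > "$cfg"
    openssl req -new -sha256 -key "$2" -subj "/" -reqexts SAN -config "$cfg" -out "$3"
    rc=$?; rm -f "$cfg"; return $rc
}
```

With a file domains.txt in place, `make_csr domains.txt domain.key domain.csr` replaces the two create-crt scripts and `letsencrypt certonly ${OPTIONS} $(certbot_domain_args domains.txt)` replaces the hand-written -d list.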

<code apache /usr/local/etc/apache24/ssl/ssl-template.conf>
SSLEngine on
<IfModule http2_module>
    Protocols h2 http/1.1
</IfModule>

SSLCertificateFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/privkey.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</code>

<code apache /usr/local/etc/apache24/Includes/mydomain.de.conf>
Define SSLCertDomain mydomain.de
Include etc/apache24/ssl/letsencrypt.conf
Include etc/apache24/ssl/ssl-template.conf
</code>
<note tip>
Make sure you define SSLCertDomain as the primary domain for which you requested the certificate (normally the first -d domain you passed to the letsencrypt script; it is the name of the live/ directory).
</note>
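Before reloading Apache with either configuration, it is worth checking that key, certificate and chain file actually belong together and that the certificate is not about to expire. The following check is an added example, not from the wiki page or the letsencrypt client; it assumes PEM files and an openssl binary on the path, and MIN_DAYS is an assumed threshold.

```shell
#!/bin/sh
# Added example (not part of the wiki page): sanity-check a deployed certificate
# set before reloading Apache. Verifies that the private key belongs to the
# certificate, that the chain file starts with the server certificate (Apache
# sends that one first), that it is valid for at least MIN_DAYS more days, and
# optionally that a hostname is in the subjectAltName list. Use it with
# signed.crt/domain.key/chained.pem from the first approach, or with the client's
# live/<domain>/fullchain.pem (leaf first) as both cert and chain plus privkey.pem.
MIN_DAYS=${MIN_DAYS:-14}

# Compare public keys; unlike a modulus comparison this also works for EC keys.
key_matches_cert() {  # cert key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# openssl x509 only reads the first PEM block, which is what Apache sends first.
chain_starts_with_cert() {  # cert chain
    [ "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" ]
}

# -checkend succeeds only if the certificate is still valid that many seconds from now.
cert_valid_for_days() {  # cert days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exact match against the DNS: entries of the SAN extension (no wildcard logic).
cert_covers_host() {  # cert host
    openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qx "$2"
}

check_cert_deploy() {  # cert key chain [host]
    key_matches_cert "$1" "$2" || { echo "$2 does not match $1" >&2; return 1; }
    chain_starts_with_cert "$1" "$3" || { echo "$3 does not start with $1" >&2; return 1; }
    cert_valid_for_days "$1" "$MIN_DAYS" || { echo "$1 expires within $MIN_DAYS days" >&2; return 1; }
    if [ -n "$4" ]; then
        cert_covers_host "$1" "$4" || { echo "$4 is not in the SAN list of $1" >&2; return 1; }
    fi
    echo "ok: $1 matches $2, $3 starts with it, valid for more than $MIN_DAYS days"
}
```

For the first approach run `check_cert_deploy /etc/mail/certs/signed.crt /etc/mail/certs/domain.key /etc/mail/certs/chained.pem mail.fechner.net` before reloading apache24; for the client's files pass fullchain.pem as both the cert and the chain argument.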
freebsd/letsencrypt.txt · Last modified: 2016/02/03 12:21 (external edit)