====Let's Encrypt====

====With a basic script====

To generate a certificate, use the following script (Debian). Call it as: ''script.sh mondomain.com''

<code bash>
#!/bin/bash
# Usage: script.sh mondomain.com
# Requests a Let's Encrypt certificate for $1 with acme-tiny (Debian).
set -eu
DOMAIN="$1"

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O /usr/local/bin/acme_tiny.py

# Restricted directory holding the ACME account key (shared by all domains);
# the key is only generated once so that re-running the script for another
# domain does not replace the account
mkdir -p /etc/letsencrypt
chown root:ssl-cert /etc/letsencrypt
chmod 750 /etc/letsencrypt
[ -f /etc/letsencrypt/letsencrypt.key ] || openssl genrsa -out /etc/letsencrypt/letsencrypt.key 4096

mkdir -p "/etc/letsencrypt/$DOMAIN"
cd "/etc/letsencrypt/$DOMAIN"

# Directory into which acme-tiny writes the challenge files. The web server
# must serve exactly this directory under /.well-known/acme-challenge/
# (the Apache/nginx examples below alias /srv/www/acme-challenges: either
# point the alias here or change this path)
ACME_DIR="/home/$DOMAIN/challenges"
mkdir -p "$ACME_DIR"

# Private key for the domain
openssl genrsa -out "$DOMAIN.key" 4096

# CSR. A plain CN-only CSR would be:
#   openssl req -new -sha256 -key "$DOMAIN.key" -subj "/CN=$DOMAIN" -out "$DOMAIN.csr"
# The version used here carries the domain as a subjectAltName instead
# (process substitution, hence bash)
openssl req -new -sha256 -key "$DOMAIN.key" -subj "/" -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:%s" "$DOMAIN")) \
    -out "$DOMAIN.csr"

# ACME exchange: the signed certificate goes to /etc/letsencrypt/$DOMAIN.crt
python /usr/local/bin/acme_tiny.py --account-key /etc/letsencrypt/letsencrypt.key \
    --csr "/etc/letsencrypt/$DOMAIN/$DOMAIN.csr" --acme-dir "$ACME_DIR/" \
    > "/etc/letsencrypt/$DOMAIN.crt"
</code>

Make sure the challenge is reachable for the domain: the DNS name must resolve to this server and the challenge directory must be served over HTTP under ''/.well-known/acme-challenge/''.

Apache2 configuration:

<code apache>
Alias /.well-known/acme-challenge /srv/www/acme-challenges
<Directory /srv/www/acme-challenges>
    Options -Indexes
    AllowOverride all
    Require all granted
</Directory>
</code>

nginx configuration:

<code nginx>
server {
    server_name www.sysnove.fr;
    …
    location /.well-known/acme-challenge {
        alias /srv/www/acme-challenges/;
        try_files $uri =404;
    }
}
</code>

Then run the script from the beginning of this article: ''script.sh domain-name''

====With certbot====

<code bash>
/root/certbot-auto certonly --webroot --email wleberre@exemple.com -d sso.exemple1.com -w /var/www/html/ -d domain.exemple1.com -d domaine2.exemple1.com -q --expand
</code>

====Integration into:====

===apache===

<code apache>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/cert.pem
SSLCertificateChainFile /etc/letsencrypt/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</code>

===nginx===

<code nginx>
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
</code>

{{tag> certificat letsencrypt ssl https }}
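Pre-flight check for the challenge directory used by the script above, added here as an example (it is not part of the original page or of acme-tiny): it drops a throw-away token into the challenge directory and fetches it back over plain HTTP at ''/.well-known/acme-challenge/'', which is what the Let's Encrypt validator requests, so a wrong Alias, vhost or HTTPS redirect shows up before the real issuance is attempted. The ''check_challenge'' function and the overridable ''FETCH'' variable are this example's own assumptions.

```bash
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path used by acme_tiny.py:
# write a throw-away token into the challenge directory, then fetch it back
# over plain HTTP at http://<domain>/.well-known/acme-challenge/<token>,
# which is exactly what the Let's Encrypt validation server will request.
# Assumption (not from the page): FETCH defaults to curl and may be
# overridden, e.g. by a local stub in a test.
set -u

FETCH="${FETCH:-curl -fsS --max-time 10}"

# check_challenge DOMAIN ACME_DIR
#   0: the token is served back unchanged
#   1: ACME_DIR is not writable (acme_tiny.py would fail the same way)
#   2: nothing or something else came back (DNS, vhost, Alias or redirect issue)
check_challenge() {
    domain="$1"
    acme_dir="$2"
    token="preflight-$(date +%s)-$$"
    if ! printf '%s' "$token" > "$acme_dir/$token" 2>/dev/null; then
        echo "cannot write to $acme_dir" >&2
        return 1
    fi
    body=$($FETCH "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$acme_dir/$token"          # never leave the token lying around
    if [ "$rc" -ne 0 ] || [ "$body" != "$token" ]; then
        echo "challenge for $domain not served correctly (got: '${body:-<nothing>}')" >&2
        return 2
    fi
    echo "challenge path for $domain OK"
    return 0
}

# Usage: check_challenge.sh mondomain.com /home/mondomain.com/challenges
if [ $# -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

Run it as the same user that will run acme_tiny.py, so that the writability check reflects the real run.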