====Let's encrypt====
====With a basic script====
To generate a certificate, use the following script (Debian). Run it as root and pass the domain name as its only argument:
<code bash>
script.sh mydomain.com
</code>
<code bash>
#!/bin/bash
# Usage: script.sh mydomain.com  (run as root; needs bash for the process substitution below)
set -euo pipefail
DOMAIN="$1"

# One-time setup: acme-tiny client and the ACME account key.
# Guarded so that running the script again for another domain does not overwrite them.
[ -f /usr/local/bin/acme_tiny.py ] || wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O /usr/local/bin/acme_tiny.py
mkdir -p /etc/letsencrypt
chown root:ssl-cert /etc/letsencrypt
chmod 750 /etc/letsencrypt
[ -f /etc/letsencrypt/letsencrypt.key ] || openssl genrsa -out /etc/letsencrypt/letsencrypt.key 4096

# Per-domain private key, CSR and challenge directory.
mkdir -p "/etc/letsencrypt/$DOMAIN"
cd "/etc/letsencrypt/$DOMAIN"
mkdir -p "/home/$DOMAIN/challenges"
[ -f "$DOMAIN.key" ] || openssl genrsa -out "$DOMAIN.key" 4096
# CSR carrying the domain in subjectAltName; the subject is left empty because the CA only uses the SAN list.
openssl req -new -sha256 -key "$DOMAIN.key" -subj "/" -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:%s" "$DOMAIN")) > "$DOMAIN.csr"

# Request the certificate; acme-tiny writes the HTTP-01 challenge files into --acme-dir.
python /usr/local/bin/acme_tiny.py --account-key /etc/letsencrypt/letsencrypt.key \
    --csr "/etc/letsencrypt/$DOMAIN/$DOMAIN.csr" --acme-dir "/home/$DOMAIN/challenges/" > "/etc/letsencrypt/$DOMAIN.crt"
</code>
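The script above builds a CSR for a single name. The helper below is an added example (not from the original page or from acme-tiny) that generalises that step to several names in one CSR, the way the certbot command further down accepts several ''-d'' options. It writes a small, self-contained OpenSSL config to a temporary file instead of relying on bash process substitution and ''/etc/ssl/openssl.cnf'', so it also runs under plain sh. The function names ''make_san_csr'' and ''csr_sans'' are this example's own; the second one lets you inspect which names a CSR actually carries before sending it to the CA.

```shell
#!/bin/sh
# Added example, not part of the original page: multi-name (SAN) CSR builder.
set -eu

# make_san_csr KEY OUT NAME [NAME...]
# Writes a CSR signed with KEY to OUT, listing every NAME as a DNS entry in
# subjectAltName. The first name is also used as CN; the CA only looks at the SAN list.
make_san_csr() {
    key="$1"; out="$2"; shift 2
    [ $# -ge 1 ] || { echo "make_san_csr: at least one name required" >&2; return 1; }
    first="$1"
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    cfg="$(mktemp)"
    # Minimal config constructed here (does not read /etc/ssl/openssl.cnf).
    printf '[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName = %s\n' "$san" > "$cfg"
    openssl req -new -sha256 -key "$key" -subj "/CN=$first" \
        -reqexts SAN -config "$cfg" -out "$out"
    rm -f "$cfg"
}

# csr_sans CSR
# Prints the DNS names found in the CSR's subjectAltName, space-separated.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: ./san-csr.sh domain.key domain.csr example.org www.example.org
if [ $# -ge 3 ]; then
    make_san_csr "$@"
    echo "SANs in $2: $(csr_sans "$2")"
fi
```

Every name listed must resolve to the host that serves the challenge directory, otherwise the CA's HTTP-01 check for that name fails and the whole order is rejected.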
Make sure the challenge files are reachable over plain HTTP: the web server must serve the directory given to ''--acme-dir'' under ''/.well-known/acme-challenge/'' on the domain being validated. The configurations below alias ''/srv/www/acme-challenges''; with the script above the challenge files are written to ''/home/<domain>/challenges'', so either point the alias at that directory or pass ''/srv/www/acme-challenges'' to the script.

Apache2 configuration:
<code apache>
Alias /.well-known/acme-challenge /srv/www/acme-challenges
<Directory /srv/www/acme-challenges>
    Options -Indexes
    AllowOverride all
    Require all granted
</Directory>
</code>
nginx configuration:
<code nginx>
server {
    server_name www.sysnove.fr;
    …
    location /.well-known/acme-challenge {
        alias /srv/www/acme-challenges/;
        try_files $uri =404;
    }
}
</code>
Then run the script from the beginning of this article: ''script.sh domain-name''.
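Let's Encrypt certificates are short-lived, so the script above has to be re-run before expiry. The following renewal helper is an added example, not part of the original page or of acme-tiny: it checks how long the current certificate is still valid, verifies that a test file dropped into the challenge directory is really served at the ACME path (the failure mode the paragraph above warns about), and only then calls acme-tiny, writing to a temporary file so a failed run never truncates the live certificate. The paths are taken from the script above (account key ''/etc/letsencrypt/letsencrypt.key'', CSR ''/etc/letsencrypt/<domain>/<domain>.csr'', certificate ''/etc/letsencrypt/<domain>.crt'', challenges in ''/home/<domain>/challenges/''); the function names and the 30-day window are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page: renewal helper for the acme-tiny layout above.
set -eu

# cert_needs_renewal CRT [DAYS]
# Returns 0 when CRT is missing or expires within DAYS (default 30), 1 when it is still good.
cert_needs_renewal() {
    crt="$1"; days="${2:-30}"
    [ -f "$crt" ] || return 0          # no certificate yet: needs issuance
    if openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1                       # still valid beyond the window
    fi
    return 0
}

# challenge_path_ok DOMAIN DIR
# Drops a throw-away token into DIR and fetches it over plain HTTP at the ACME path;
# succeeds only if the web server hands back exactly that token.
challenge_path_ok() {
    domain="$1"; dir="$2"
    token="check-$(date +%s)-$$"
    echo "$token" > "$dir/$token"
    body="$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)"
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# renew_domain DOMAIN
# Renews only when needed, after the pre-flight check, and reloads the web server.
renew_domain() {
    domain="$1"
    crt="/etc/letsencrypt/$domain.crt"
    if ! cert_needs_renewal "$crt" 30; then
        echo "$domain: more than 30 days left, nothing to do"
        return 0
    fi
    if ! challenge_path_ok "$domain" "/home/$domain/challenges"; then
        echo "$domain: challenge path is not served over HTTP, aborting" >&2
        return 1
    fi
    python /usr/local/bin/acme_tiny.py \
        --account-key /etc/letsencrypt/letsencrypt.key \
        --csr "/etc/letsencrypt/$domain/$domain.csr" \
        --acme-dir "/home/$domain/challenges/" > "$crt.new"
    mv "$crt.new" "$crt"
    # Reload whichever web server is installed so it picks up the new file.
    systemctl reload apache2 2>/dev/null || systemctl reload nginx
}

# Usage: ./renew.sh mydomain.com  (e.g. from a daily cron job)
if [ $# -ge 1 ]; then
    renew_domain "$1"
fi
```

Run it daily from cron; because it exits early while more than 30 days remain, it is cheap to run often and still leaves time to notice a failure before the certificate actually expires.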
====With certbot====
<code bash>
/root/certbot-auto certonly --webroot --email wleberre@exemple.com -d sso.exemple1.com -w /var/www/html/ -d domain.exemple1.com -d domaine2.exemple1.com -q --expand
</code>
====Integration into:====
===apache===
The file names below are the ones certbot produces (cert.pem, chain.pem, privkey.pem); with the acme-tiny script from the first section, point SSLCertificateFile at ''/etc/letsencrypt/<domain>.crt'' and SSLCertificateKeyFile at ''/etc/letsencrypt/<domain>/<domain>.key'' instead.
<code apache>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/cert.pem
SSLCertificateChainFile /etc/letsencrypt/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</code>
===nginx===
<code nginx>
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
</code>
{{tag> certificat letsencrypt ssl https }}