~~NOTOC~~
===== Using certbot to obtain an HTTPS certificate from Let's Encrypt =====
A step-by-step guide, using boisvert.info as the example domain.
Commands to run on a laptop:
sebhtml@prometheus:~$ xyz
Commands to run on the server as root (in my case boisvert.info, a VPS (Virtual Private Server) at OVH):
root@vps217173:~# xyz
==== 01. Check that nginx is running ====
root@vps217173:~# systemctl|grep nginx
nginx.service loaded active running A high performance web server and a reverse proxy server
==== 02. Check the operating system ====
root@vps217173:~# lsb_release -a 2>/dev/null|grep Desc
Description: Debian GNU/Linux 9.9 (stretch)
==== 03. Go to https://certbot.eff.org/ ====
sebhtml@prometheus:~$ firefox https://certbot.eff.org/
and choose I'm using "Nginx" on "Debian 9 (stretch)"
==== 04. Add stretch-backports ====
root@vps217173:~# echo "deb http://deb.debian.org/debian stretch-backports main" \
> /etc/apt/sources.list.d/stretch-backports.list
Fetch Debian's GPG signing key (useful for Yunohost, among others). A stock Debian 9 already trusts the keys that sign stretch-backports through the debian-archive-keyring package, so this is only needed for other repositories; in either case, compare the fingerprint gpg prints with the one published at https://ftp-master.debian.org/keys.html before feeding the key to apt-key, since a key fetched by ID from a keyserver is not authenticated by itself.
root@vps217173:~# gpg --keyserver http://keys.gnupg.net --recv-key 7638D0442B90D010
root@vps217173:~# gpg -a --export 7638D0442B90D010 | apt-key add -
root@vps217173:~# apt update
==== 05. Install the packages certbot recommends ====
root@vps217173:~# apt-get install \
certbot python-certbot-nginx -t stretch-backports
==== 06. Install the certbot DNS plugin ====
This rfc2136 plugin automates the dns-01 challenge against a name server that accepts TSIG-signed dynamic updates (RFC 2136). It is not used in the steps below, where the TXT record is added by hand in the GoDaddy zone; it is installed here for later use.
root@vps217173:~# apt install -y python3-certbot-dns-rfc2136 \
-t stretch-backports
==== 07. Request the certificate with certbot ====
Note: with --manual and no --manual-auth-hook, certbot cannot complete the dns-01 challenge by itself, so the "certbot renew" suggested in the output of step 12 will not renew this certificate unattended; every renewal has to be done interactively like this, or scripted with --manual-auth-hook or a DNS plugin (the rfc2136 one from step 06 only helps if the zone accepts signed dynamic updates). --eff-email shares the contact address with the EFF; drop it if you do not want that.
root@vps217173:~# certbot certonly \
--preferred-challenges dns --manual -m seb@boisvert.info \
--agree-tos --eff-email -d boisvert.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for boisvert.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
==== 08. DNS configuration ====
After answering Yes, a TXT record has to be added to the DNS zone:
root@vps217173:~# (continuation of the certbot command)
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.boisvert.info with the following value:
YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
==== 09. Find out which name servers are authoritative for the domain ====
sebhtml@prometheus:~$ sudo apt install dnsutils
sebhtml@prometheus:~$ dig boisvert.info SOA|grep -A1 "ANSWER SECTION"
;; ANSWER SECTION:
boisvert.info. 3575 IN SOA ns39.domaincontrol.com. dns.jomax.net. 2019050104 28800 7200 604800 600
==== 10. On GoDaddy (DNS), add the record ====
In my own DNS zone at GoDaddy (in Firefox). The value is the token certbot printed in step 08; it changes on every run, so copy it from your own certbot output, never from this page:
Type: TXT
Host: _acme-challenge
TXT Value: YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
TTL (Time to Live): 1 hour
==== 11. Wait 5 minutes and check the DNS ====
To give the record time to reach all of the zone's authoritative name servers. Note that a plain dig like the one below goes through the local resolver, whose cached answer can lag behind (or differ from) what the authoritative servers, and therefore Let's Encrypt, see; checking each authoritative server directly is the reliable test.
root@vps217173:~# sleep $((5 * 60))
sebhtml@prometheus:~$ dig _acme-challenge.boisvert.info TXT | grep -A1 "ANSWER SECTION"
;; ANSWER SECTION:
_acme-challenge.boisvert.info. 905 IN TXT "YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"
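Instead of a fixed five-minute sleep, the check below asks every authoritative name server of the zone directly for the _acme-challenge TXT record and only returns once all of them serve the token certbot printed. This is an added example, not part of the original page; it assumes dig from dnsutils is installed, and the domain and token on the usage line are the ones from steps 08 and 09.

```shell
#!/bin/sh
# Added example (not from the original page): poll the authoritative name
# servers for the dns-01 TXT record instead of sleeping a fixed time.
# Assumes dig(1) from the dnsutils package.
set -eu

# 0 if the expected token ($1) is one of the TXT strings read from stdin,
# in the `dig +short ... TXT` format (one double-quoted string per line).
# Stale values left over from earlier runs do not matter: the CA only needs
# one of the TXT records to match.
txt_contains() {
    expected=$1
    while IFS= read -r line; do
        value=${line#\"}
        value=${value%\"}
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# 0 only when every authoritative name server for $1 returns token $2.
# Querying @ns bypasses the local resolver's cache, which is all that a
# plain `dig` (and a premature "Press Enter") would otherwise trust.
challenge_visible_everywhere() {
    domain=$1 token=$2 ok=0 total=0
    for ns in $(dig +short NS "$domain"); do
        total=$((total + 1))
        if dig +short @"$ns" "_acme-challenge.$domain" TXT | txt_contains "$token"; then
            ok=$((ok + 1))
        else
            echo "$ns: token not visible yet" >&2
        fi
    done
    [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}

# Poll until the record is visible everywhere, or $3 seconds (default 600) pass.
wait_for_challenge() {
    deadline=$(( $(date +%s) + ${3:-600} ))
    until challenge_visible_everywhere "$1" "$2"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timed out waiting for _acme-challenge.$1" >&2
            return 1
        fi
        sleep 15
    done
    echo "_acme-challenge.$1 is served by all authoritative name servers"
}

# Usage: sh check-challenge.sh boisvert.info YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
if [ $# -ge 2 ]; then
    wait_for_challenge "$@"
fi
```

Run it from the laptop while certbot is waiting on the server; once it prints that all authoritative servers serve the token, press Enter in certbot. If one GoDaddy server lags behind the others, the script keeps waiting rather than letting the challenge fail on a partial answer.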
==== 12. Press Enter ====
root@vps217173:~# (continuation of the certbot command)
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/boisvert.info/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/boisvert.info/privkey.pem
Your cert will expire on 2019-08-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
==== 13. List the Let's Encrypt certificates ====
root@vps217173:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: boisvert.info
Domains: boisvert.info
Expiry Date: 2019-08-02 21:57:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/boisvert.info/fullchain.pem
Private Key Path: /etc/letsencrypt/live/boisvert.info/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
==== 14. Add the certificate configuration to nginx ====
Add the following to the "server {" block of /etc/nginx/sites-available/default. The ssl parameter on the listen line is what enables TLS; do not also add "ssl on;", which is obsolete since nginx 1.15.0 and, in a block that also contains "listen 80", makes nginx expect TLS on the plain-HTTP socket as well:
# Let's Encrypt configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/boisvert.info/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/boisvert.info/privkey.pem;
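The script below shows the same server block in a hardened form (HTTP-to-HTTPS redirect, pinned TLS versions, HSTS) next to a small lint that flags the two mistakes that are easy to make in this step: the obsolete "ssl on;" and a TLS server block with no ssl_protocols line, which on older nginx leaves TLSv1.0 and TLSv1.1 enabled. This is an added example, not configuration from the original page; the certificate paths and host name are the ones used on this page, while the protocol, HSTS and redirect choices are mine.

```shell
#!/bin/sh
# Added example (not from the original page): hardened nginx TLS server
# block for this host, plus a lint for the common step-14 mistakes.
# Paths/host are those of this page; the TLS settings are my choices.
set -eu

# Hardened configuration. `listen 443 ssl` already enables TLS, so there is
# no `ssl on;`. ssl_protocols lists TLSv1.2 only because the page's nginx
# 1.10.3 rejects TLSv1.3 (needs nginx >= 1.13 built against OpenSSL 1.1.1).
hardened_conf() {
cat <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name boisvert.info;
    # Plain HTTP only redirects. This page uses dns-01, so no ACME
    # http-01 location is needed here.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name boisvert.info;

    # Let's Encrypt configuration
    ssl_certificate     /etc/letsencrypt/live/boisvert.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/boisvert.info/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/html;
    index index.html;
}
EOF
}

# Lint an nginx config file. Returns 0 when neither problem is present:
#  - `ssl on;` (obsolete; breaks plain HTTP in a block that also listens on 80)
#  - a `listen ... ssl` block without an explicit ssl_protocols directive
lint_tls_conf() {
    rc=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "$1: 'ssl on;' is obsolete; rely on 'listen 443 ssl' alone" >&2
        rc=1
    fi
    if grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:]]|;)' "$1" \
       && ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$1"; then
        echo "$1: TLS server without ssl_protocols (older nginx defaults allow TLSv1.0/1.1)" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh nginx-tls-lint.sh /etc/nginx/sites-available/default [more files]
#        sh nginx-tls-lint.sh --print   (emit the hardened block)
if [ "${1:-}" = "--print" ]; then
    hardened_conf
else
    for f in "$@"; do
        lint_tls_conf "$f"
    done
fi
```

Run the lint on the edited file before step 15, together with "nginx -t": nginx -t catches syntax errors but accepts both of the problems the lint looks for, and "ssl on;" only shows up later as "400 The plain HTTP request was sent to HTTPS port" on http://boisvert.info/.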
==== 15. Restart nginx (with systemd's systemctl) ====
root@vps217173:~# systemctl restart nginx.service
==== 16. Check that the server is listening on TCP port 443 (HTTPS) ====
sebhtml@prometheus:~$ sudo apt install nmap
sebhtml@prometheus:~$ nmap boisvert.info -p 443
Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-04 19:17 EDT
Nmap scan report for boisvert.info (144.217.240.68)
Host is up (0.019s latency).
Other addresses for boisvert.info (not scanned): 2607:5300:201:3100::1c3e
rDNS record for 144.217.240.68: 68.ip-144-217-240.net
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
==== 17. Check the TLS certificate with OpenSSL ====
sebhtml@prometheus:~$ echo | openssl s_client -showcerts \
-servername boisvert.info -connect boisvert.info:443 \
2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e4:81:b7:de:61:95:f6:a4:cc:d3:46:cd:77:0c:f9:d6:3e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: May 4 21:57:38 2019 GMT
Not After : Aug 2 21:57:38 2019 GMT
Subject: CN = boisvert.info
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:5e:e2:56:1d:76:17:46:34:9f:f4:13:f9:f4:
52:79:a8:4e:2c:36:2c:a4:55:29:f3:54:e5:de:c9:
ad:c5:bf:da:f9:34:e9:60:56:93:8a:3c:3d:42:a7:
62:bd:80:42:14:f0:08:0c:3c:70:e2:c0:af:50:38:
e3:d2:30:ec:5d:43:0e:4c:1a:34:78:cb:91:db:c6:
24:41:20:7e:c6:56:3f:e0:fa:7c:ff:39:60:8e:be:
3b:25:c0:97:49:79:d7:90:5a:9d:4a:c4:46:c2:53:
b4:f1:ab:42:02:26:ef:70:cd:62:c8:55:91:1f:e9:
0d:3f:3e:ab:88:87:50:d9:ad:d5:e6:f3:cc:18:91:
18:30:b2:b7:71:1d:d6:9f:23:65:02:f4:d2:46:b1:
f1:b8:c8:74:e7:64:a5:cc:03:33:0a:25:5c:19:35:
fc:b6:23:70:78:a7:2e:a5:c4:18:e8:a1:06:bb:31:
52:99:af:ea:b3:2b:e0:15:33:d0:6a:b7:72:57:e0:
16:64:3e:41:69:8c:12:fb:a3:a7:9d:f8:fd:f0:30:
a2:23:4f:e4:4a:74:5a:a9:43:8c:43:0c:5a:17:fc:
60:4e:a8:7b:21:f9:ea:64:af:f7:f6:83:e6:6a:75:
84:2f:76:85:8a:bf:5c:0d:5e:8c:ba:9a:04:16:2c:
c2:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
2D:40:BA:62:94:5D:15:53:6C:38:99:64:A0:12:4E:C6:99:EB:85:40
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:boisvert.info
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : May 4 22:57:38.890 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:3D:1C:FD:0F:56:E2:9B:64:F1:40:40:A4:
DE:73:18:70:B8:39:D3:CE:06:3C:04:47:29:93:7D:20:
F0:87:8B:1F:02:21:00:BD:17:EE:B4:0F:21:60:F6:9E:
BD:7F:54:5A:54:95:31:C3:2E:8D:00:11:F6:CB:3F:4C:
29:82:CB:88:04:A3:F8
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : May 4 22:57:38.821 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:88:18:40:79:FC:C0:D4:79:49:37:1B:
3C:2F:58:03:BF:20:3D:02:F4:9A:D4:5A:30:CD:B1:73:
1C:AC:92:11:5B:02:20:01:11:3A:B0:7B:D8:38:7F:C4:
6F:44:FB:46:AC:1C:5F:C2:B7:F3:D4:17:E9:A4:D1:62:
F6:6E:B1:35:8D:EA:08
Signature Algorithm: sha256WithRSAEncryption
29:9d:33:5f:3b:c4:98:2b:1b:fb:f7:f7:f2:01:2d:5a:c2:9b:
d6:1e:2b:fa:10:e6:d1:81:50:9a:10:b2:7d:5f:54:75:97:58:
2c:7a:5b:2c:ab:db:93:ac:e7:69:0e:52:17:d0:eb:3e:c2:1f:
5b:fb:95:a3:ee:7f:1d:12:67:97:80:00:1b:a7:a3:f3:a5:5b:
26:fd:f5:e5:4c:39:52:59:df:2e:a3:1b:a5:3e:87:38:1e:c2:
a2:4c:3b:0e:67:79:a2:cf:7a:d3:be:e2:96:5a:ef:af:1b:0e:
f0:6f:22:8c:cc:ce:09:63:37:0e:76:68:25:39:0f:e0:0b:5c:
81:f9:90:86:39:4f:3e:40:17:a7:1e:53:e5:c0:7f:31:00:e2:
20:cd:58:ec:04:e3:17:a0:4f:b4:06:9e:df:c3:0c:3f:d9:92:
d1:56:b1:9c:3e:b5:87:05:5a:64:f0:74:ca:2a:48:00:a0:69:
9c:c6:97:e6:31:83:05:ce:cf:cf:51:23:95:f5:7b:e9:59:a1:
bf:9a:2d:2f:a0:2a:c1:7c:e1:33:16:91:ba:c6:a0:b2:f6:4f:
80:6b:bf:09:72:a7:a8:bd:ab:53:e4:b4:99:00:d5:7f:f5:86:
77:74:08:10:26:67:29:4a:2e:28:d8:b9:34:fd:20:ed:e6:36:
3c:cb:e7:77
==== 18. Test an HTTPS connection on TCP port 443 ====
sebhtml@prometheus:~$ curl -I https://boisvert.info/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sat, 04 May 2019 23:10:05 GMT
Content-Type: text/html
Content-Length: 5079
Last-Modified: Mon, 08 Apr 2019 00:30:31 GMT
Connection: keep-alive
ETag: "5caa9627-13d7"
Accept-Ranges: bytes
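Steps 17 and 18 eyeball the certificate. The script below turns that into checks that can be scripted and re-run: the certificate nginx presents is the one certbot saved (the fingerprint comparison catches a forgotten reload), it covers the host name, and it has enough lifetime left, which matters here because a certificate obtained with --manual and no auth hook is not renewed by "certbot renew". This is an added example, not part of the original page; it assumes openssl is installed, and the host name and certificate path default to the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): post-deployment checks on the
# certificate nginx actually serves. Assumes openssl(1); the default
# certificate path follows certbot's layout as shown in step 13.
set -eu

# SHA-256 fingerprint of the first certificate in PEM file $1
# (for fullchain.pem that is the leaf certificate).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the certificate in $1 is still valid $2 days from now.
# `-checkend` exits non-zero when the certificate expires within the window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the certificate in $1 covers host name $2 (SAN entries, CN fallback,
# wildcards), using the same matching rules a TLS client applies.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Write the leaf certificate presented by $1:443 (with SNI) to PEM file $2.
fetch_served_cert() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -outform pem > "$2"
}

# Compare what the server presents with what certbot saved, then check
# name coverage and remaining lifetime (30 days is the usual alarm point).
check_live_cert() {
    host=$1
    on_disk=${2:-/etc/letsencrypt/live/$host/fullchain.pem}
    served=$(mktemp)
    fetch_served_cert "$host" "$served"
    rc=0
    if [ "$(cert_fingerprint "$served")" != "$(cert_fingerprint "$on_disk")" ]; then
        echo "$host: served certificate differs from $on_disk (nginx not reloaded?)" >&2
        rc=1
    fi
    cert_covers_host "$served" "$host" || { echo "$host: name not covered by certificate" >&2; rc=1; }
    cert_valid_for_days "$served" 30 || { echo "$host: less than 30 days of validity left" >&2; rc=1; }
    rm -f "$served"
    return $rc
}

# Usage: sh check-cert.sh boisvert.info [/etc/letsencrypt/live/boisvert.info/fullchain.pem]
if [ $# -ge 1 ]; then
    check_live_cert "$@"
fi
```

Run it on the server after step 15 (where fullchain.pem is readable) or from the laptop with a copy of the file; a non-zero exit from the lifetime check is the cue to repeat steps 07 to 15 before the date shown in step 13.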
==== 19. Done :-) ====