~~NOTOC~~

===== Using certbot to obtain an HTTPS certificate from Let's Encrypt =====

Guide using boisvert.info, in several steps.

Commands to run on a laptop:

<code>
sebhtml@prometheus:~$ xyz
</code>

Commands to run on the server as the root user (in my case boisvert.info, a VPS (Virtual Private Server) at OVH):

<code>
root@vps217173:~# xyz
</code>

==== 01. Check that nginx is running ====

<code>
root@vps217173:~# systemctl|grep nginx
nginx.service    loaded active running   A high performance web server and a reverse proxy server
</code>

==== 02. Check the operating system ====

<code>
root@vps217173:~# lsb_release -a 2>/dev/null|grep Desc
Description:    Debian GNU/Linux 9.9 (stretch)
</code>

==== 03. Go to https://certbot.eff.org/ ====

<code>
sebhtml@prometheus:~$ firefox https://certbot.eff.org/
</code>

and choose I'm using "Nginx" on "Debian 9 (stretch)".

==== 04. Add stretch-backports ====

<code>
root@vps217173:~# echo "deb http://deb.debian.org/debian stretch-backports main" \
  > /etc/apt/sources.list.d/stretch-backports.list
</code>

Fetch Debian's GPG signing keys (useful for Yunohost, among other things):

<code>
root@vps217173:~# gpg --keyserver http://keys.gnupg.net --recv-key 7638D0442B90D010
root@vps217173:~# gpg -a --export 7638D0442B90D010 | sudo apt-key add -
root@vps217173:~# apt update -y
</code>

==== 05. Install what certbot recommends ====

<code>
root@vps217173:~# apt-get install \
  certbot python-certbot-nginx -t stretch-backports
</code>

==== 06. Install the certbot DNS plugin ====

<code>
root@vps217173:~# apt install -y python3-certbot-dns-rfc2136 \
  -t stretch-backports
</code>

==== 07. Request the certificate with certbot ====

<code>
root@vps217173:~# certbot certonly \
  --preferred-challenges dns --manual -m seb@boisvert.info \
  --agree-tos --eff-email -d boisvert.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for boisvert.info

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== 08. DNS configuration ====

After answering Yes, a TXT record must be added to the DNS zone:

<code>
root@vps217173:~# (continuation of the certbot command)
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.boisvert.info with the following value:

YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
</code>

==== 09. Determine who is authoritative for the domain ====

<code>
sebhtml@prometheus:~$ sudo apt install dnsutils
sebhtml@prometheus:~$ dig boisvert.info SOA|grep -A1 "ANSWER SECTION"
;; ANSWER SECTION:
boisvert.info.          3575    IN      SOA     ns39.domaincontrol.com. dns.jomax.net. 2019050104 28800 7200 604800 600
</code>

==== 10. On GoDaddy (DNS), add the DNS record ====

For my own DNS at GoDaddy (in Firefox):

  * Type: TXT
  * Host: _acme-challenge
  * TXT Value: wtvvc_WqkbC04qzNvk0ofqYjHwGzoGa4j_cvjYig-7M
  * TTL (Time to Live): 1 hour

==== 11. Wait 5 minutes and check the DNS ====

To let the DNS information propagate through the tubes of the Internet.

<code>
root@vps217173:~# sleep $((5 * 60))
sebhtml@prometheus:~$ dig _acme-challenge.boisvert.info TXT | grep -A1 "ANSWER SECTION"
;; ANSWER SECTION:
_acme-challenge.boisvert.info. 905 IN   TXT     "YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"
</code>

==== 12. Press Enter ====

<code>
root@vps217173:~# (continuation of the certbot command)
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/boisvert.info/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/boisvert.info/privkey.pem
   Your cert will expire on 2019-08-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
</code>

==== 13. List the Let's Encrypt certificates ====

<code>
root@vps217173:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: boisvert.info
    Domains: boisvert.info
    Expiry Date: 2019-08-02 21:57:38+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/boisvert.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/boisvert.info/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== 14. Add the certificate configuration to nginx ====

Add the following inside the "server {" section of the file /etc/nginx/sites-available/default:

<code nginx>
# Let's Encrypt configuration
listen 443 ssl default_server;
ssl on;
ssl_certificate /etc/letsencrypt/live/boisvert.info/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/boisvert.info/privkey.pem;
</code>

==== 15. Restart nginx (with systemd's systemctl) ====

<code>
root@vps217173:~# systemctl restart nginx.service
</code>

==== 16. Check that the server is listening on TCP/IP port 443 (HTTPS) ====

<code>
sebhtml@prometheus:~$ sudo apt install nmap
sebhtml@prometheus:~$ nmap boisvert.info -p 443

Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-04 19:17 EDT
Nmap scan report for boisvert.info (144.217.240.68)
Host is up (0.019s latency).
Other addresses for boisvert.info (not scanned): 2607:5300:201:3100::1c3e
rDNS record for 144.217.240.68: 68.ip-144-217-240.net

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
</code>

==== 17. Check the SSL certificate with OpenSSL ====

<code>
sebhtml@prometheus:~$ echo | openssl s_client -showcerts \
  -servername boisvert.info -connect boisvert.info:443 \
  2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:e4:81:b7:de:61:95:f6:a4:cc:d3:46:cd:77:0c:f9:d6:3e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: May  4 21:57:38 2019 GMT
            Not After : Aug  2 21:57:38 2019 GMT
        Subject: CN = boisvert.info
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:5e:e2:56:1d:76:17:46:34:9f:f4:13:f9:f4:
                    52:79:a8:4e:2c:36:2c:a4:55:29:f3:54:e5:de:c9:
                    ad:c5:bf:da:f9:34:e9:60:56:93:8a:3c:3d:42:a7:
                    62:bd:80:42:14:f0:08:0c:3c:70:e2:c0:af:50:38:
                    e3:d2:30:ec:5d:43:0e:4c:1a:34:78:cb:91:db:c6:
                    24:41:20:7e:c6:56:3f:e0:fa:7c:ff:39:60:8e:be:
                    3b:25:c0:97:49:79:d7:90:5a:9d:4a:c4:46:c2:53:
                    b4:f1:ab:42:02:26:ef:70:cd:62:c8:55:91:1f:e9:
                    0d:3f:3e:ab:88:87:50:d9:ad:d5:e6:f3:cc:18:91:
                    18:30:b2:b7:71:1d:d6:9f:23:65:02:f4:d2:46:b1:
                    f1:b8:c8:74:e7:64:a5:cc:03:33:0a:25:5c:19:35:
                    fc:b6:23:70:78:a7:2e:a5:c4:18:e8:a1:06:bb:31:
                    52:99:af:ea:b3:2b:e0:15:33:d0:6a:b7:72:57:e0:
                    16:64:3e:41:69:8c:12:fb:a3:a7:9d:f8:fd:f0:30:
                    a2:23:4f:e4:4a:74:5a:a9:43:8c:43:0c:5a:17:fc:
                    60:4e:a8:7b:21:f9:ea:64:af:f7:f6:83:e6:6a:75:
                    84:2f:76:85:8a:bf:5c:0d:5e:8c:ba:9a:04:16:2c:
                    c2:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                2D:40:BA:62:94:5D:15:53:6C:38:99:64:A0:12:4E:C6:99:EB:85:40
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:boisvert.info
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : May  4 22:57:38.890 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:3D:1C:FD:0F:56:E2:9B:64:F1:40:40:A4:
                                DE:73:18:70:B8:39:D3:CE:06:3C:04:47:29:93:7D:20:
                                F0:87:8B:1F:02:21:00:BD:17:EE:B4:0F:21:60:F6:9E:
                                BD:7F:54:5A:54:95:31:C3:2E:8D:00:11:F6:CB:3F:4C:
                                29:82:CB:88:04:A3:F8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : May  4 22:57:38.821 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:88:18:40:79:FC:C0:D4:79:49:37:1B:
                                3C:2F:58:03:BF:20:3D:02:F4:9A:D4:5A:30:CD:B1:73:
                                1C:AC:92:11:5B:02:20:01:11:3A:B0:7B:D8:38:7F:C4:
                                6F:44:FB:46:AC:1C:5F:C2:B7:F3:D4:17:E9:A4:D1:62:
                                F6:6E:B1:35:8D:EA:08
    Signature Algorithm: sha256WithRSAEncryption
         29:9d:33:5f:3b:c4:98:2b:1b:fb:f7:f7:f2:01:2d:5a:c2:9b:
         d6:1e:2b:fa:10:e6:d1:81:50:9a:10:b2:7d:5f:54:75:97:58:
         2c:7a:5b:2c:ab:db:93:ac:e7:69:0e:52:17:d0:eb:3e:c2:1f:
         5b:fb:95:a3:ee:7f:1d:12:67:97:80:00:1b:a7:a3:f3:a5:5b:
         26:fd:f5:e5:4c:39:52:59:df:2e:a3:1b:a5:3e:87:38:1e:c2:
         a2:4c:3b:0e:67:79:a2:cf:7a:d3:be:e2:96:5a:ef:af:1b:0e:
         f0:6f:22:8c:cc:ce:09:63:37:0e:76:68:25:39:0f:e0:0b:5c:
         81:f9:90:86:39:4f:3e:40:17:a7:1e:53:e5:c0:7f:31:00:e2:
         20:cd:58:ec:04:e3:17:a0:4f:b4:06:9e:df:c3:0c:3f:d9:92:
         d1:56:b1:9c:3e:b5:87:05:5a:64:f0:74:ca:2a:48:00:a0:69:
         9c:c6:97:e6:31:83:05:ce:cf:cf:51:23:95:f5:7b:e9:59:a1:
         bf:9a:2d:2f:a0:2a:c1:7c:e1:33:16:91:ba:c6:a0:b2:f6:4f:
         80:6b:bf:09:72:a7:a8:bd:ab:53:e4:b4:99:00:d5:7f:f5:86:
         77:74:08:10:26:67:29:4a:2e:28:d8:b9:34:fd:20:ed:e6:36:
         3c:cb:e7:77
</code>

==== 18. Test the TCP/IP connection over HTTPS on port 443 ====

<code>
sebhtml@prometheus:~$ curl -I https://boisvert.info/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sat, 04 May 2019 23:10:05 GMT
Content-Type: text/html
Content-Length: 5079
Last-Modified: Mon, 08 Apr 2019 00:30:31 GMT
Connection: keep-alive
ETag: "5caa9627-13d7"
Accept-Ranges: bytes
</code>

==== 19. The end :-) ====
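The manual checks of steps 11, 16 and 17 (is the _acme-challenge TXT record visible, does port 443 answer, and how long is the served certificate still valid) are worth re-running before every manual renewal, since a certificate obtained this way is not renewed automatically. The script below is an added example, not code from the original page or from certbot: it scripts those three checks, with the parsing helpers kept separate from the network calls so they can be exercised against a constructed dig answer. It assumes ''dig'' (package dnsutils) is installed on the machine running it, and the 30-day ''WARN_DAYS'' threshold is a value chosen here.

```python
#!/usr/bin/env python3
"""Post-issuance checks for a Let's Encrypt DNS-01 certificate.

Added example for this guide (not code from the original page or from
certbot). It scripts the checks of steps 11, 16 and 17: is the
_acme-challenge TXT record visible, does TCP port 443 answer, and how
many days does the served certificate have left. Assumptions: `dig`
(package dnsutils) is installed, and WARN_DAYS is a threshold chosen here.
"""
import re
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed threshold; Let's Encrypt certificates are valid 90 days

# Constructed sample modelled on the step 11 output (dig separates fields with tabs).
SAMPLE_DIG_OUTPUT = (
    ";; ANSWER SECTION:\n"
    '_acme-challenge.boisvert.info.\t905\tIN\tTXT\t"YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"\n'
)

# ---- parsing helpers: pure functions, no network needed ----

TXT_RR = re.compile(r"\bIN\s+TXT\s+(.*)$")


def txt_values(dig_output):
    """Return the quoted strings of every TXT answer line; ';' comment lines are skipped."""
    values = []
    for line in dig_output.splitlines():
        if line.startswith(";"):
            continue
        m = TXT_RR.search(line)
        if m:
            values.extend(re.findall(r'"([^"]*)"', m.group(1)))
    return values


def challenge_deployed(dig_output, expected_token):
    """True when the token certbot asked for (step 08) is among the published TXT values."""
    return expected_token in txt_values(dig_output)


def parse_not_after(text):
    """Parse 'notAfter=Aug  2 21:57:38 2019 GMT' (openssl x509 -enddate) or the bare
    date string that ssl.getpeercert() returns, into a timezone-aware UTC datetime."""
    raw = " ".join(text.split("=", 1)[-1].split())
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days between `now` and the certificate's expiry (negative once expired)."""
    return (not_after - now).days


# ---- live checks: these talk to the network ----

def dig_txt(name):
    """Equivalent of step 11's `dig <name> TXT`, answer section only."""
    proc = subprocess.run(["dig", "+noall", "+answer", name, "TXT"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def port_open(host, port=443, timeout=5.0):
    """Lightweight stand-in for step 16's nmap probe: can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def served_not_after(host, port=443):
    """Fetch the certificate nginx serves for `host` (with SNI, like -servername in
    step 17) and return its expiry. The default context also validates the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def main(domain, expected_token=None):
    ok = True
    if expected_token is not None:
        deployed = challenge_deployed(dig_txt("_acme-challenge." + domain), expected_token)
        print("TXT record deployed:", deployed)
        ok = ok and deployed
    if not port_open(domain):
        print("port 443 is closed on", domain)
        return 1
    days = days_remaining(served_not_after(domain), datetime.now(timezone.utc))
    print("days until expiry:", days)
    if days < WARN_DAYS:
        print("renew soon: run `certbot renew` or repeat step 07")
        ok = False
    return 0 if ok else 1


if __name__ == "__main__":
    # usage: check_cert.py boisvert.info [token-shown-by-certbot]
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with the domain alone for the routine expiry check, or with the token certbot printed in step 08 while waiting at step 12, so the Enter key is pressed only once the record is actually visible to resolvers.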