
Using certbot to obtain an HTTPS certificate with Let's Encrypt

A guide using boisvert.info, in several steps

Commands to run on a laptop:

sebhtml@prometheus:~$ xyz

Commands to run on the server as the root user (in my case, boisvert.info, a VPS (Virtual Private Server) hosted at OVH):

root@vps217173:~# xyz

01. Check that nginx is running

root@vps217173:~# systemctl|grep nginx
nginx.service                                                                               loaded active running   A high performance web server and a reverse proxy server         

02. Check the operating system

root@vps217173:~# lsb_release -a 2>/dev/null|grep Desc
Description:	Debian GNU/Linux 9.9 (stretch)

03. Go to https://certbot.eff.org/

sebhtml@prometheus:~$ firefox https://certbot.eff.org/

and choose I'm using “Nginx” on “Debian 9 (stretch)”

04. Add stretch-backports

root@vps217173:~# echo "deb http://deb.debian.org/debian stretch-backports main" \
        > /etc/apt/sources.list.d/stretch-backports.list

Fetch Debian's GPG signing keys (useful for Yunohost, among other things)

root@vps217173:~# gpg --keyserver http://keys.gnupg.net --recv-key 7638D0442B90D010
root@vps217173:~# gpg -a --export 7638D0442B90D010 | sudo apt-key add -
root@vps217173:~# apt update -y

05. Install the packages recommended by certbot

root@vps217173:~# apt-get install \
                certbot python-certbot-nginx -t stretch-backports

06. Install the certbot DNS plugin

root@vps217173:~# apt install -y python3-certbot-dns-rfc2136 \
         -t stretch-backports

07. Request the certificate with certbot

root@vps217173:~# certbot certonly \
       --preferred-challenges dns --manual -m seb@boisvert.info \
       --agree-tos --eff-email -d boisvert.info 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for boisvert.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

08. DNS configuration

After answering Yes, a TXT record must be added to the DNS zone:

root@vps217173:~# (certbot command, continued)
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name
_acme-challenge.boisvert.info with the following value:

YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA

09. Determine who is authoritative for the domain

sebhtml@prometheus:~$ sudo apt install dnsutils 
sebhtml@prometheus:~$ dig boisvert.info SOA|grep -A1 "ANSWER SECTION" 
;; ANSWER SECTION:
boisvert.info.		3575	IN	SOA	ns39.domaincontrol.com. dns.jomax.net. 2019050104 28800 7200 604800 600

10. On GoDaddy (DNS), add the DNS record:

For my own DNS at GoDaddy (in Firefox), the form fields are:

Type: TXT
Host: _acme-challenge
TXT Value: wtvvc_WqkbC04qzNvk0ofqYjHwGzoGa4j_cvjYig-7M
TTL (Time to Live): 1 hour

11. Wait 5 minutes and check the DNS

This lets the DNS information propagate through the tubes of the Internet.

root@vps217173:~# sleep $((5 * 60))
sebhtml@prometheus:~$ dig _acme-challenge.boisvert.info TXT | grep -A1 "ANSWER SECTION"
;; ANSWER SECTION:
_acme-challenge.boisvert.info. 905 IN	TXT	"YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"
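The dig in step 11 goes through the laptop's resolver, so a cached answer can hide a record that is not actually published yet. The script below, an added example that is not part of the original post, asks each authoritative name server of the domain (step 09) directly for the _acme-challenge TXT record and only reports success when every one of them serves the value certbot printed. It assumes dig (package dnsutils) is installed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the DNS-01 challenge
# record is live on the authoritative name servers before pressing Enter.

# Normalise `dig +short ... TXT` output: join values that dig prints as
# several quoted chunks ("abc" "def" -> "abcdef") and strip the outer quotes.
# $1: raw dig +short output (one record per line).
txt_values() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeed (exit 0) when the expected value $2 is one of the TXT values in $1.
txt_contains() {
    txt_values "$1" | grep -qxF -- "$2"
}

# Query every authoritative NS for _acme-challenge.<domain> and compare.
# $1: domain, $2: challenge value printed by certbot.
# Succeeds only if at least one NS answered and none of them disagreed.
check_challenge() {
    domain=$1; expected=$2; ok=0; failed=0
    for ns in $(dig +short NS "$domain"); do
        answer=$(dig +short @"$ns" "_acme-challenge.$domain" TXT)
        if txt_contains "$answer" "$expected"; then
            echo "OK   $ns serves the expected challenge value"
            ok=$((ok + 1))
        else
            echo "MISS $ns: got '${answer:-<no record>}'"
            failed=$((failed + 1))
        fi
    done
    [ "$ok" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Stand-alone usage: ./check_challenge.sh boisvert.info <value from certbot>
if [ "$#" -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

A MISS on one server while another says OK usually means the provider has not pushed the zone to all of its name servers yet; wait and rerun rather than pressing Enter, because Let's Encrypt may query any of them.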

12. Press <ENTER>

root@vps217173:~# (certbot command, continued)
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/boisvert.info/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/boisvert.info/privkey.pem
 Your cert will expire on 2019-08-02. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew *all* of your certificates, run
 "certbot renew"
 - If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

13. List the Let's Encrypt certificates

root@vps217173:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: boisvert.info
  Domains: boisvert.info
  Expiry Date: 2019-08-02 21:57:38+00:00 (VALID: 89 days)
  Certificate Path: /etc/letsencrypt/live/boisvert.info/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/boisvert.info/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14. Add the certificate configuration to nginx

Add the following inside the “server {” block of /etc/nginx/sites-available/default:

      # Let's Encrypt configuration
      listen 443 ssl default_server;
      ssl on;
      ssl_certificate /etc/letsencrypt/live/boisvert.info/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/boisvert.info/privkey.pem;

15. Restart nginx (with systemd's systemctl)

root@vps217173:~# systemctl restart nginx.service

16. Check that the server listens on TCP port 443 (HTTPS)

sebhtml@prometheus:~$ sudo apt install nmap
sebhtml@prometheus:~$ nmap boisvert.info -p 443
Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-04 19:17 EDT
Nmap scan report for boisvert.info (144.217.240.68)
Host is up (0.019s latency).
Other addresses for boisvert.info (not scanned): 2607:5300:201:3100::1c3e
rDNS record for 144.217.240.68: 68.ip-144-217-240.net

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

17. Check the SSL certificate with OpenSSL

sebhtml@prometheus:~$  echo | openssl s_client -showcerts \
           -servername boisvert.info -connect boisvert.info:443 \
             2>/dev/null | openssl x509 -inform pem -noout -text 
Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number:
          03:e4:81:b7:de:61:95:f6:a4:cc:d3:46:cd:77:0c:f9:d6:3e
  Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
      Validity
          Not Before: May  4 21:57:38 2019 GMT
          Not After : Aug  2 21:57:38 2019 GMT
      Subject: CN = boisvert.info
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
              Public-Key: (2048 bit)
              Modulus:
                  00:bd:5e:e2:56:1d:76:17:46:34:9f:f4:13:f9:f4:
                  52:79:a8:4e:2c:36:2c:a4:55:29:f3:54:e5:de:c9:
                  ad:c5:bf:da:f9:34:e9:60:56:93:8a:3c:3d:42:a7:
                  62:bd:80:42:14:f0:08:0c:3c:70:e2:c0:af:50:38:
                  e3:d2:30:ec:5d:43:0e:4c:1a:34:78:cb:91:db:c6:
                  24:41:20:7e:c6:56:3f:e0:fa:7c:ff:39:60:8e:be:
                  3b:25:c0:97:49:79:d7:90:5a:9d:4a:c4:46:c2:53:
                  b4:f1:ab:42:02:26:ef:70:cd:62:c8:55:91:1f:e9:
                  0d:3f:3e:ab:88:87:50:d9:ad:d5:e6:f3:cc:18:91:
                  18:30:b2:b7:71:1d:d6:9f:23:65:02:f4:d2:46:b1:
                  f1:b8:c8:74:e7:64:a5:cc:03:33:0a:25:5c:19:35:
                  fc:b6:23:70:78:a7:2e:a5:c4:18:e8:a1:06:bb:31:
                  52:99:af:ea:b3:2b:e0:15:33:d0:6a:b7:72:57:e0:
                  16:64:3e:41:69:8c:12:fb:a3:a7:9d:f8:fd:f0:30:
                  a2:23:4f:e4:4a:74:5a:a9:43:8c:43:0c:5a:17:fc:
                  60:4e:a8:7b:21:f9:ea:64:af:f7:f6:83:e6:6a:75:
                  84:2f:76:85:8a:bf:5c:0d:5e:8c:ba:9a:04:16:2c:
                  c2:b1
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Key Usage: critical
              Digital Signature, Key Encipherment
          X509v3 Extended Key Usage: 
              TLS Web Server Authentication, TLS Web Client Authentication
          X509v3 Basic Constraints: critical
              CA:FALSE
          X509v3 Subject Key Identifier: 
              2D:40:BA:62:94:5D:15:53:6C:38:99:64:A0:12:4E:C6:99:EB:85:40
          X509v3 Authority Key Identifier: 
              keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

          Authority Information Access: 
              OCSP - URI:http://ocsp.int-x3.letsencrypt.org
              CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

          X509v3 Subject Alternative Name: 
              DNS:boisvert.info
          X509v3 Certificate Policies: 
              Policy: 2.23.140.1.2.1
              Policy: 1.3.6.1.4.1.44947.1.1.1
                CPS: http://cps.letsencrypt.org

          CT Precertificate SCTs: 
              Signed Certificate Timestamp:
                  Version   : v1 (0x0)
                  Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                              3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                  Timestamp : May  4 22:57:38.890 2019 GMT
                  Extensions: none
                  Signature : ecdsa-with-SHA256
                              30:45:02:20:3D:1C:FD:0F:56:E2:9B:64:F1:40:40:A4:
                              DE:73:18:70:B8:39:D3:CE:06:3C:04:47:29:93:7D:20:
                              F0:87:8B:1F:02:21:00:BD:17:EE:B4:0F:21:60:F6:9E:
                              BD:7F:54:5A:54:95:31:C3:2E:8D:00:11:F6:CB:3F:4C:
                              29:82:CB:88:04:A3:F8
              Signed Certificate Timestamp:
                  Version   : v1 (0x0)
                  Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                              A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                  Timestamp : May  4 22:57:38.821 2019 GMT
                  Extensions: none
                  Signature : ecdsa-with-SHA256
                              30:45:02:21:00:88:18:40:79:FC:C0:D4:79:49:37:1B:
                              3C:2F:58:03:BF:20:3D:02:F4:9A:D4:5A:30:CD:B1:73:
                              1C:AC:92:11:5B:02:20:01:11:3A:B0:7B:D8:38:7F:C4:
                              6F:44:FB:46:AC:1C:5F:C2:B7:F3:D4:17:E9:A4:D1:62:
                              F6:6E:B1:35:8D:EA:08
  Signature Algorithm: sha256WithRSAEncryption
       29:9d:33:5f:3b:c4:98:2b:1b:fb:f7:f7:f2:01:2d:5a:c2:9b:
       d6:1e:2b:fa:10:e6:d1:81:50:9a:10:b2:7d:5f:54:75:97:58:
       2c:7a:5b:2c:ab:db:93:ac:e7:69:0e:52:17:d0:eb:3e:c2:1f:
       5b:fb:95:a3:ee:7f:1d:12:67:97:80:00:1b:a7:a3:f3:a5:5b:
       26:fd:f5:e5:4c:39:52:59:df:2e:a3:1b:a5:3e:87:38:1e:c2:
       a2:4c:3b:0e:67:79:a2:cf:7a:d3:be:e2:96:5a:ef:af:1b:0e:
       f0:6f:22:8c:cc:ce:09:63:37:0e:76:68:25:39:0f:e0:0b:5c:
       81:f9:90:86:39:4f:3e:40:17:a7:1e:53:e5:c0:7f:31:00:e2:
       20:cd:58:ec:04:e3:17:a0:4f:b4:06:9e:df:c3:0c:3f:d9:92:
       d1:56:b1:9c:3e:b5:87:05:5a:64:f0:74:ca:2a:48:00:a0:69:
       9c:c6:97:e6:31:83:05:ce:cf:cf:51:23:95:f5:7b:e9:59:a1:
       bf:9a:2d:2f:a0:2a:c1:7c:e1:33:16:91:ba:c6:a0:b2:f6:4f:
       80:6b:bf:09:72:a7:a8:bd:ab:53:e4:b4:99:00:d5:7f:f5:86:
       77:74:08:10:26:67:29:4a:2e:28:d8:b9:34:fd:20:ed:e6:36:
       3c:cb:e7:77

18. Test the TCP/IP connection with the HTTPS protocol on port 443

sebhtml@prometheus:~$ curl -I https://boisvert.info/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sat, 04 May 2019 23:10:05 GMT
Content-Type: text/html
Content-Length: 5079
Last-Modified: Mon, 08 Apr 2019 00:30:31 GMT
Connection: keep-alive
ETag: "5caa9627-13d7"
Accept-Ranges: bytes

19. Done :-)