auto-heber:certbot
Differences
Below are the differences between two revisions of the page.
auto-heber:certbot [2024/01/28 23:48] (current version) – created – external edit 127.0.0.1

===== Using certbot to obtain an HTTPS certificate with Let's Encrypt =====

Guide using boisvert.info,

Commands to run on a laptop:
<code bash>
</code>

Commands to run on the server with the
<code bash>
</code>

==== 01. Check that nginx is running ====

<code bash>
nginx.service
</code>

==== 02. Check the operating system ====

<code bash>
Description:
</code>

==== 03. Go to https:// ====

<code bash>
</code>

and choose I'm using "

==== 04. Add stretch-backports ====

<code bash>
> /
</code>

Get the Debian GPG signing keys (useful for Yunohost among others)

<code bash>
root@vps217173:
root@vps217173:
</code>

<code bash>
</code>

==== 05. Install the recommended certbot stuff ====

<code bash>
certbot python-certbot-nginx -t stretch-backports</code>

==== 06. Install the certbot DNS plugin ====

<code bash>
-t stretch-backports </code>

==== 07. Request the certificate with certbot ====

<code bash>



Saving debug log to /
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for boisvert.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== 08. DNS configuration ====

After answering Yes, a TXT record has to be added to the DNS zone:

<code bash>

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name
_acme-challenge.boisvert.info with the following value:

YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
</code>

==== 09. Determine who is authoritative for the domain ====

<code bash>
</code>

<code bash>
;; ANSWER SECTION:
boisvert.info. 3575 IN SOA ns39.domaincontrol.com. dns.jomax.net. 2019050104 28800 7200 604800 600
</code>

==== 10. On GoDaddy (DNS), add the TXT record ====

For my own DNS at GoDaddy (in Firefox):

Type: TXT
Host: _acme-challenge
TXT Value: wtvvc_WqkbC04qzNvk0ofqYjHwGzoGa4j_cvjYig-7M
TTL (Time to Live): 1 hour

==== 11. Wait 5 minutes and check the DNS ====

To let the record propagate:

<code bash>
</code>

<code bash>
;; ANSWER SECTION:
_acme-challenge.boisvert.info. 905 IN TXT "
</code>

==== 12. Press Enter ====

<code bash>
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/
Your key file has been saved at:
/
Your cert will expire on 2019-08-02. To obtain a new or tweaked


"
- If you like Certbot, please consider supporting our work by:



</code>

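Before pressing Enter in step 12 it pays to confirm, rather than eyeball, that the TXT value answered in step 11 is exactly the token certbot printed in step 08: a stale or mistyped value means a failed challenge and a wasted rate-limit slot. The script below is an added example, not code from the original guide or from certbot. It parses dig's presentation format and compares the published value with the expected token; the sample dig output is constructed for this example, and the `query_txt` helper, the script name and its command-line arguments are assumptions.

```python
"""Verify the ACME DNS-01 challenge record before continuing certbot.

Added example (not from the original page): parses the output of
`dig TXT _acme-challenge.<domain>` (the shape shown in step 11) and checks
that the value certbot asked for in step 08 is actually published.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of dig output in the shape of step 11, carrying the
# token certbot asked for in step 08 (sample data, not a real query).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_acme-challenge.boisvert.info. 905 IN TXT "YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"

;; Query time: 19 msec
"""

# owner-name  TTL  IN  TXT  rdata   (dig's presentation format, tab separated)
TXT_LINE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+(?P<rdata>.+)$')
# TXT rdata is one or more quoted character-strings; backslash escapes allowed.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_answers(dig_output: str) -> Dict[str, List[str]]:
    """Map each owner name in the ANSWER SECTION to the list of its TXT values."""
    answers: Dict[str, List[str]] = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(';; ANSWER SECTION:'):
            in_answer = True
            continue
        if line.startswith(';;'):          # any other section header ends the answers
            in_answer = False
            continue
        if not in_answer:
            continue
        match = TXT_LINE.match(line.strip())
        if not match:
            continue
        # A long TXT record is split into several quoted strings; join them.
        value = ''.join(QUOTED.findall(match.group('rdata')))
        owner = match.group('name').rstrip('.').lower()
        answers.setdefault(owner, []).append(value)
    return answers


def challenge_deployed(dig_output: str, domain: str, expected_token: str) -> bool:
    """True if _acme-challenge.<domain> publishes exactly the token certbot printed."""
    owner = f'_acme-challenge.{domain}'.rstrip('.').lower()
    return expected_token in parse_txt_answers(dig_output).get(owner, [])


def query_txt(name: str, nameserver: Optional[str] = None) -> str:
    """Run dig for a TXT record (needs network; the offline check above does not)."""
    cmd = ['dig', 'TXT', name]
    if nameserver:
        cmd.append('@' + nameserver)   # e.g. the SOA primary found in step 09
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == '__main__':
    # Hypothetical usage: check_acme_txt.py <domain> <token> [authoritative-ns]
    import sys
    domain, token = sys.argv[1], sys.argv[2]
    ns = sys.argv[3] if len(sys.argv) > 3 else None
    ok = challenge_deployed(query_txt(f'_acme-challenge.{domain}', ns), domain, token)
    print('record deployed, safe to press Enter' if ok else 'record NOT visible yet')
    sys.exit(0 if ok else 1)
```

Passing the authoritative server from step 09 (ns39.domaincontrol.com) as the third argument queries it directly: a caching resolver may keep an old answer for the whole TTL (1 hour in step 10), so a fresh value can be live at the registrar while a public resolver still says otherwise.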
==== 13. List the Let's Encrypt certificates ====

<code bash>
Saving debug log to /

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: boisvert.info
Domains: boisvert.info
Expiry Date: 2019-08-02 21:
Certificate Path: /
Private Key Path: /
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== 14. Add the certificate configuration to nginx ====

Add to the "server" section:

<code nginx>
# Let's Encrypt configuration
listen 443 ssl default_server;
ssl on;
ssl_certificate /
ssl_certificate_key /
</code>

==== 15. Restart nginx (with systemd's systemctl) ====

<code bash>
</code>

==== 16. Check that the server is listening on TCP/IP port 443 (HTTPS) ====

<code bash>
</code>

<code bash>

Starting Nmap 7.60 ( https://
Nmap scan report for boisvert.info (144.217.240.68)
Host is up (0.019s latency).
Other addresses for boisvert.info (not scanned): 2607:
rDNS record for 144.217.240.68:

PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
</code>

==== 17. Check the SSL certificate with OpenSSL ====

<code bash>


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: May 4 21:57:38 2019 GMT
Not After : Aug 2 21:57:38 2019 GMT
Subject: CN = boisvert.info
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:
52:
ad:
62:
e3:
24:
3b:
b4:
0d:
18:
f1:
fc:
52:
16:
a2:
60:
84:
c2:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication,
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
2D:
X509v3 Authority Key Identifier:
keyid:

Authority Information Access:
OCSP - URI:
CA Issuers - URI:

X509v3 Subject Alternative Name:
DNS:
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://

CT Precertificate SCTs:
Signed Certificate Timestamp:
Version
Log ID : E2:
3E:
Timestamp : May 4 22:
Extensions: none
Signature : ecdsa-with-SHA256
30:
DE:
F0:
BD:
29:
Signed Certificate Timestamp:
Version
Log ID : 63:
A4:
Timestamp : May 4 22:
Extensions: none
Signature : ecdsa-with-SHA256
30:
3C:
1C:
6F:
F6:
Signature Algorithm: sha256WithRSAEncryption















</code>

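The expiry shown by `certbot certificates` in step 13 and in the `Not After` field of step 17 is what decides when the 90-day Let's Encrypt certificate must be renewed. The following Python script is an added example, not code from the original page or from certbot: it parses `openssl x509 -text` output into the validity window, subject CN and SAN list, then applies the 30-day threshold that `certbot renew` uses by default. The sample text is constructed in the shape of step 17 (dates, subject and issuer as the page shows them; the SAN line and the function names are assumptions for illustration).

```python
"""Read validity and names out of `openssl x509 -text` output and decide
whether renewal is due.

Added example (not from the original page or from certbot).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed excerpt in the shape of step 17's output. Dates, subject and
# issuer are the ones the page shows; the SAN line is filled in as sample data.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: May  4 21:57:38 2019 GMT
            Not After : Aug  2 21:57:38 2019 GMT
        Subject: CN = boisvert.info
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:boisvert.info
"""

OPENSSL_TIME = '%b %d %H:%M:%S %Y GMT'
RENEW_BEFORE_DAYS = 30   # certbot's default renew_before_expiry


def _parse_time(text: str) -> datetime:
    # openssl pads the day with a space ("May  4"); normalise whitespace first.
    normalised = ' '.join(text.split())
    return datetime.strptime(normalised, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def cert_summary(x509_text: str) -> Dict[str, object]:
    """Extract issuer, subject CN, validity window and SAN names from -text output."""
    def field(label: str) -> str:
        pattern = r'^\s*' + re.escape(label) + r'\s*:\s*(.+?)\s*$'
        match = re.search(pattern, x509_text, re.MULTILINE)
        if not match:
            raise ValueError(f'{label} not found in certificate text')
        return match.group(1)

    subject = field('Subject')
    cn = re.search(r'CN\s*=\s*([^,]+)', subject)
    san = re.search(r'Subject Alternative Name:\s*\n\s*(.+)$', x509_text, re.MULTILINE)
    return {
        'issuer': field('Issuer'),
        'subject_cn': cn.group(1).strip() if cn else None,
        'not_before': _parse_time(field('Not Before')),
        'not_after': _parse_time(field('Not After')),
        'sans': re.findall(r'DNS:([^,\s]+)', san.group(1)) if san else [],
    }


def days_remaining(not_after: datetime, now: Optional[datetime] = None) -> int:
    """Whole days until expiry (negative once the certificate has expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_due(not_after: datetime, now: Optional[datetime] = None,
                threshold_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when fewer than threshold_days remain, i.e. when certbot renew would act."""
    return days_remaining(not_after, now) < threshold_days


def covers_hostname(summary: Dict[str, object], hostname: str) -> bool:
    """Clients match the SAN list, not the CN; make sure the name is actually listed."""
    sans: List[str] = summary['sans']  # type: ignore[assignment]
    return hostname.lower() in [name.lower() for name in sans]


if __name__ == '__main__':
    info = cert_summary(SAMPLE_X509_TEXT)
    print('issuer     :', info['issuer'])
    print('subject CN :', info['subject_cn'], 'SANs:', info['sans'])
    print('valid      :', info['not_before'], '->', info['not_after'])
    print('days left  :', days_remaining(info['not_after']))
    print('renew now? :', renewal_due(info['not_after']))
```

Feeding it the real output of `openssl x509 -in /etc/letsencrypt/live/<name>/cert.pem -noout -text` (path pattern from certbot's documentation, the exact path is elided on this page) turns the manual inspection of step 17 into something a cron job can alert on; with the manual DNS plugin used here there is no automatic renewal, so the 30-day warning is the reminder to repeat steps 07 to 12.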
==== 18. Test the TCP/IP connection with the HTTPS protocol on port 443 ====

<code bash>
HTTP/1.1 200 OK
Server: nginx/
Date: Sat, 04 May 2019 23:10:05 GMT
Content-Type:
Content-Length:
Last-Modified:
Connection: keep-alive
ETag: "
Accept-Ranges:
</code>

==== 19. Done :-) ====
auto-heber/certbot.txt · Last modified: 2024/01/28 23:48 by 127.0.0.1