auto-heber:certbot

auto-heber:certbot [2024/01/28 23:48] (current version) – created - external edit 127.0.0.1
 + ~~NOTOC~~
  
 +
 +===== Using certbot to obtain an HTTPS certificate with Let's Encrypt =====
 +
 +Guide using boisvert.info, in several steps.
 +
 +Commands to run on a laptop (unprivileged user prompt):
 +<code bash>sebhtml@prometheus:~$ xyz</code>
 +
 +Commands to run on the server as the root user (in my case boisvert.info, a VPS (Virtual Private Server) at OVH):
 +<code bash>root@vps217173:~# xyz</code>
 +
 +==== 01. Check that nginx is running ====
 +
 +<code bash>root@vps217173:~# systemctl|grep nginx</code>
 +  nginx.service                                                                               loaded active running   A high performance web server and a reverse proxy server         
 +==== 02. Check the operating system ====
 +
 +<code bash>root@vps217173:~# lsb_release -a 2>/dev/null|grep Desc</code>
 +  Description: Debian GNU/Linux 9.9 (stretch)
 +
 +
 +==== 03. Go to https://certbot.eff.org/ ====
 +
 +<code bash>sebhtml@prometheus:~$ firefox https://certbot.eff.org/</code>
 +
 +and choose I'm using "Nginx" on "Debian 9 (stretch)".
 +
 +==== 04. Add stretch-backports ====
 +
 +<code bash>root@vps217173:~# echo "deb http://deb.debian.org/debian stretch-backports main" \
 +        > /etc/apt/sources.list.d/stretch-backports.list</code>
 +
 +Fetch Debian's GPG signing keys (useful for Yunohost, among other things):
 +
 +<code bash>
 +root@vps217173:~# gpg --keyserver http://keys.gnupg.net --recv-key 7638D0442B90D010
 +root@vps217173:~# gpg -a --export 7638D0442B90D010 | sudo apt-key add -
 +</code>
 +        
 +<code bash>root@vps217173:~# apt update -y</code>
 +
 +==== 05. Install the packages certbot recommends ====
 +
 +<code bash>root@vps217173:~# apt-get install \
 +                certbot python-certbot-nginx -t stretch-backports</code>
 +
 +
 +==== 06. Install the certbot DNS plugin ====
 +
 +<code bash>root@vps217173:~# apt install -y python3-certbot-dns-rfc2136 \
 +         -t stretch-backports </code>
 +
 +Note that the certbot command in step 07 uses the manual authenticator (--manual), so this plugin is installed but not actually exercised by this guide.
 +
 +
 +==== 07. Request the certificate with certbot ====
 +
 +<code bash>root@vps217173:~# certbot certonly \
 +       --preferred-challenges dns --manual -m seb@boisvert.info \
 +       --agree-tos --eff-email -d boisvert.info </code>
 +  
 +  Saving debug log to /var/log/letsencrypt/letsencrypt.log
 +  Plugins selected: Authenticator manual, Installer None
 +  Obtaining a new certificate
 +  Performing the following challenges:
 +  dns-01 challenge for boisvert.info
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
 +
 +==== 08. DNS configuration ====
 +
 +After answering Yes, a TXT record must be added to the DNS zone:
 +
 +<code bash>root@vps217173:~# (certbot command continues) </code>
 +
 +  NOTE: The IP of this machine will be publicly logged as having requested this
 +  certificate. If you're running certbot in manual mode on a machine that is not
 +  your server, please ensure you're okay with that.
 +  
 +  Are you OK with your IP being logged?
 +  
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +  
 +  (Y)es/(N)o: Y
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +  
 +  Please deploy a DNS TXT record under the name
 +  _acme-challenge.boisvert.info with the following value:
 +  
 +  YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
 +
 +
 +==== 09. Determine who is authoritative for the domain ====
 +
 +<code bash>sebhtml@prometheus:~$ sudo apt install dnsutils </code>
 +
 +<code bash>sebhtml@prometheus:~$ dig boisvert.info SOA|grep -A1 "ANSWER SECTION" </code>
 +  ;; ANSWER SECTION:
 +  boisvert.info. 3575 IN SOA ns39.domaincontrol.com. dns.jomax.net. 2019050104 28800 7200 604800 600
 +
 +
 +==== 10. On GoDaddy (DNS), add the DNS record: ====
 +
 +For my own DNS at GoDaddy (in Firefox):
 +
 +Type: TXT
 +Host: _acme-challenge
 +TXT Value: wtvvc_WqkbC04qzNvk0ofqYjHwGzoGa4j_cvjYig-7M
 +TTL (Time to Live): 1 hour
 +
 +
 +==== 11. Wait 5 minutes and check the DNS ====
 +
 +To let the DNS information propagate through the tubes of the Internet.
 +
 +<code bash>root@vps217173:~# sleep $((5 * 60))</code>
 +
 +<code bash>sebhtml@prometheus:~$ dig _acme-challenge.boisvert.info TXT | grep -A1 "ANSWER SECTION"</code>
 +  ;; ANSWER SECTION:
 +  _acme-challenge.boisvert.info. 905 IN TXT "YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA"
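Rather than a fixed five-minute sleep, the check in step 11 can be repeated until the record is actually served. This added example (not part of the original page) polls the zone's primary nameserver, taken from the SOA record as in step 09, for the _acme-challenge TXT value that certbot printed in step 08; it assumes dig (dnsutils) is installed, and the parsing helpers read stdin so they can be exercised on captured dig output.

```shell
#!/bin/sh
# Added example (not from the original page): poll the authoritative
# nameserver for the _acme-challenge TXT record instead of sleeping 5 minutes.
# Assumes dig (dnsutils) is installed; domain and token come from certbot.

# Strip the quoting from `dig +short ... TXT` output, one value per line
# (long records come back as "part1" "part2" and are joined).
# Reads stdin so the parsing can be checked on captured output.
txt_values() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Return 0 if any line on stdin equals the expected token.
txt_has_token() {
    expected="$1"
    while IFS= read -r value; do
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Primary nameserver of the zone: the MNAME field of its SOA record
# (ns39.domaincontrol.com. for boisvert.info in step 09).
primary_ns() {
    dig +short "$1" SOA | awk '{print $1}'
}

# Query the primary every 30 s, up to $3 seconds (default 600), until
# _acme-challenge.<domain> carries the token certbot printed in step 08.
wait_for_challenge() {
    domain="$1"; expected="$2"; timeout="${3:-600}"
    ns=$(primary_ns "$domain")
    [ -n "$ns" ] || { echo "no SOA found for $domain" >&2; return 2; }
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if dig +short "@$ns" "_acme-challenge.$domain" TXT \
               | txt_values | txt_has_token "$expected"; then
            echo "record visible on $ns after ${elapsed}s; press Enter in certbot"
            return 0
        fi
        sleep 30
        elapsed=$((elapsed + 30))
    done
    echo "timed out: _acme-challenge.$domain not yet served by $ns" >&2
    return 1
}

# Usage: wait_for_challenge boisvert.info YuR89nq85hwQP-wynyhL1MFpZ6p1p8HOwfmzwYcgnqA
```

Querying the primary directly sidesteps the laptop's resolver cache, which may keep a negative answer for the record's TTL after a failed early lookup.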
 +
 +
 +==== 12. Press <ENTER> ====
 +
 +<code bash>root@vps217173:~# (certbot command continues) </code>
 +  Before continuing, verify the record is deployed.
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +  
 +  Press Enter to Continue
 +  Waiting for verification...
 +  Cleaning up challenges
 +  
 +  IMPORTANT NOTES:
 +   - Congratulations! Your certificate and chain have been saved at:
 +   /etc/letsencrypt/live/boisvert.info/fullchain.pem
 +   Your key file has been saved at:
 +   /etc/letsencrypt/live/boisvert.info/privkey.pem
 +   Your cert will expire on 2019-08-02. To obtain a new or tweaked
 +   version of this certificate in the future, simply run certbot
 +   again. To non-interactively renew *all* of your certificates, run
 +   "certbot renew"
 +   - If you like Certbot, please consider supporting our work by:
 +  
 +   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 +   Donating to EFF:                    https://eff.org/donate-le
 +
 +==== 13. List the Let's Encrypt certificates ====
 +
 +<code bash>root@vps217173:~#  certbot certificates </code>
 +  Saving debug log to /var/log/letsencrypt/letsencrypt.log
 +  
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +  Found the following certs:
 +  Certificate Name: boisvert.info
 +    Domains: boisvert.info
 +    Expiry Date: 2019-08-02 21:57:38+00:00 (VALID: 89 days)
 +    Certificate Path: /etc/letsencrypt/live/boisvert.info/fullchain.pem
 +    Private Key Path: /etc/letsencrypt/live/boisvert.info/privkey.pem
 +  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +  
 +==== 14. Add the certificate configuration to nginx ====
 +
 +Add the following inside the "server {" block of /etc/nginx/sites-available/default (the ssl on; directive is redundant with listen 443 ssl and deprecated in nginx 1.15 and later; it still works on the nginx 1.10.3 shipped with Debian 9):
 +
 +        # Let's Encrypt configuration
 +        listen 443 ssl default_server;
 +        ssl on;
 +        ssl_certificate /etc/letsencrypt/live/boisvert.info/fullchain.pem;
 +        ssl_certificate_key /etc/letsencrypt/live/boisvert.info/privkey.pem;
 +
 +==== 15. Restart nginx (with systemd's systemctl) ====
 +
 +<code bash>root@vps217173:~# systemctl restart nginx.service</code>
 +
 +==== 16. Check that the server listens on TCP/IP port 443 (HTTPS) ====
 +
 +<code bash>sebhtml@prometheus:~$  sudo apt  install nmap </code>
 +
 +<code bash>sebhtml@prometheus:~$  nmap boisvert.info -p 443 </code>
 +  
 +  Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-04 19:17 EDT
 +  Nmap scan report for boisvert.info (144.217.240.68)
 +  Host is up (0.019s latency).
 +  Other addresses for boisvert.info (not scanned): 2607:5300:201:3100::1c3e
 +  rDNS record for 144.217.240.68: 68.ip-144-217-240.net
 +  
 +  PORT    STATE SERVICE
 +  443/tcp open  https
 +  
 +  Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
 +
 +
 +==== 17. Check the SSL certificate with OpenSSL ====
 +
 +<code bash>sebhtml@prometheus:~$  echo | openssl s_client -showcerts \
 +           -servername boisvert.info -connect boisvert.info:443 \
 +             2>/dev/null | openssl x509 -inform pem -noout -text </code>
 +  Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            03:e4:81:b7:de:61:95:f6:a4:cc:d3:46:cd:77:0c:f9:d6:3e
 +    Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 +        Validity
 +            Not Before: May  4 21:57:38 2019 GMT
 +            Not After : Aug  2 21:57:38 2019 GMT
 +        Subject: CN = boisvert.info
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +                Public-Key: (2048 bit)
 +                Exponent: 65537 (0x10001)
 +        X509v3 extensions:
 +            X509v3 Key Usage: critical
 +                Digital Signature, Key Encipherment
 +            X509v3 Extended Key Usage: 
 +                TLS Web Server Authentication, TLS Web Client Authentication
 +            X509v3 Basic Constraints: critical
 +                CA:FALSE
 +            X509v3 Subject Key Identifier: 
 +                2D:40:BA:62:94:5D:15:53:6C:38:99:64:A0:12:4E:C6:99:EB:85:40
 +            X509v3 Authority Key Identifier: 
 +                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 +  
 +            Authority Information Access: 
 +                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
 +                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
 +  
 +            X509v3 Subject Alternative Name: 
 +                DNS:boisvert.info
 +            X509v3 Certificate Policies: 
 +                Policy: 2.23.140.1.2.1
 +                Policy: 1.3.6.1.4.1.44947.1.1.1
 +                  CPS: http://cps.letsencrypt.org
 +  
 +            CT Precertificate SCTs: 
 +                Signed Certificate Timestamp:
 +                    Version   : v1 (0x0)
 +                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
 +                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
 +                    Timestamp : May  4 22:57:38.890 2019 GMT
 +                    Extensions: none
 +                    Signature : ecdsa-with-SHA256
 +                Signed Certificate Timestamp:
 +                    Version   : v1 (0x0)
 +                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
 +                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
 +                    Timestamp : May  4 22:57:38.821 2019 GMT
 +                    Extensions: none
 +                    Signature : ecdsa-with-SHA256
 +    Signature Algorithm: sha256WithRSAEncryption
 +         
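Steps 13 and 17 both read the expiry date by eye. This added example (not part of the original page) turns those checks into functions: days left on the saved fullchain.pem, whether the 30-day window in which certbot renew acts has been reached, and whether the leaf certificate nginx serves on port 443 is the one under /etc/letsencrypt. It assumes openssl is installed on the machine running it.

```shell
#!/bin/sh
# Added example (not from the original page): check the certificate certbot
# saved and compare it with what nginx actually serves. Assumes openssl.

# Days until the first certificate in a PEM file expires, found by binary
# search over `openssl x509 -checkend` (no date parsing needed). Prints 0
# and returns 1 if the certificate has already expired or cannot be read.
cert_days_left() {
    pem="$1"; lo=0; hi=3660
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 1; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -in "$pem" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# 0 if the certificate expires within $2 days (default 30, the point at
# which "certbot renew" acts on a 90-day Let's Encrypt certificate).
cert_needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file (or on stdin).
cert_fingerprint() {
    if [ -n "$1" ]; then
        openssl x509 -noout -fingerprint -sha256 -in "$1"
    else
        openssl x509 -noout -fingerprint -sha256
    fi | cut -d= -f2
}

# 0 if the leaf certificate served on $1:443 is the one in the local file $2.
served_matches_local() {
    served=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null | cert_fingerprint)
    [ -n "$served" ] && [ "$served" = "$(cert_fingerprint "$2")" ]
}

# Usage on the server, after step 15:
#   cert_days_left /etc/letsencrypt/live/boisvert.info/fullchain.pem
#   served_matches_local boisvert.info /etc/letsencrypt/live/boisvert.info/fullchain.pem
```

A mismatch from served_matches_local after a renewal usually means nginx was not reloaded and is still holding the old certificate in memory.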
 +==== 18. Test the TCP/IP connection with HTTPS on port 443 ====
 +
 +<code bash>sebhtml@prometheus:~$ curl -I https://boisvert.info/</code>
 +  HTTP/1.1 200 OK
 +  Server: nginx/1.10.3
 +  Date: Sat, 04 May 2019 23:10:05 GMT
 +  Content-Type: text/html
 +  Content-Length: 5079
 +  Last-Modified: Mon, 08 Apr 2019 00:30:31 GMT
 +  Connection: keep-alive
 +  ETag: "5caa9627-13d7"
 +  Accept-Ranges: bytes
 +
 +==== 19. Done :-) ====