Letsencrypt Cheat Sheet: Difference between revisions

From Coolscript
(Created page with "Test Setup using Certificates from Letsencrypt.org, we use the HitchHiker Home Page for this. <br> '''Alternate installation methods''' *https://certbot.eff.org/docs/install...")
 
No edit summary
 
Line 1: Line 1:
Test Setup using Certificates from Letsencrypt.org, we use the HitchHiker Home Page for this. <br>
Test Setup using Certificates from Letsencrypt.org, we use the domain Home Page for this. <br>




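Review bot: swapping the real host for a placeholder left the sentence reading "we use the domain Home Page", which no longer names anything; write "we use the www.domain.net home page" so the intro matches the placeholder used in the commands further down.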
Line 26: Line 26:


Create the ssl certificate manual:
Create the ssl certificate manual:
  root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.hitchhiker.net
  root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net


The reposne should look like:
The reposne should look like:
  IMPORTANT NOTES:
  IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at
  - Congratulations! Your certificate and chain have been saved at
   '''/etc/letsencrypt/live/www.hitchhiker.net/fullchain.pem.''' Your cert
   '''/etc/letsencrypt/live/www.domain.net/fullchain.pem.''' Your cert
   will expire on 2016-03-09. To obtain a new version of the
   will expire on 2016-03-09. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
   certificate in the future, simply run Let's Encrypt again.
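Review bot: the typos in this hunk carried over unchanged; "Create the ssl certificate manual" should read "manually" and "reposne" should read "response".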
Line 40: Line 40:


List the certificates:
List the certificates:
  root@vm-web02:~/.local/share/letsencrypt/bin# ls /etc/letsencrypt/live/www.hitchhiker.net/ -all
  root@vm-web02:~/.local/share/letsencrypt/bin# ls /etc/letsencrypt/live/www.domain.net/ -all
  total 8
  total 8
  drwxr-xr-x 2 root root 4096 Dec 10 14:18 .
  drwxr-xr-x 2 root root 4096 Dec 10 14:18 .
  drwx------ 3 root root 4096 Dec 10 14:18 ..
  drwx------ 3 root root 4096 Dec 10 14:18 ..
  lrwxrwxrwx 1 root root  42 Dec 10 14:18 cert.pem -> ../../archive/www.hitchhiker.net/cert1.pem
  lrwxrwxrwx 1 root root  42 Dec 10 14:18 cert.pem -> ../../archive/www.domain.net/cert1.pem
  lrwxrwxrwx 1 root root  43 Dec 10 14:18 chain.pem -> ../../archive/www.hitchhiker.net/chain1.pem
  lrwxrwxrwx 1 root root  43 Dec 10 14:18 chain.pem -> ../../archive/www.domain.net/chain1.pem
  lrwxrwxrwx 1 root root  47 Dec 10 14:18 fullchain.pem -> ../../archive/www.hitchhiker.net/fullchain1.pem
  lrwxrwxrwx 1 root root  47 Dec 10 14:18 fullchain.pem -> ../../archive/www.domain.net/fullchain1.pem
  lrwxrwxrwx 1 root root  45 Dec 10 14:18 privkey.pem -> ../../archive/www.hitchhiker.net/privkey1.pem
  lrwxrwxrwx 1 root root  45 Dec 10 14:18 privkey.pem -> ../../archive/www.domain.net/privkey1.pem




Line 85: Line 85:
   
   
  <Virtualhost *:443>
  <Virtualhost *:443>
   ServerAdmin mis@hitchhiker.net
   ServerAdmin mis@domain.net
   ServerName www.hitchhiker.net
   ServerName www.domain.net
   DocumentRoot /usr/local/www/wordpress
   DocumentRoot /usr/local/www/wordpress
   ErrorLog /var/log/apache2/www.hitchhiker.net.error
   ErrorLog /var/log/apache2/www.domain.net.error
   LogLevel info
   LogLevel info
   CustomLog /var/log/apache2/www.hitchhiker.net.access combined
   CustomLog /var/log/apache2/www.domain.net.access combined
   '''SSLCertificateFile /etc/letsencrypt/live/www.hitchhiker.net/fullchain.pem'''
   '''SSLCertificateFile /etc/letsencrypt/live/www.domain.net/fullchain.pem'''
   '''SSLCertificateKeyFile /etc/letsencrypt/live/www.hitchhiker.net/privkey.pem'''
   '''SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.net/privkey.pem'''
   '''Include /etc/letsencrypt/options-ssl-apache.conf'''
   '''Include /etc/letsencrypt/options-ssl-apache.conf'''
  </Virtualhost>
  </Virtualhost>
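Review bot: SSLCertificateFile pointing at fullchain.pem only serves the intermediate certificate on Apache 2.4.8 or newer; since the page says this distribution is too old for the Apache plugin, check the version (apache2 -v) and on older releases add `SSLCertificateChainFile /etc/letsencrypt/live/www.domain.net/chain.pem` inside the vhost, otherwise clients receive an incomplete chain and fail verification.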
Line 98: Line 98:


Renew the certificate (via cron)
Renew the certificate (via cron)
  root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.hitchhiker.net --renew-by-default
  root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net --renew-by-default


Testing the certificate:  
Testing the certificate:  
  magrathea:~# openssl s_client -connect www.hitchhiker.net:443
  magrathea:~# openssl s_client -connect www.domain.net:443
   
   
   
   
  ---
  ---
  Certificate chain
  Certificate chain
  0 s:/CN=www.hitchhiker.net
  0 s:/CN=www.domain.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   
   
   
   
  subject=/CN=www.hitchhiker.net
  subject=/CN=www.domain.net
  issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
  issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
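Review bot: --renew-by-default forces a fresh issuance on every invocation rather than only when the certificate is close to expiry, so as a cron job it should run no more often than the 90-day lifetime shown in the earlier hunk requires (monthly, say), or be gated on the remaining validity of /etc/letsencrypt/live/www.domain.net/cert.pem; for the openssl s_client test, add -servername www.domain.net and read the "Verify return code" line, since the output above only records the subject and issuer and not whether the chain verified.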



Latest revision as of 15:30, 10 December 2021

Test setup using certificates from Letsencrypt.org; we use the www.domain.net home page for this.


Alternate installation methods

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

Installation:

  • Get git
root@vm-web02:/opt# apt-get install git
  • Clone the project:
root@vm-web02:/opt# git clone https://github.com/letsencrypt/letsencrypt
  • Create the virtual environment:
root@vm-web02:/opt/letsencrypt# ./letsencrypt-auto

Note: Usually the Apache plugin would create the certificate for each site automatically, but this distribution is too old to support it, so we install the certificate manually instead.
The plugin command would be ./letsencrypt-auto --apache

Change to the virtual environment:

root@vm-web02:/opt# cd /root/.local/share/letsencrypt/bin/

You need to stop apache before creating the certificate:

root@vm-web02:/# service apache2 stop

Create the SSL certificate manually:

root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net

The response should look like:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/www.domain.net/fullchain.pem. Your cert
  will expire on 2016-03-09. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:

Don't forget:

root@vm-web02:/# service apache2 start

List the certificates:

root@vm-web02:~/.local/share/letsencrypt/bin# ls /etc/letsencrypt/live/www.domain.net/ -all
total 8
drwxr-xr-x 2 root root 4096 Dec 10 14:18 .
drwx------ 3 root root 4096 Dec 10 14:18 ..
lrwxrwxrwx 1 root root   42 Dec 10 14:18 cert.pem -> ../../archive/www.domain.net/cert1.pem
lrwxrwxrwx 1 root root   43 Dec 10 14:18 chain.pem -> ../../archive/www.domain.net/chain1.pem
lrwxrwxrwx 1 root root   47 Dec 10 14:18 fullchain.pem -> ../../archive/www.domain.net/fullchain1.pem
lrwxrwxrwx 1 root root   45 Dec 10 14:18 privkey.pem -> ../../archive/www.domain.net/privkey1.pem


Next, create an options file for Apache, which the Let's Encrypt site configuration includes:

mcedit /etc/letsencrypt/options-ssl-apache.conf
# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

CustomLog /var/log/apache2/access.log vhost_combined
LogLevel warn
ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
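As an added example (not from the cheat sheet), a small Python audit of the options file above, run over a constructed, abbreviated copy of its directives; the weak-cipher list and protocol policy it applies are assumptions:

```python
"""Audit an Apache SSL options file such as /etc/letsencrypt/options-ssl-apache.conf."""

# Constructed sample: an abbreviated copy of the directives from the page's file.
SAMPLE_CONF = """\
# Baseline setting to Include for SSL sites
SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5
SSLHonorCipherOrder     on
SSLCompression          off
#Header edit Set-Cookie (?i)^(.*)(;\\s*secure)??((\\s*;)?(.*)) "$1; Secure$3$4"
"""

# Cipher-list tokens that keep legacy or non-forward-secret suites enabled (assumed policy).
WEAK_CIPHER_TOKENS = {
    "DES-CBC3-SHA": "64-bit block cipher (Sweet32)",
    "CAMELLIA": "legacy cipher family without AEAD modes",
    "AES128-SHA": "static RSA key exchange, no forward secrecy",
}


def parse_directives(text):
    """Map directive name -> value for uncommented lines; later lines override earlier ones."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    proto = set(d.get("SSLProtocol", "").split())
    # "all -SSLv2 -SSLv3" still permits TLSv1 and TLSv1.1.
    if "all" in proto and not {"-TLSv1", "-TLSv1.1"} <= proto:
        findings.append("SSLProtocol still permits TLSv1/TLSv1.1; use 'all -SSLv3 -TLSv1 -TLSv1.1'")
    ciphers = d.get("SSLCipherSuite", "").split(":")
    for token, reason in WEAK_CIPHER_TOKENS.items():
        if token in ciphers:
            findings.append("SSLCipherSuite enables %s: %s" % (token, reason))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder should be on")
    if d.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression should be off (CRIME)")
    if "Header" not in d:
        findings.append("no Header directive: Secure-cookie rewrite is commented out and HSTS is not set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```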


Create site configuration:

<Directory "/usr/local/www/wordpress/">
 Options Indexes MultiViews FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>

<Virtualhost *:443>
 ServerAdmin mis@domain.net
 ServerName www.domain.net
 DocumentRoot /usr/local/www/wordpress
 ErrorLog /var/log/apache2/www.domain.net.error
 LogLevel info
 CustomLog /var/log/apache2/www.domain.net.access combined
 SSLCertificateFile /etc/letsencrypt/live/www.domain.net/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.net/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
</Virtualhost>


Renew the certificate (via cron):

root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net --renew-by-default

Testing the certificate:

magrathea:~# openssl s_client -connect www.domain.net:443


---
Certificate chain
0 s:/CN=www.domain.net
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1


subject=/CN=www.domain.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
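As an added example (not from the cheat sheet), a Python script covering the two steps above: it performs the s_client-style check with SNI and full chain verification, and gates the cron renewal on remaining validity instead of running --renew-by-default unconditionally. The host name is the page's placeholder and the 30-day renewal window is an assumption.

```python
"""Check the certificate www.domain.net actually serves and decide whether to renew."""
import socket
import ssl
from datetime import datetime, timezone

HOST = "www.domain.net"      # the page's placeholder host name
RENEW_WITHIN_DAYS = 30       # assumed policy: renew inside the last 30 days of validity


def parse_not_after(not_after):
    """Parse notAfter as ssl.getpeercert() and 'openssl x509 -enddate' print it,
    e.g. 'Mar  9 00:00:00 2016 GMT', into an aware UTC datetime."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def utc_date(year, month, day):
    """Midnight UTC on the given date; used for reproducible 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_left(not_after, now=None):
    """Whole days of validity remaining; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def should_renew(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """True inside the renewal window or after expiry; False while the cert is fresh."""
    return days_left(not_after, now) < threshold


def fetch_served_cert(host, port=443):
    """Handshake with SNI and default verification, returning the decoded leaf certificate.
    Raises ssl.SSLCertVerificationError when the chain is incomplete or untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cert = fetch_served_cert(HOST)
    print("subject:", cert["subject"])
    print("issuer: ", cert["issuer"])
    print("days left:", days_left(cert["notAfter"]), "renew now:", should_renew(cert["notAfter"]))
```

Run it from cron and invoke the letsencrypt command only when should_renew() is true; a verification failure in fetch_served_cert() is itself the signal that the served chain is broken.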



Keys: ssl tls vm-web02 wordpress