Letsencrypt Cheat Sheet

From Coolscript
Revision as of 15:30, 10 December 2021 by Admin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Test Setup using Certificates from Letsencrypt.org, we use the domain Home Page for this.


Alternate installation methods

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

Installation:

  • Get git
root@vm-web02:/opt# apt-get install git
  • Clone the project:
root@vm-web02:/opt# git clone https://github.com/letsencrypt/letsencrypt
  • Create the virtual environment:
root@vm-web02:/opt/letsencrypt# ./letsencrypt-auto

Note: Usually you would be able to use the Apache Plugin to create the Certificates for each Web automatically but the distribution is too old as it would support this.
Instead we install the Certificate manually.
The command to do this is ./letsencrypt-auto --apache

Change to the virtual environment:

root@vm-web02:/opt# cd /root/.local/share/letsencrypt/bin/

You need to stop apache before creating the certificate:

root@vm-web02:/# service apache2 stop

Create the ssl certificate manual:

root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net

The reposne should look like:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/www.domain.net/fullchain.pem. Your cert
  will expire on 2016-03-09. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:

Don't forget:

root@vm-web02:/# service apache2 start

List the certificates:

root@vm-web02:~/.local/share/letsencrypt/bin# ls /etc/letsencrypt/live/www.domain.net/ -all
total 8
drwxr-xr-x 2 root root 4096 Dec 10 14:18 .
drwx------ 3 root root 4096 Dec 10 14:18 ..
lrwxrwxrwx 1 root root   42 Dec 10 14:18 cert.pem -> ../../archive/www.domain.net/cert1.pem
lrwxrwxrwx 1 root root   43 Dec 10 14:18 chain.pem -> ../../archive/www.domain.net/chain1.pem
lrwxrwxrwx 1 root root   47 Dec 10 14:18 fullchain.pem -> ../../archive/www.domain.net/fullchain1.pem
lrwxrwxrwx 1 root root   45 Dec 10 14:18 privkey.pem -> ../../archive/www.domain.net/privkey1.pem


Next, create an option file for apaches which is used by Letsencrypt:

mcedit /etc/letsencrypt/options-ssl-apache.conf
# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-   GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256- SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

CustomLog /var/log/apache2/access.log vhost_combined
LogLevel warn
ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"


Create site configuration:

<Directory "/usr/local/www/wordpress/">
 Options Indexes MultiViews FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>

<Virtualhost *:443>
 ServerAdmin mis@domain.net
 ServerName www.domain.net
 DocumentRoot /usr/local/www/wordpress
 ErrorLog /var/log/apache2/www.domain.net.error
 LogLevel info
 CustomLog /var/log/apache2/www.domain.net.access combined
 SSLCertificateFile /etc/letsencrypt/live/www.domain.net/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.net/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
</Virtualhost>


Renew the certificate (via cron)

root@vm-web02:~/.local/share/letsencrypt/bin# ./letsencrypt certonly --domain www.domain.net --renew-by-default

Testing the certificate:

magrathea:~# openssl s_client -connect www.domain.net:443


---
Certificate chain
0 s:/CN=www.domain.net
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1


subject=/CN=www.domain.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1



Keys: ssl tls vm-web02 wordpress