[Gandi][Server] Installing Let's Encrypt on Ubuntu 14.04
Replace 'monsupersite.fr' with your own domain name.
1) Connecting to the server:
[~] ➔ ssh admin@217.70.190.39
admin@217.70.190.39's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.12.46-guest-39-a97a54c-x86_64 x86_64)
...
admin@server01:~$
admin@server01:~$ su
Password:
root@server01:/home/admin# cd
root@server01:~#
2) Installing git and bc:
root@server01:~# apt-get -y install git bc
3) Downloading 'Let's Encrypt':
root@server01:~# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Cloning into '/opt/letsencrypt'...
4) Stopping the Nginx server:
root@server01:~# service nginx stop
5) Check that nothing is still listening on port 80:
root@server01:~# netstat -na | grep ':80.*LISTEN'
6) Launching 'Let's Encrypt':
root@server01:~# cd /opt/letsencrypt
root@server01:/opt/letsencrypt#
7) Obtaining a certificate:
root@server01:/opt/letsencrypt# ./letsencrypt-auto certonly --standalone
Enter email address (used for urgent notices and lost key recovery) = monsupersite@gmail.com
Please enter in your domain name(s) (comma and/or space separated) = monsupersite.fr www.monsupersite.fr
Result:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to monsupersite@gmail.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/monsupersite.fr/fullchain.pem. Your cert will
expire on 2016-04-18. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF:
https://eff.org/donate-le
8) Checking the generated files:
root@server01:/opt/letsencrypt# ls -l /etc/letsencrypt/live/monsupersite.fr/
total 0
lrwxrwxrwx 1 root root 33 Jan 19 21:16 cert.pem -> ../../archive/monsupersite.fr/cert1.pem
lrwxrwxrwx 1 root root 34 Jan 19 21:16 chain.pem -> ../../archive/monsupersite.fr/chain1.pem
lrwxrwxrwx 1 root root 38 Jan 19 21:16 fullchain.pem -> ../../archive/monsupersite.fr/fullchain1.pem
lrwxrwxrwx 1 root root 36 Jan 19 21:16 privkey.pem -> ../../archive/monsupersite.fr/privkey1.pem
9) TLS/SSL configuration:
Open:
/etc/nginx/sites-available/default
Search for:
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
Replace with:
#listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
Search for:
server {
Add after it:
listen 443 ssl;
server_name monsupersite.fr www.monsupersite.fr;
ssl_certificate /etc/letsencrypt/live/monsupersite.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/monsupersite.fr/privkey.pem;
Search for:
server_name localhost;
Add after it:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
At the end of the file, add:
server {
listen 80;
server_name monsupersite.fr;
return 301 https://$host$request_uri;
}
Action:
service nginx restart
10) Check: https://monsupersite.fr/
11) Configuring certificate renewal:
root@server01:~# cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
Open:
/usr/local/etc/le-renew-webroot.ini
Search for:
# email = foo@example.com
Replace with:
email = monsupersite@gmail.com
Search for:
# domains = example.com, www.example.com
Replace with:
domains = monsupersite.fr, www.monsupersite.fr
Search for:
# webroot-path = /usr/share/nginx/html
Replace with:
webroot-path = /usr/share/nginx/html
12) Certificate renewal:
root@server01:~# cd /opt/letsencrypt
root@server01:/opt/letsencrypt# ./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce
Please see the logfiles in /var/log/letsencrypt for more details.
root@server01:/opt/letsencrypt#
13) Automatic certificate renewal script:
Open:
le-renew-webroot
Add:
#!/bin/bash
# Renew the Let's Encrypt certificate through the webroot plugin once it is
# within exp_limit days of expiry, then reload the web server.
web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
le_path='/opt/letsencrypt'
exp_limit=30
if [ ! -f "$config_file" ]; then
    echo "[ERROR] config file does not exist: $config_file"
    exit 1
fi
# First domain of the "domains = a, b" line: the live/ directory is named after it.
domain=$(grep "^\s*domains" "$config_file" | sed "s/^\s*domains\s*=\s*//" | sed 's/\s*,.*$//')
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1
fi
# In openssl's text output the "Not After : ..." date starts at column 25.
exp=$(date -d "$(openssl x509 -in "$cert_file" -text -noout | grep "Not After" | cut -c 25-)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 | bc)
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ]; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0
else
    echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
    "$le_path/letsencrypt-auto" certonly -a webroot --agree-tos --renew-by-default --config "$config_file"
    echo "Reloading $web_service"
    /usr/sbin/service "$web_service" reload
    echo "Renewal process finished for domain $domain"
    exit 0
fi
Action:
chmod +x le-renew-webroot
14) How many days until renewal:
root@server01:~# ./le-renew-webroot
Checking expiration date for monsupersite.fr...
The certificate is up to date, no need for renewal (89 days left).
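The renewal decision behind steps 13 and 14, split into functions that can be checked without a live certificate (an added example, not the script from the original post). It assumes GNU date as shipped with Ubuntu and reads the expiry through `openssl x509 -enddate -noout`, whose one-line `notAfter=...` output does not depend on the column offset that `cut -c 25-` relies on; the cli.ini fragment used to exercise it is constructed.

```shell
#!/bin/bash
# Added example, not the script from the original post.
# Assumes GNU date (Ubuntu) and the one-line output of
# "openssl x509 -enddate -noout", e.g. "notAfter=Apr 18 20:16:00 2016 GMT".

# Print every domain of the "domains = a, b" line of a cli.ini read on
# stdin, one per line. Step 13 keeps only the first one; the others are the
# names the same certificate must also cover.
config_domains() {
    grep '^[[:space:]]*domains[[:space:]]*=' | sed 's/^[^=]*=[[:space:]]*//' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Whole days between the "notAfter=..." line in $1 and the epoch seconds
# in $2 (defaults to now). Same integer division as the bc line in step 13.
days_until_expiry() {
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    exp=$(date -d "$not_after" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# Exit 0 when the certificate is within $2 days (default 30) of expiry,
# i.e. when the webroot renewal of step 13 should run.
renewal_due() {
    [ "$1" -le "${2:-30}" ]
}

# Days left for the fullchain.pem at $1; a missing file is an error (exit 2).
cert_days_left() {
    if [ ! -f "$1" ]; then
        echo "[ERROR] certificate file not found: $1" >&2
        return 2
    fi
    days_until_expiry "$(openssl x509 -in "$1" -enddate -noout)"
}

# Stand-alone run: check the live certificate named in the cli.ini of step 11.
if [ "${1:-}" = "--check" ]; then
    domain=$(config_domains < /usr/local/etc/le-renew-webroot.ini | head -n 1)
    days=$(cert_days_left "/etc/letsencrypt/live/$domain/fullchain.pem") || exit 2
    if renewal_due "$days"; then
        echo "renewal due for $domain ($days days left)"
    else
        echo "up to date ($days days left)"
    fi
fi
```

Run as `./script --check` on the server to get the same verdict as step 14; the functions return exit codes so the result can drive the cron job of step 15 instead of only printing.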
15) Cron:
root@server01:~# crontab -e
Add at the end:
30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
35 2 * * 1 /etc/init.d/nginx reload