[Gandi] Installing a Let's Encrypt certificate on a Simple Hosting instance
By Larry Basin
Prerequisites:
– create a Simple Hosting instance of size M:
https://wiki.gandi.net/fr/simple/create-instance
– create your vhost on this instance:
https://wiki.gandi.net/fr/simple/shs-dns_config/instance
– create an Ubuntu 16.04 LTS server:
https://wiki.gandi.net/fr/iaas/references/server/create
– retrieve your API key:
https://wiki.gandi.net/fr/xml-api/activate
1. Configure and update the Ubuntu 16.04 LTS server you created beforehand:
# apt-get update && apt-get upgrade
2. Install the Python development package:
# apt-get install python-dev
3. Change the locales:
# export LC_ALL=C
# dpkg-reconfigure locales
====
Generating locales (this might take a while)...
fr_FR.ISO-8859-1... done
Generation complete.
====
4. Install Python pip:
# apt-get install python-pip
# pip install --upgrade pip
====
Collecting pip
Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
100% |################################| 1.3MB 631kB/s
Installing collected packages: pip
Found existing installation: pip 8.1.1
Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1
====
# exit
5. Generate the SSH keys
$ ssh-keygen -t rsa -b 4096 -C "xxx.yyy@gmail.com"
====
Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa): press [Enter]
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]
Your identification has been saved in /home/larry/.ssh/id_rsa1.
Your public key has been saved in /home/larry/.ssh/id_rsa1.pub.
The key fingerprint is:
SHA256:OL4RumkfhCjrQFzUlG/GgLqw14G64iANLE5t1Ka9goE larry.basin@gmail.com
The key's randomart image is:
+---[RSA 4096]----+
| .+.. |
| ...+ |
| .+ o+ |
|=.=.=. * |
|EOo=.oB S |
|B*= .+.o |
|==....+ |
|B oo + |
|oo .o.o |
+----[SHA256]-----+
====
6. Check that the keys have been generated and are in the right directory:
$ ls -l ~/.ssh/
7. Add the public key to the Simple Hosting instance
Copy and paste the key found in the file "id_rsa.pub". You can display it with this command:
$ cat ~/.ssh/id_rsa.pub
The instructions for adding this SSH key to your instance are here:
https://wiki.gandi.net/fr/simple/ssh_key
8. Test the SFTP connection to the instance
$ sftp 1073382@sftp.dc2.gpaas.net
====
The authenticity of host 'sftp.dc2.gpaas.net (2001:4b98:dc2:950::99)' can't be established.
RSA key fingerprint is SHA256:1Tpwj0UT92ARAGczV2ha6tBE3lQz0uLvBRWCaIPmh6I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sftp.dc2.gpaas.net,2001:4b98:dc2:950::99' (RSA) to the list of known hosts.
Connected to sftp.dc2.gpaas.net.
sftp> exit
====
9. Add the key to 'ssh-agent'
$ eval $(ssh-agent)
Agent pid 16139
$ ssh-add
Identity added: /home/admin/.ssh/id_rsa (/home/admin/.ssh/id_rsa)
10. Install Certbot
$ mkdir CERTBOT
$ cd CERTBOT/
$ wget https://dl.eff.org/certbot-auto
====
--2017-05-19 09:40:53-- https://dl.eff.org/certbot-auto
Résolution de dl.eff.org (dl.eff.org)… 173.239.79.196
Connexion à dl.eff.org (dl.eff.org)|173.239.79.196|:443… connecté.
requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 47361 (46K) [application/octet-stream]
Enregistre : «certbot-auto»
certbot-auto 100%[=============================================>] 46,25K 296KB/s in 0,2s
2017-05-19 09:40:55 (296 KB/s) - «certbot-auto» enregistré [47361/47361]
====
$ chmod a+x certbot-auto
Add the "admin" user to the sudo group:
# adduser admin sudo
Adding user `admin' to group `sudo' ...
Adding user admin to group sudo
Done.
Add the line "Defaults env_keep+=SSH_AUTH_SOCK" to the "/etc/sudoers" file
$ ./certbot-auto
After running this command, I got this kind of message:
====
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
[sudo] password for admin:
Sorry, try again.
[sudo] password for admin:
admin is not in the sudoers file. This incident will be reported.
apt-get update hit problems but continuing anyway...
====
To fix this error:
open /etc/sudoers
and add: admin ALL=(ALL:ALL) ALL
under # User privilege specification
I run it again:
$ ./certbot-auto
This time I got:
====
OSError: Command /home/admin/.local/s...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
====
Solution:
# pip install setuptools
====
Collecting setuptools
Downloading setuptools-35.0.2-py2.py3-none-any.whl (390kB)
100% |################################| 399kB 1.5MB/s
Collecting appdirs>=1.4.0 (from setuptools)
Downloading appdirs-1.4.3-py2.py3-none-any.whl
Collecting packaging>=16.8 (from setuptools)
Downloading packaging-16.8-py2.py3-none-any.whl
Collecting six>=1.6.0 (from setuptools)
Downloading six-1.10.0-py2.py3-none-any.whl
Collecting pyparsing (from packaging>=16.8->setuptools)
Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)
100% |################################| 61kB 4.2MB/s
Installing collected packages: appdirs, pyparsing, six, packaging, setuptools
Successfully installed appdirs-1.4.3 packaging-16.8 pyparsing-2.2.0 setuptools-35.0.2 six-1.10.0
====
$ export LC_ALL="C"
And finally, I run the command again:
$ ./certbot-auto
====
.....
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
====
Don't worry about this message.
Use the "cd" command to go back to your home directory.
11. Download the "Let's Encrypt Gandi" plugin
First, remember to install "git":
# apt-get install git
$ mkdir LETSENCRYPT
$ cd LETSENCRYPT/
$ git clone https://github.com/Gandi/letsencrypt-gandi.git
====
Cloning into 'letsencrypt-gandi'...
remote: Counting objects: 82, done.
remote: Total 82 (delta 0), reused 0 (delta 0), pack-reused 82
Unpacking objects: 100% (82/82), done.
Checking connectivity... done.
====
$ cd letsencrypt-gandi/
Update "Python-pip":
$ ~/.local/share/letsencrypt/bin/pip install --upgrade pip
====
Collecting pip
Using cached pip-9.0.1-py2.py3-none-any.whl
Installing collected packages: pip
Found existing installation: pip 8.0.3
Uninstalling pip-8.0.3:
Successfully uninstalled pip-8.0.3
Successfully installed pip-9.0.1
====
Install the plugin:
$ ~/.local/share/letsencrypt/bin/pip install -e .
====
Obtaining file:///home/admin/CERTBOT/LETSENCRYPT/letsencrypt-gandi
Requirement already satisfied: setuptools in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Requirement already satisfied: mock in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Installing collected packages: letsencrypt-gandi
Running setup.py develop for letsencrypt-gandi
Successfully installed letsencrypt-gandi
====
12. Create and install the certificate on the instance
# .local/share/letsencrypt/bin/certbot run \
--domains git.belette.space \
--authenticator letsencrypt-gandi:gandi-shs \
--letsencrypt-gandi:gandi-shs-name encrypt \
--letsencrypt-gandi:gandi-shs-vhost git.belette.space \
--letsencrypt-gandi:gandi-shs-api-key 7es2Es8OCdRG6UH8I8li0CCC \
--installer letsencrypt-gandi:gandi-shs
====
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
_api_key_from_args
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):larry.basin@gmail.com
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:N
......
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://git.belette.space
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=git.belette.space
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/git.belette.space/fullchain.pem. Your cert
will expire on 2017-08-20. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
====
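Once step 12 has succeeded, the certificate must be renewed before the expiry date shown above (Let's Encrypt certificates are valid for 90 days). The script below is an added example, not from this post or the letsencrypt-gandi project: it re-runs the step 12 command non-interactively, for instance from cron, with the Gandi API key read from a mode-600 file instead of being typed on the command line, where it would be kept in the shell history. The key file path and the use of certbot's --non-interactive, --agree-tos, --email and --keep-until-expiring options with this certbot-auto build are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the letsencrypt-gandi project): re-runs
# step 12 non-interactively, e.g. from cron, with the Gandi API key read from a
# mode-600 file instead of being typed on the command line. The key file path,
# and the use of certbot's --non-interactive/--agree-tos/--email/
# --keep-until-expiring options with this certbot-auto build, are assumptions.
CERTBOT="${CERTBOT:-$HOME/.local/share/letsencrypt/bin/certbot}"
KEY_FILE="${GANDI_KEY_FILE:-$HOME/.gandi-api-key}"   # first line = API key

# Print the API key from FILE, refusing files that other users can read.
read_api_key() {
  f=$1
  [ -f "$f" ] || { echo "no key file: $f" >&2; return 1; }
  perms=$(stat -c '%a' "$f")                 # GNU/busybox stat (Ubuntu)
  [ "$perms" = "600" ] || { echo "$f must be mode 600, is $perms" >&2; return 1; }
  head -n 1 "$f"
}

# Print the certbot arguments, one per line. Plugin options are exactly those
# used in step 12; --keep-until-expiring makes a re-run a no-op unless the
# certificate is within 30 days of expiry, so the script is safe to cron.
gandi_certbot_args() {
  domain=$1; shs_name=$2; email=$3; api_key=$4
  printf '%s\n' run --non-interactive --agree-tos --email "$email" \
    --keep-until-expiring \
    --domains "$domain" \
    --authenticator letsencrypt-gandi:gandi-shs \
    --letsencrypt-gandi:gandi-shs-name "$shs_name" \
    --letsencrypt-gandi:gandi-shs-vhost "$domain" \
    --letsencrypt-gandi:gandi-shs-api-key "$api_key" \
    --installer letsencrypt-gandi:gandi-shs
}

# Usage: run_gandi_certbot DOMAIN SHS_NAME EMAIL
run_gandi_certbot() {
  domain=$1; shs_name=$2; email=$3
  key=$(read_api_key "$KEY_FILE") || return 1
  # Rebuild the positional parameters from the list so each value stays one word.
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(gandi_certbot_args "$domain" "$shs_name" "$email" "$key")
EOF
  "$CERTBOT" "$@"
}

if [ $# -ge 3 ]; then run_gandi_certbot "$@"; fi
```

The key is still handed to certbot as an argument, as the plugin expects (see "_api_key_from_args" in the output above), so it remains visible in the process list for the duration of the run.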