[Gandi][Server] Installing Let's Encrypt with Nginx on Ubuntu 14.04

Replace 'monsupersite.fr' with your own domain name.
1) Connect to the server:

[~] ➔ ssh admin@217.70.190.39
admin@217.70.190.39's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.12.46-guest-39-a97a54c-x86_64 x86_64)
...
admin@server01:~$
admin@server01:~$ su
Password:
root@server01:/home/admin# cd
root@server01:~#

2) Install git and bc:

root@server01:~# apt-get -y install git bc

3) Fetch the Let's Encrypt client:

root@server01:~# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Cloning into '/opt/letsencrypt'...

4) Stop the Nginx server (the standalone plugin used in step 7 must bind port 80 itself):

root@server01:~# service nginx stop

5) Check that nothing is listening on port 80 any more (the command should print nothing):

root@server01:~# netstat -na | grep ':80.*LISTEN'

6) Change into the Let's Encrypt directory:

root@server01:~# cd /opt/letsencrypt
root@server01:/opt/letsencrypt#

7) Obtain a certificate:

root@server01:/opt/letsencrypt# ./letsencrypt-auto certonly --standalone
Enter email address (used for urgent notices and lost key recovery) = monsupersite@gmail.com
Please enter in your domain name(s) (comma and/or space separated) = monsupersite.fr www.monsupersite.fr
Result:
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to monsupersite@gmail.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/monsupersite.fr/fullchain.pem. Your cert will
   expire on 2016-04-18. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:
                 https://eff.org/donate-le

8) Check the files (the entries under live/ are symlinks to the numbered files in archive/; always point nginx at the live/ paths, since a renewal only updates the links):

root@server01:/opt/letsencrypt# ls -l /etc/letsencrypt/live/monsupersite.fr/
total 0
lrwxrwxrwx 1 root root 33 Jan 19 21:16 cert.pem -> ../../archive/monsupersite.fr/cert1.pem
lrwxrwxrwx 1 root root 34 Jan 19 21:16 chain.pem -> ../../archive/monsupersite.fr/chain1.pem
lrwxrwxrwx 1 root root 38 Jan 19 21:16 fullchain.pem -> ../../archive/monsupersite.fr/fullchain1.pem
lrwxrwxrwx 1 root root 36 Jan 19 21:16 privkey.pem -> ../../archive/monsupersite.fr/privkey1.pem
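Before pointing nginx at these files it is worth checking that privkey.pem really belongs to fullchain.pem (nginx refuses to start otherwise) and that the certificate covers every name you are about to put in server_name. The script below is an added example, not part of the original post and not part of the Let's Encrypt client; it assumes GNU date, and its self-signed test fixture (make_fixture, which only exists so the checks can be exercised offline) additionally assumes an OpenSSL that accepts -addext (1.1.1 or later). Run with a live/ directory and the hostnames to verify, it performs the same checks on a real certificate:

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check a Let's Encrypt
# live/ directory before nginx is pointed at it. Assumes GNU date; the
# self-signed fixture in make_fixture also assumes OpenSSL 1.1.1+ (-addext).

# Public key of a certificate, and of a private key, both as PEM on stdout.
pubkey_of_cert() { openssl x509 -noout -pubkey -in "$1" 2>/dev/null; }
pubkey_of_key()  { openssl pkey -pubout -in "$1" 2>/dev/null; }

# 0 if privkey.pem belongs to the (first) certificate in fullchain.pem;
# nginx refuses to start when they disagree. Comparing public keys rather
# than RSA moduli keeps this valid for EC keys too.
key_matches_cert() {
    local a b
    a=$(pubkey_of_cert "$1") || return 1
    b=$(pubkey_of_key "$2")  || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if the subjectAltName list contains exactly $2. Entries are split on
# commas and matched whole, so monsupersite.fr is not satisfied by
# www.monsupersite.fr and vice versa.
cert_covers_name() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# Whole days left until notAfter, printed as an integer.
days_until_expiry() {
    local end
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    end=${end#notAfter=}
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Run every check on a directory laid out like /etc/letsencrypt/live/<domain>/,
# for each hostname given after it. Returns non-zero on any failure.
check_live_dir() {
    local dir=$1; shift
    local cert="$dir/fullchain.pem" key="$dir/privkey.pem" name rc=0
    [ -f "$cert" ] && [ -f "$key" ] || { echo "[FAIL] $cert or $key is missing"; return 1; }
    key_matches_cert "$cert" "$key" || { echo "[FAIL] privkey.pem does not match fullchain.pem"; rc=1; }
    for name in "$@"; do
        cert_covers_name "$cert" "$name" || { echo "[FAIL] certificate does not cover $name"; rc=1; }
    done
    echo "[INFO] $(days_until_expiry "$cert") days until expiry"
    return $rc
}

# Constructed fixture: a self-signed 90-day certificate (Let's Encrypt's
# lifetime) under the same file names, so the checks can be exercised offline.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=monsupersite.fr" \
        -addext "subjectAltName=DNS:monsupersite.fr,DNS:www.monsupersite.fr" \
        >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Usage: ./le-check /etc/letsencrypt/live/monsupersite.fr monsupersite.fr www.monsupersite.fr
if [ $# -gt 0 ]; then
    check_live_dir "$@"
fi
```

The name check deliberately matches whole SAN entries: a certificate issued for www.monsupersite.fr alone would otherwise look as if it covered the bare domain, and the mismatch only surfaces as a browser warning once the site is live.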

9) Configure TLS/SSL:
Open:

/etc/nginx/sites-available/default

Find:

        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

Replace with:

        #listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;

Find:

server {

Add after it:

        listen 443 ssl;
        server_name monsupersite.fr www.monsupersite.fr;
        ssl_certificate /etc/letsencrypt/live/monsupersite.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/monsupersite.fr/privkey.pem;

Find:

        server_name localhost;

Add after it (TLSv1 and TLSv1.1 are listed only for compatibility with old clients; drop them from ssl_protocols if you do not need them):

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

At the end, add a plain-HTTP server that redirects everything to HTTPS (as the only remaining port-80 server it also catches www.monsupersite.fr, and $host carries the requested name through the redirect):

server {
    listen 80;
    server_name monsupersite.fr;
    return 301 https://$host$request_uri;
}

Action (validate the configuration with nginx -t first, so a typo does not leave the site down):

service nginx restart

10) Check: https://monsupersite.fr/
11) Configure certificate renewal:

root@server01:~# cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini

Open:

/usr/local/etc/le-renew-webroot.ini

Find:

# email = foo@example.com

Replace with:

email = monsupersite@gmail.com

Find:

# domains = example.com, www.example.com

Replace with:

domains = monsupersite.fr, www.monsupersite.fr

Find:

# webroot-path = /usr/share/nginx/html

Replace with (this must be the document root of the nginx server that answers for the domain, so that /.well-known/acme-challenge/ is served from it; /usr/share/nginx/html is the Ubuntu 14.04 default):

webroot-path = /usr/share/nginx/html

12) Renew the certificate:

root@server01:~# cd /opt/letsencrypt
root@server01:/opt/letsencrypt# ./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce
Please see the logfiles in /var/log/letsencrypt for more details.
root@server01:/opt/letsencrypt#

The anti-replay nonce error above is a transient ACME protocol error (the server rejected a stale nonce): run the command again. Note that --renew-by-default forces a new issuance even when the current certificate is nowhere near expiry, and every issuance counts against Let's Encrypt's rate limits, which is why the script in the next step only calls it within 30 days of expiry.

13) Automatic certificate renewal script:
Create the file (the cron entry in step 15 expects it at this path):

/usr/local/sbin/le-renew-webroot

with the following contents:

#!/bin/bash
# Renew the Let's Encrypt certificate through the webroot plugin once it is
# within $exp_limit days of expiry, then reload nginx so it picks up the new files.
web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
le_path='/opt/letsencrypt'
exp_limit=30

if [ ! -f "$config_file" ]; then
    echo "[ERROR] config file does not exist: $config_file"
    exit 1
fi

# First domain of the "domains =" line; it names the directory under /etc/letsencrypt/live/.
domain=$(grep "^\s*domains" "$config_file" | sed "s/^\s*domains\s*=\s*//" | sed 's/[[:space:],].*$//')
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1
fi

# Expiry as epoch seconds; -enddate prints "notAfter=<date>", which is more
# robust than cutting fixed columns out of the -text output.
exp=$(date -d "$(openssl x509 -in "$cert_file" -noout -enddate | sed 's/^notAfter=//')" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo "($exp - $datenow) / 86400" | bc)
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ]; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0
fi

echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
# Only reload nginx when the client actually succeeded; a failed run leaves the old files in place.
if ! "$le_path/letsencrypt-auto" certonly -a webroot --agree-tos --renew-by-default --config "$config_file"; then
    echo "[ERROR] renewal failed for $domain; not reloading $web_service."
    exit 1
fi
echo "Reloading $web_service"
/usr/sbin/service "$web_service" reload
echo "Renewal process finished for domain $domain"
exit 0

Action:

chmod +x /usr/local/sbin/le-renew-webroot

14) Days left before renewal:

root@server01:~# /usr/local/sbin/le-renew-webroot
Checking expiration date for monsupersite.fr...
The certificate is up to date, no need for renewal (89 days left).

15) Cron:

root@server01:~# crontab -e

Add at the end (runs every Monday at 02:30; the script already reloads nginx after a successful renewal, so the second line is only a safety net):

30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
35 2 * * 1 /etc/init.d/nginx reload

16) Link:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
