Let's encrypt installation - renouvellement de multiple domaine - HTTPS Nginx Or Apache

4 févr. 2016let's encrypt, https

1. Installation du client Let's encrypt

apt-get update
apt-get -y install git bc
git clone https://github.com/certbot/certbot /opt/certbot

Let's encrypt est désormais installé dans /opt/letsencrypt

2. Création fichier de config

mkdir /usr/local/etc/letsencrypt
vi /usr/local/etc/letsencrypt/example.com.ini

/usr/local/etc/letsencrypt/example.com.ini

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
email = yourcontact@gmail.com
domains = example.com,www.example.com
webroot-path = /var/www/example-webroot

3. Obtention du certificat

cd /opt/certbot
./certbot-auto certonly --config /usr/local/etc/letsencrypt/example.com.ini --webroot
Le nouveau certificat est créé 
ls /etc/letsencrypt/live/example.com

4. Configuration serveur Nginx

vi /etc/nginx/sites-available/example
server {
       server_name www.example.com example.com;
       listen 443 ssl;

       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

       root /var/www/example;
       index index.php index.html index.htm;

       error_page 500 502 503 504 /50x.html;
       location = /50x.html {
                root /usr/share/nginx/html;
       }

       # pass the PHP scripts to FastCGI server listening on the php-fpm socket

       location / {
                try_files $uri $uri/ /index.php?$args;
       }
       location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
       }
}
server {
   listen 80;
   #Redirect all request from 80 port to https 
   server_name example.com, www.example.com;
   return 301 https://$host$request_uri;

}

Sauvegarder et quitter, redémarrer Nginx

service nginx restart

Désormais, on peut tester si l'url example.com est bien en HTTPS.

4.Bis Configuration serveur Apache 

<VirtualHost _default_:443>

ServerAdmin webmaster@localhost
ServerName example.com
DocumentRoot /var/www

<Directory /var/www/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
       SSLOptions +StdEnvVars
</Directory>

</VirtualHost>

<VirtualHost *:80>
        #Redirect all traffic on 80 port to https
        ServerName example.com
        RedirectMatch permanent ^(.*)$ https://example.com$1
</VirtualHost>

Activer SSL sur apache 

a2enmod ssl

5. Mise en place du renouvellement automatique

Les certificats let's encrypt sont valident 90 jours, nous devons donc les renouveller avant cela. Pas question de renouveller à la main.

apt-get install curl
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/spiderneo/3f4b66c4282809e228f2/raw/e62f6f63e52cf3814c790b72c453a575add29b04/le-renew-webroot
chmod +x /usr/local/sbin/le-renew-webroot

Test le script

le-renew-webroot

output
Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).

On ajoute une ligne au crontab

crontab -e

30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log

 

6. Options - Force rechargement  d'un domaine

cd /opt/certbot
./certbot-auto certonly -a webroot --renew-by-default --config /usr/local/etc/letsencrypt/example.com.ini

Redémarrer Nginx

service nginx restart

7. Problème création acme-challenge 403 ou 404 sur apache

Impossible de valider le lien sur apache avec ma config (allez savoir pourquoi). A chaque fois ->W erreur 403 le dossier .well-know était innacessible.

Pour palier à celà, on va rediriger les utilisateur vers un sous dossier sans le .

mkdir -p /srv/www/acme-challenges/
vi /etc/apache2/conf-enabled/acme-challenges.conf

Coller cette conf afind e rediriger les utilsateur qui ouvrent /.well-known/acme-challenge vers /srv/www/acme-challenges

Alias /.well-known/acme-challenge /srv/www/acme-challenges
<Directory "/srv/www/acme-challenges">
    Options -Indexes
    AllowOverride all
    Require all granted
</Directory>

Création du lien symbolique qui permet à Certbot de savoir que well-know/acme-challenge a change de répertoire.

cd /var/www/example.com/.well-known/
ln -s /srv/www/acme-challenges/ acme-challenge

Relancer votre certbot-auto et Voilà