Sidebar
documentation:systemes:services:nginx:let_s_encrypt
Table of Contents
Let's Encrypt dans nginx
Article en cours de rédaction !
Le but ici est de mettre en place un vhost HTTPS sous nginx via l'utilisation d'un certificat TLS valide et signé par une société tierce.
Mise en place
Installation du client
$ sudo apt-get update $ sudo apt-get install -y git $ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt $ cd /opt/letsencrypt $ sudo ./letsencrypt-auto
Création d'un template
Cette opération va nous permettre de préciser à Let's Encrypt le certificat qu'il va devoir générer.
$ cd /var/www $ mkdir letsencrypt $ sudo chgrp www-data letsencrypt $ sudo mkdir -p /etc/letsencrypt/configs/ $ sudo vim /etc/letsencrypt/configs/guarda.mousur.org.conf
Son contenu :
# the domain we want to get the cert for; # technically it's possible to have multiple of this lines, but it only worked # with one domain for me, another one only got one cert, so I would recommend # separate config files per domain. domains = my-domain # increase key size rsa-key-size = 2048 # Or 4096 # the current closed beta (as of 2015-Nov-07) is using this server server = https://acme-v01.api.letsencrypt.org/directory # this address will receive renewal reminders email = my-email # turn off the ncurses UI, we want this to be run as a cronjob text = True # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) # and then letting LE fetch it authenticator = webroot webroot-path = /var/www/letsencrypt/
Mise en place sous nginx
Il faut sur le vhost http par défaut autoriser l'accès au dossier “/.well-known/acme-challenge”.
server {
...
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
...
}
Testons la configuration :
sudo nginx -t
Si tout est ok nous pouvons recharger nginx :
sudo service nginx reload
Demande de certificat
$ cd /opt/letsencrypt $ sudo ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly Updating letsencrypt and virtual environment dependencies...... Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/my-domain/fullchain.pem. Your cert will expire on date. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. ...
Configuration finale de nginx
Il faut maintenant créer un vhost https.
$ sudo vim /etc/nginx/sites-available/000-defauthttps.conf
server {
listen 443 ssl default_server;
server_name my-domain;
ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
...
}
Activation du vhost :
$ sudo ln -snf /etc/nginx/sites-available/000-defauthttps.conf /etc/nginx/sites-enable/000-defauthttps.conf
Testons la configuration :
sudo nginx -t
Si tout est ok nous pouvons recharger nginx :
sudo service nginx reload
Automatisation du renouvellement
Les certificats let's encrypt sont délivrés avec une durée de vie de 90j.
Nous allons ainsi créer une tâche cron permettant de régénérer ces certificats tous les mois.
$ sudo vim /root/renew‑letsencrypt.sh
Son contenu :
#!/bin/sh
cd /opt/letsencrypt/
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
if [ $? -ne 0 ]
then
ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
$ERRORLOG
else
nginx -s reload
fi
exit 0
$ sudo chmod +x /root/renew‑letsencrypt.sh
Ajout de la tâche dans cron :
$ crontab -e 0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /root/renew‑letsencrypt.sh
Annexe
documentation/systemes/services/nginx/let_s_encrypt.txt · Last modified: 2017/07/14 19:45 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
