
Let's Encrypt in nginx

Article in progress!

The goal here is to set up an HTTPS vhost in nginx using a valid TLS certificate signed by a third-party CA.

Setup

Installing the client

$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto

Creating a configuration template

This step lets us tell Let's Encrypt which certificate it has to generate.

$ cd /var/www
$ sudo mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
$ sudo mkdir -p /etc/letsencrypt/configs/
$ sudo vim /etc/letsencrypt/configs/my-domain.conf

Its contents:

# the domain we want to get the cert for; technically it's possible to have
# multiple of these lines, but it only worked with one domain for me (another
# one only got one cert), so I would recommend separate config files per domain.
domains = my-domain

# key size: 2048 is the client default, 4096 is also accepted
rsa-key-size = 2048

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = my-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/

nginx setup

On the default HTTP vhost, access to the “/.well-known/acme-challenge” directory must be allowed.

server {
    ...
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    ...
}

Test the configuration:

sudo nginx -t

If everything is OK we can reload nginx:

sudo service nginx reload
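Before asking Let's Encrypt to validate the domain, it is worth checking that the challenge path really is served over plain HTTP, since that is exactly what the validation server will fetch and a failed attempt counts against the CA's rate limits. The script below is an added example and not part of the original page; it assumes the page's layout (webroot-path = /var/www/letsencrypt and the location block above using root). It also documents the root vs. alias pitfall: with root, nginx appends the whole URI to the directory, which is what the webroot authenticator expects, whereas alias would strip the location prefix and the token would never be found.

```shell
#!/bin/sh
# Added example (not from the original page): check that the ACME challenge
# path is reachable over HTTP before requesting a certificate.
# Assumes webroot-path = /var/www/letsencrypt and an nginx block
#   location /.well-known/acme-challenge { root /var/www/letsencrypt; }
set -u

# With `root`, nginx appends the whole URI to the directory, so a request for
# /.well-known/acme-challenge/TOKEN opens WEBROOT/.well-known/acme-challenge/TOKEN.
# (`alias` would strip the location prefix instead, which the webroot
# authenticator does not expect.)
challenge_file_for_uri() {
    webroot="$1"; uri="$2"
    printf '%s%s\n' "${webroot%/}" "$uri"
}

# Random hex token for the probe file (the real ACME token is chosen by the CA).
make_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# probe_challenge_path DOMAIN WEBROOT [FETCH]
# Writes a probe file where the client would write the real challenge, fetches
# it over plain HTTP the way the validation server does, removes the file and
# returns 0 only if the served body matches. FETCH defaults to curl; any
# command that prints the body of the URL given as its last argument works.
probe_challenge_path() {
    domain="$1"; webroot="$2"; fetch="${3:-curl -fsS --max-time 10}"
    token="$(make_token)"
    uri="/.well-known/acme-challenge/$token"
    file="$(challenge_file_for_uri "$webroot" "$uri")"
    mkdir -p "$(dirname "$file")"
    printf 'preflight-%s\n' "$token" > "$file"
    got="$($fetch "http://$domain$uri" 2>/dev/null || true)"
    rm -f "$file"
    [ "$got" = "preflight-$token" ]
}

# Usage (as root, since the webroot is written):
#   . ./acme-preflight.sh
#   probe_challenge_path my-domain /var/www/letsencrypt && echo "challenge path OK"
```

Run it from the server itself or from another host; what matters is that the request goes through nginx on port 80. If it fails, fix the location block (or a firewall rule blocking port 80) before running letsencrypt-auto, not after.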

Requesting the certificate

$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain/fullchain.pem. Your cert
   will expire on date. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
   ...

Final nginx configuration

We now need to create an HTTPS vhost.

$ sudo vim /etc/nginx/sites-available/000-defauthttps.conf
server {
    listen 443 ssl default_server;
    server_name my-domain;

    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;

    ...
}

Enabling the vhost:

$ sudo ln -snf /etc/nginx/sites-available/000-defauthttps.conf /etc/nginx/sites-enabled/000-defauthttps.conf

Test the configuration:

sudo nginx -t

If everything is OK we can reload nginx:

sudo service nginx reload
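The minimal vhost above gets a valid certificate served, but it leaves nginx's protocol and cipher defaults in place and keeps HTTP open for everything. Below is a hardened pair of vhosts, added here as an example and not configuration from the original page: port 80 keeps answering the ACME challenge (needed by the renewal cron) and redirects the rest, and port 443 restricts protocols and ciphers, enables OCSP stapling from the chain.pem the client writes next to fullchain.pem, and sets HSTS. The resolver address is an assumption (use the one from /etc/resolv.conf), and the `always` parameter of add_header needs nginx 1.7.5 or later.

```nginx
# HTTP vhost: keep answering the ACME challenge over port 80 (the validation
# server and the renewal job both need it) and redirect everything else.
server {
    listen 80 default_server;
    server_name my-domain;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS vhost, hardened
server {
    listen 443 ssl default_server;
    server_name my-domain;

    ssl_certificate     /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;

    # Weak setting to avoid (older nginx defaults): ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Only TLS 1.2 here; add TLSv1.3 once nginx >= 1.13 is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only: no RC4, 3DES, CBC or static RSA key exchange.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    # Session resumption through the server-side cache; tickets off because the
    # ticket key is never rotated without extra configuration.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling. chain.pem is written by the client next to fullchain.pem.
    # The resolver address is an assumption: use the one from /etc/resolv.conf.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/my-domain/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS: browsers remember this for max-age seconds, so enable it only once
    # every host under my-domain that you serve works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # site-specific locations (root, proxy_pass, ...) go here
}
```

After `nginx -t` and a reload, check the result from outside with `openssl s_client -connect my-domain:443 -status` (the `OCSP Response Status` line confirms stapling) or an online TLS scanner. Treat HSTS as a one-way door: once browsers have cached it, a certificate problem on any host under the domain locks users out for the whole max-age.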

Automating renewal

Let's Encrypt certificates are issued with a 90-day lifetime.

We will therefore create a cron job that renews these certificates every two months, i.e. well before the 90-day expiry.

$ sudo vim /root/renew-letsencrypt.sh

Its contents:

#!/bin/sh

cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly

if [ $? -ne 0 ]
 then
        # failure: print the tail of the client log so that cron mails it to root
        # (printf rather than "echo -e", which /bin/sh on Debian prints literally)
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
 else
        # success: make nginx pick up the new certificate
        nginx -s reload
fi

exit 0
$ sudo chmod +x /root/renew-letsencrypt.sh

Adding the job to root's crontab (the script lives in /root and reloads nginx, so it must run as root):

$ sudo crontab -e
0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /root/renew-letsencrypt.sh
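The page's script calls the client unconditionally and reloads nginx without checking its configuration first. A more defensive version, added here as an example and not the page's script, only calls the client when fewer than 30 days of the 90-day lifetime remain (checked locally with openssl x509 -checkend, so it can safely run more often than every two months) and reloads nginx only after nginx -t passes. It uses the page's paths; the /root/renew-letsencrypt.sh install path matched in the guard at the end is an assumption.

```shell
#!/bin/sh
# Added example (not the page's script): renew only when the certificate is
# close to expiry, and reload nginx only after its configuration passes nginx -t.
# Assumed paths: the page's client checkout in /opt/letsencrypt and its config
# in /etc/letsencrypt/configs/my-domain.conf.
set -u

CONF="${CONF:-/etc/letsencrypt/configs/my-domain.conf}"
CERT="${CERT:-/etc/letsencrypt/live/my-domain/fullchain.pem}"
RENEW_DAYS=30      # renew once fewer than this many days remain
LOG=/var/log/letsencrypt/letsencrypt.log

# needs_renewal CERT DAYS: return 0 (renewal due) if CERT expires within DAYS
# days or cannot be read. `openssl x509 -checkend N` exits non-zero when the
# certificate will have expired N seconds from now.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)); then
        return 1
    fi
    return 0
}

# Reload nginx only if the configuration is valid, so a broken vhost or a
# half-written certificate does not take the site down unattended.
reload_nginx() {
    if nginx -t >/dev/null 2>&1; then
        nginx -s reload
    else
        printf 'nginx -t failed, not reloading:\n' >&2
        nginx -t >&2
        return 1
    fi
}

main() {
    if ! needs_renewal "$CERT" "$RENEW_DAYS"; then
        printf '%s: more than %s days left, nothing to do\n' "$CERT" "$RENEW_DAYS"
        return 0
    fi
    if ! (cd /opt/letsencrypt && ./letsencrypt-auto --config "$CONF" certonly); then
        # cron mails anything printed here to root
        printf "The Let's Encrypt cert has not been renewed!\n\n" >&2
        tail -n 20 "$LOG" >&2
        return 1
    fi
    reload_nginx
}

# Run main only when executed as the installed script (assumed path
# /root/renew-letsencrypt.sh); sourcing the file just defines the functions.
case "$0" in
    *renew-letsencrypt*) main ;;
esac
```

Because the expiry check is local and cheap, this version can be scheduled weekly (for example `0 0 * * 0 /root/renew-letsencrypt.sh` in root's crontab) so that a single failed attempt still leaves several retries before the certificate expires.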

Appendix

documentation/systemes/services/nginx/let_s_encrypt.txt · Last modified: 2017/07/14 19:45 (external edit)