The goal here is to set up an HTTPS vhost under nginx using a valid TLS certificate signed by a third-party CA.

```console
$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto
```
This step lets us tell Let's Encrypt which certificate it will have to generate.

```console
$ cd /var/www
$ mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
$ sudo mkdir -p /etc/letsencrypt/configs/
$ sudo vim /etc/letsencrypt/configs/guarda.mousur.org.conf
```

Its contents:

```ini
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = my-domain

# increase key size
rsa-key-size = 2048 # Or 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = my-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/
```
On the default HTTP vhost, access to the "/.well-known/acme-challenge" directory must be allowed.

```nginx
server {
    ...
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    ...
}
```
Let's test the configuration:

```sh
sudo nginx -t
```

If everything is OK we can reload nginx:

```sh
sudo service nginx reload
```
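Before requesting the certificate, it is worth checking that the client config and the nginx challenge location agree: a webroot-path that does not match the nginx root is the usual reason the HTTP challenge fails. The following is an added example, not code from the original post or from the Let's Encrypt client: a POSIX sh function that parses a config of the key = value form shown above and reports the problems a practitioner would want flagged. The NGINX_ROOT argument is an assumption of this example (the root from the location block), and the checks encode the post's own advice (one domain per file, 2048-bit key minimum, webroot authenticator).

```shell
#!/bin/sh
# Added example, not part of the original post or the Let's Encrypt client.
# check_le_config CONFIG [NGINX_ROOT]
#   Parses "key = value" lines (comments and blank lines skipped), prints one
#   finding per line and returns 1 if anything was found, 0 otherwise.
#   NGINX_ROOT (assumed argument) is the "root" of the acme-challenge location.
check_le_config() {
    awk -v nginx_root="${2:-}" '
        BEGIN { bad = 0 }
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") == 0 { print "unparseable line: " $0; bad = 1; next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key]++
            v[key] = val
        }
        END {
            if (!("domains" in v)) { print "missing: domains"; bad = 1 }
            if (seen["domains"] > 1) { print "several domains lines; the post found only one works per file"; bad = 1 }
            if (("rsa-key-size" in v) && v["rsa-key-size"] + 0 < 2048) { print "weak: rsa-key-size " v["rsa-key-size"]; bad = 1 }
            if (!("email" in v)) { print "missing: email (renewal reminders)"; bad = 1 }
            if (v["authenticator"] == "webroot") {
                if (!("webroot-path" in v)) { print "missing: webroot-path"; bad = 1 }
                else {
                    # compare paths without their trailing slashes
                    wr = v["webroot-path"]; sub(/\/+$/, "", wr)
                    nr = nginx_root;        sub(/\/+$/, "", nr)
                    if (wr !~ /^\//) { print "webroot-path is not absolute: " wr; bad = 1 }
                    if (nr != "" && wr != nr) { print "webroot-path " wr " differs from nginx root " nr; bad = 1 }
                }
            }
            exit bad
        }' "$1"
}

# When run as a script: check_le_config.sh CONFIG [NGINX_ROOT]
if [ $# -gt 0 ]; then
    check_le_config "$@"
fi
```

With the post's config and `/var/www/letsencrypt` as the second argument the function prints nothing and returns 0; a config whose webroot-path points elsewhere, or which lowers rsa-key-size below 2048, is reported before any request reaches the CA.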
```console
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain/fullchain.pem. Your cert will expire
   on date. To obtain a new version of the certificate in the future,
   simply run Let's Encrypt again.
...
```
We now need to create an HTTPS vhost.

```console
$ sudo vim /etc/nginx/sites-available/000-defauthttps.conf
```

```nginx
server {
    listen 443 ssl default_server;
    server_name my-domain;
    ssl_certificate     /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    ...
}
```
Enable the vhost (the target directory is `sites-enabled`):

```console
$ sudo ln -snf /etc/nginx/sites-available/000-defauthttps.conf /etc/nginx/sites-enabled/000-defauthttps.conf
```
Let's test the configuration:

```sh
sudo nginx -t
```

If everything is OK we can reload nginx:

```sh
sudo service nginx reload
```
Let's Encrypt certificates are issued with a 90-day lifetime.

So we will create a cron job to regenerate these certificates every month.

```console
$ sudo vim /root/renew-letsencrypt.sh
```

Its contents:
```sh
#!/bin/sh
cd /opt/letsencrypt/
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
if [ $? -ne 0 ]
then
    # on failure, report the tail of the client log
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    # printf rather than "echo -e": /bin/sh (dash) prints the "-e" literally
    printf "The Let's Encrypt cert has not been renewed! \n \n%s\n" "$ERRORLOG"
else
    nginx -s reload
fi
exit 0
```

```console
$ sudo chmod +x /root/renew-letsencrypt.sh
```
Adding the job to cron:

```console
$ crontab -e
0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /root/renew-letsencrypt.sh
```
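The renewal script above reruns the client unconditionally and reloads nginx without testing the configuration first, so a broken vhost edit would be picked up by the cron reload. As an added example (not the post's script nor the client's own code), here is a hardened variant in POSIX sh: it only renews when the certificate is within 30 days of expiry, checked with `openssl x509 -checkend`, and runs `nginx -t` before reloading. It assumes the same paths the post uses (config under /etc/letsencrypt/configs/, live certificate under /etc/letsencrypt/live/my-domain/); the `run` argument guard is a convention of this example so the functions can be sourced or tested without side effects.

```shell
#!/bin/sh
# Added example, not the original post's script. Paths below are assumptions
# matching the post; override them through the environment if needed.
CONFIG=${CONFIG:-/etc/letsencrypt/configs/my-domain.conf}
CERT=${CERT:-/etc/letsencrypt/live/my-domain/fullchain.pem}
LOG=${LOG:-/var/log/letsencrypt/letsencrypt.log}
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-30}

# needs_renewal CERT DAYS
#   Returns 0 when CERT expires within DAYS days (or cannot be read, so a
#   missing cert is requested rather than silently skipped), 1 otherwise.
needs_renewal() {
    [ -r "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # still valid for longer than DAYS
    fi
    return 0
}

# reload_if_valid: never reload nginx on a configuration that fails nginx -t.
reload_if_valid() {
    if nginx -t >/dev/null 2>&1; then
        nginx -s reload
    else
        printf 'nginx configuration test failed; not reloading\n' >&2
        return 1
    fi
}

main() {
    if ! needs_renewal "$CERT" "$RENEW_WITHIN_DAYS"; then
        printf 'certificate valid for more than %s days, nothing to do\n' "$RENEW_WITHIN_DAYS"
        return 0
    fi
    cd /opt/letsencrypt/ || return 1
    if ! ./letsencrypt-auto --config "$CONFIG" certonly; then
        printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$(tail "$LOG")" >&2
        return 1
    fi
    reload_if_valid
}

# Only act when invoked as "renew-letsencrypt-checked.sh run" (example convention).
if [ "${1:-}" = run ]; then
    main
fi
```

Because the script itself decides whether a renewal is due, the cron entry can simply run it monthly (an assumed filename, matching the post's layout): `0 0 1 * * /root/renew-letsencrypt-checked.sh run`. A non-zero exit status, together with the log tail on stderr, is what cron will mail, so failures are visible rather than swallowed by the unconditional `exit 0` of the original script.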