Difference between revisions of "Letsencrypt"
(5 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
== Install the things == | == Install the things == | ||
− | First install the nifty dehydrated utility | + | First install the nifty dehydrated utility<ref>If you don't have Ubuntu 20.04, use <pre>git clone <nowiki>https://github.com/lukas2511/dehydrated.git</nowiki> /opt/dehydrated |
− | ln -s /opt/ | + | ln -s /opt/dehydrated/dehydrated /usr/local/bin/</pre></ref>: |
apt install dehydrated | apt install dehydrated | ||
− | |||
== Set up the site's handshake == | == Set up the site's handshake == | ||
− | + | You can use the dehydrated script to use the ACME HTTP challenge method. It talks to the Letsencrypt CA and temporarily drops tokens in <tt>/var/lib/dehydrated/acme-challenges</tt> for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a known URL alias without redirecting it to HTTPS. In Apache, you need something like: | |
<VirtualHost *:80> | <VirtualHost *:80> | ||
Line 38: | Line 37: | ||
Then run the following command. Once you've proven it works, bung it in <tt>/etc/cron.d/letsencrypt-renew</tt> to run every so often (Letsencrypt certificates expire in 3 months). | Then run the following command. Once you've proven it works, bung it in <tt>/etc/cron.d/letsencrypt-renew</tt> to run every so often (Letsencrypt certificates expire in 3 months). | ||
− | /usr | + | /usr/bin/dehydrated -c --domain '''www.myniftysite.com''' --challenge http-01 |
== Set up your HTTPS site == | == Set up your HTTPS site == | ||
− | Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you | + | Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you. |
<VirtualHost *:443> | <VirtualHost *:443> | ||
+ | ServerName '''www.myniftysite.com''' | ||
SSLEngine On | SSLEngine On | ||
− | SSLCertificateFile / | + | SSLCertificateFile /var/lib/dehydrated/certs/'''www.myniftysite.com'''/fullchain.pem |
− | SSLCertificateKeyFile / | + | SSLCertificateKeyFile /var/lib/dehydrated/certs/'''www.myniftysite.com'''/privkey.pem |
− | Header always set Strict-Transport-Security "max-age= | + | Header always set Strict-Transport-Security "max-age=63072000" |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
... | ... | ||
Line 68: | Line 55: | ||
server { | server { | ||
listen *:443 ssl; | listen *:443 ssl; | ||
− | server_name | + | server_name '''www.myniftysite.com;''' |
− | |||
ssl on; | ssl on; | ||
− | ssl_certificate / | + | ssl_certificate /var/lib/dehydrated/certs/'''www.myniftysite.com'''/fullchain.pem; |
− | ssl_certificate_key / | + | ssl_certificate_key /var/lib/dehydrated/certs/'''www.myniftysite.com'''/privkey.pem; |
− | ssl_trusted_certificate / | + | ssl_trusted_certificate /var/lib/dehydrated/certs/'''www.myniftysite.com'''/chain.pem; |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
add_header Strict-Transport-Security max-age=63072000; | add_header Strict-Transport-Security max-age=63072000; | ||
− | |||
− | |||
− | |||
− | |||
... | ... | ||
+ | |||
+ | In addition, you probably want to lock down the SSL nicely. Best to refer to the [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla SSL config generator] for the most up-to-date configuration, and put this in a separate common config file that you can include where needed. | ||
== Run a script from cron == | == Run a script from cron == | ||
− | + | Edit the config file: | |
− | # | + | ''# Contents of /etc/dehydrated/config'' |
− | CERTDIR='/ | + | CERTDIR='/var/lib/dehydrated/certs' |
CHALLENGETYPE='http-01' | CHALLENGETYPE='http-01' | ||
− | Then a script | + | Then make a script to run from a cron job: |
− | + | ''#!/bin/bash'' | |
− | #!/bin/bash | + | ''# Script: /usr/local/bin/letsencrypt-renew'' |
− | # Renew SSL certificates with LetsEncrypt using dehydrated. | + | ''# Renew site SSL certificates with LetsEncrypt using dehydrated.'' |
− | # See: https://github.com/lukas2511/dehydrated | + | ''# See: https://github.com/lukas2511/dehydrated'' |
+ | for domain in \ | ||
+ | my-domain-1.com \ | ||
+ | my-other-domain.com \ | ||
+ | foo-bar-baz.com \ | ||
+ | ; do | ||
+ | dehydrated -c --domain $domain | ||
+ | sleep 2 | ||
+ | done | ||
− | + | And a cron job like this: | |
− | + | ''# Contents of /etc/cron.d/letsencrypt-renew'' | |
− | + | ''# Attempt SSL certificate renewals with dehydrated weekly'' | |
− | + | 22 22 * * 2 root /usr/local/bin/letsencrypt-renew > /var/log/letsencrypt-renew.log 2> /var/log/letsencrypt-renew.err | |
− | |||
− | |||
− | |||
− | |||
− | |||
== Notes == | == Notes == | ||
<references/> | <references/> |
Latest revision as of 11:14, 1 September 2021
It's easy in Ubuntu 20.04 using dehydrated.
Install the things
First install the nifty dehydrated utility[1]:
apt install dehydrated
Set up the site's handshake
You can use the dehydrated script to use the ACME HTTP challenge method. It talks to the Letsencrypt CA and temporarily drops tokens in /var/lib/dehydrated/acme-challenges for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a known URL alias without redirecting it to HTTPS. In Apache, you need something like:
<VirtualHost *:80> ServerName www.myniftysite.com Alias "/.well-known/acme-challenge/" "/var/lib/dehydrated/acme-challenges/" RewriteEngine On RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0 </VirtualHost>
Or the same thing in nginx:
server { listen 80; server_name www.myniftysite.com; location /.well-known/acme-challenge/ { alias /var/lib/dehydrated/acme-challenges/; } location / { return 301 https://$host$request_uri; } }
Fetch your certificates
Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every so often (Letsencrypt certificates expire in 3 months).
/usr/bin/dehydrated -c --domain www.myniftysite.com --challenge http-01
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
<VirtualHost *:443> ServerName www.myniftysite.com SSLEngine On SSLCertificateFile /var/lib/dehydrated/certs/www.myniftysite.com/fullchain.pem SSLCertificateKeyFile /var/lib/dehydrated/certs/www.myniftysite.com/privkey.pem Header always set Strict-Transport-Security "max-age=63072000" ...
More or less the same thing in nginx:
server { listen *:443 ssl; server_name www.myniftysite.com; ssl on; ssl_certificate /var/lib/dehydrated/certs/www.myniftysite.com/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/www.myniftysite.com/privkey.pem; ssl_trusted_certificate /var/lib/dehydrated/certs/www.myniftysite.com/chain.pem; add_header Strict-Transport-Security max-age=63072000; ...
In addition, you probably want to lock down the SSL nicely. Best to refer to the Mozilla SSL config generator for the most up-to-date configuration, and put this in a separate common config file that you can include where needed.
Run a script from cron
Edit the config file:
# Contents of /etc/dehydrated/config CERTDIR='/var/lib/dehydrated/certs' CHALLENGETYPE='http-01'
Then make a script to run from a cron job:
#!/bin/bash # Script: /usr/local/bin/letsencrypt-renew # Renew site SSL certificates with LetsEncrypt using dehydrated. # See: https://github.com/lukas2511/dehydrated for domain in \ my-domain-1.com \ my-other-domain.com \ foo-bar-baz.com \ ; do dehydrated -c --domain $domain sleep 2 done
And a cron job like this:
# Contents of /etc/cron.d/letsencrypt-renew # Attempt SSL certificate renewals with dehydrated weekly 22 22 * * 2 root /usr/local/bin/letsencrypt-renew > /var/log/letsencrypt-renew.log 2> /var/log/letsencrypt-renew.err
Notes
- ↑ If you don't have Ubuntu 20.04, use
git clone https://github.com/lukas2511/dehydrated.git /opt/dehydrated ln -s /opt/dehydrated/dehydrated /usr/local/bin/