Difference between revisions of "Letsencrypt"
From Jon's Wiki
Line 49: | Line 49: | ||
Header always set Strict-Transport-Security "max-age=15768000" | Header always set Strict-Transport-Security "max-age=15768000" | ||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | ||
− | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1 | + | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: |
+ | ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305: | ||
+ | ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1 | ||
SSLHonorCipherOrder on | SSLHonorCipherOrder on | ||
SSLCompression off | SSLCompression off |
Revision as of 08:05, 11 September 2016
It's easy!
Install the things
First install the nifty checker and make some directories:
git clone https://github.com/lukas2511/letsencrypt.sh.git /opt/letsencrypt mkdir -p /etc/ssl/letsencrypt mkdir -p /var/www/letsencrypt
Set up the site's handshake
This script talks to the letsencrypt CA and temporarily drops tokens in /var/www/letsencrypt for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a preset URL alias. In Apache, you need something like:
<VirtualHost *:80> ServerName www.myniftysite.com Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/" RewriteEngine On RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0 </VirtualHost>
Or the same thing in nginx:
server { listen 80; server_name www.myniftysite.com; location /.well-known/acme-challenge/ { alias /var/www/letsencrypt/; } location / { return 302 https://$host$request_uri; } }
Fetch your certificates
Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every two months.
/opt/letsencrypt/letsencrypt.sh -c --domain www.myniftysite.com --challenge http-01 --out /etc/ssl/letsencrypt
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
<VirtualHost *:443> SSLEngine On SSLCertificateFile /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem SSLCertificateKeyFile /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem Header always set Strict-Transport-Security "max-age=15768000" SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1 SSLHonorCipherOrder on SSLCompression off # Ticket option and OCSP Stapling supported in Apache 2.4 SSLSessionTickets off SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) ...
More or less the same thing in nginx:
server { listen *:443 ssl; server_name cloud.jon.geek.nz; ssl on; ssl_certificate /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem; ssl_certificate_key /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem; ssl_trusted_certificate /etc/ssl/letsencrypt/www.myniftysite.com/chain.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128; ssl_session_cache shared:SSL:50m; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=63072000; # For this, run this command: # openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048 ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem; ...