Difference between revisions of "Letsencrypt"
Revision as of 21:39, 14 December 2020
It's easy in Ubuntu 20.04 using dehydrated.
Install the things
First install the nifty dehydrated utility[1]:
apt install dehydrated
Set up the site's handshake
dehydrated talks to the Letsencrypt CA and, for each run, drops the challenge tokens in /var/lib/dehydrated/acme-challenges, which your site must serve under /.well-known/acme-challenge/ over plain HTTP; it deletes them again once validation is done. That path has to keep working over HTTP even when everything else on the site redirects to HTTPS: before the first certificate exists there is no HTTPS side to redirect to, so the redirect rule must exclude it. In Apache, you need something like:
<VirtualHost *:80>
    ServerName www.myniftysite.com
    Alias "/.well-known/acme-challenge/" "/var/lib/dehydrated/acme-challenges/"
    # Ubuntu's apache2.conf denies access outside the DocumentRoot by default,
    # so the aliased directory has to be opened up explicitly
    <Directory "/var/lib/dehydrated/acme-challenges">
        Require all granted
    </Directory>
    # Everything except the challenge path goes to HTTPS (mod_alias, no mod_rewrite needed)
    RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0
</VirtualHost>
Or the same thing in nginx:
server {
    listen 80;
    server_name www.myniftysite.com;
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
Fetch your certificates
Then run the following command. The first run needs an account with the CA, so register once with dehydrated --register --accept-terms before this will work. The apt package installs the binary as /usr/bin/dehydrated; /usr/local/bin/dehydrated is the symlink made by the git install in the note, so use whichever path you actually have. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew (a cron.d entry needs the schedule and the user, root, in front of the command) to run daily: Letsencrypt certificates expire after 90 days, and -c only renews one that is within RENEW_DAYS of expiry (30 by default), so a daily run costs nothing and leaves plenty of retries if the CA or your site is briefly unavailable. Renewal only writes new files; the web server has to be reloaded afterwards or it keeps serving the old certificate from memory (see "Run a script from cron" below).
dehydrated -c --domain www.myniftysite.com --challenge http-01
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you (best to refer to the Mozilla SSL config generator for the most up-to-date configuration).
# SSLStaplingCache is only valid at server level, outside any <VirtualHost>
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /var/lib/dehydrated/certs/www.myniftysite.com/fullchain.pem
    SSLCertificateKeyFile /var/lib/dehydrated/certs/www.myniftysite.com/privkey.pem
    # needs mod_headers
    Header always set Strict-Transport-Security "max-age=15768000"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # cipher list is cut short on this page; take the complete one from the Mozilla generator
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1
    SSLHonorCipherOrder on
    SSLCompression off
    # Ticket option and OCSP Stapling supported in Apache 2.4
    SSLSessionTickets off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    ...
More or less the same thing in nginx:
server {
    listen *:443 ssl;
    server_name www.myniftysite.com;
    # "ssl on;" is deprecated since nginx 1.15; "listen ... ssl" above covers it
    ssl_certificate /var/lib/dehydrated/certs/www.myniftysite.com/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/www.myniftysite.com/privkey.pem;
    ssl_trusted_certificate /var/lib/dehydrated/certs/www.myniftysite.com/chain.pem;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are disabled in the Apache config above; do the same here
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=63072000;
    # For this, run this command:
    # openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048
    ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
    ...
Run a script from cron
Set up a config file:
# Stick this in /etc/dehydrated/config
CERTDIR='/var/lib/dehydrated/certs'
CHALLENGETYPE='http-01'
Then a script somewhere in /usr/local/bin to run from a cron job. (dehydrated's own way of doing this is to list the names in /etc/dehydrated/domains.txt and run dehydrated -c once; either way, the web server still has to be reloaded after a renewal, which neither dehydrated nor this script does on its own.)
#!/bin/bash
# Renew SSL certificates with LetsEncrypt using dehydrated.
# See: https://github.com/lukas2511/dehydrated
DEHYDRATED='/usr/local/bin/dehydrated'   # /usr/bin/dehydrated if installed with apt
status=0
for domain in \
    my-domain-1.com \
    my-other-domain.com \
    foo-bar-baz.com \
; do
    # keep going if one domain fails, but let cron see that something failed
    "$DEHYDRATED" -c --domain "$domain" || status=1
    sleep 2
done
exit "$status"
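The two loose ends above, the handshake check from "Set up the site's handshake" and the reload that the cron job needs, as one added example script. It is written for this page, not part of dehydrated or the wiki's own scripts. It probes the plain-HTTP challenge path before the first run, reports whether a certificate is within RENEW_DAYS of expiry, and acts as dehydrated's hook script so the web server is reloaded exactly once after any certificate changes. Assumed, not from the page: GNU date and curl (Ubuntu), systemctl for the reload, /usr/bin/dehydrated as the apt path, and the names to renew listed in /etc/dehydrated/domains.txt.

```shell
#!/bin/sh
# renew-certs: added example for this page (not dehydrated's code, not the wiki's).
#   renew-certs check <host>      probe the plain-HTTP challenge path before the first run
#   renew-certs renew             run dehydrated from cron, with this file as its hook script
#   renew-certs <hook> [args...]  what dehydrated calls back into via --hook
# Assumed, not from the page: GNU date and curl (Ubuntu), systemctl for reloads,
# /usr/bin/dehydrated (apt path) and the names to renew in /etc/dehydrated/domains.txt.
set -u

DEHYDRATED="${DEHYDRATED:-/usr/bin/dehydrated}"
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/lib/dehydrated/acme-challenges}"
RELOAD_FLAG="${RELOAD_FLAG:-/run/dehydrated-reload-needed}"

# Whole days from epoch second NOW to an OpenSSL notAfter string such as
# "Mar 14 21:39:00 2021 GMT"; negative once the certificate has expired.
days_until() {
    expiry=$(date -u -d "$2" +%s) || return 2
    echo $(( (expiry - $1) / 86400 ))
}

# Succeeds when CERT is within RENEW_DAYS (dehydrated's default is 30) of expiry,
# i.e. when the next "dehydrated -c" run is expected to actually renew it.
renewal_due() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 2
    [ "$(days_until "$(date +%s)" "$not_after")" -le "${2:-30}" ]
}

# Drop a throwaway token where dehydrated drops its own and fetch it over plain
# HTTP with redirects disabled. Anything other than a 200 carrying the same body
# (a 301 to HTTPS, a 403 from the alias directory, a 404) means http-01 will fail.
probe_challenge() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    out=$(mktemp) || return 2
    echo "probe-$token" > "$CHALLENGE_DIR/$token" || return 2
    code=$(curl -s --max-time 10 -o "$out" -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$token")
    rm -f "$CHALLENGE_DIR/$token"
    [ "$code" = "200" ] && [ "$(cat "$out")" = "probe-$token" ]
    rc=$?
    rm -f "$out"
    return "$rc"
}

reload_webserver() { systemctl reload apache2; }   # nginx: systemctl reload nginx

# dehydrated's hook protocol: "<hook> deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP"
# after each renewal, "<hook> exit_hook" at the end of the run, and several others
# (deploy_challenge, clean_challenge, unchanged_cert, ...) that must exit 0 when ignored.
hook() {
    case "$1" in
        deploy_cert) echo "$2" >> "$RELOAD_FLAG" ;;       # defer: one reload covers every domain
        exit_hook)
            if [ -s "$RELOAD_FLAG" ]; then
                reload_webserver && rm -f "$RELOAD_FLAG"  # keep the flag if the reload failed
            fi ;;
        *) : ;;
    esac
}

run_renewal() {
    self=$(readlink -f "$0")
    "$DEHYDRATED" --cron --hook "$self"
}

case "${1:-}" in
    "")    echo "usage: $0 check <host> | renew | <dehydrated hook arguments>" >&2 ;;
    check) probe_challenge "${2:?host required}" ;;
    renew) run_renewal ;;
    *)     hook "$@" ;;
esac
```

Install it as /usr/local/bin/renew-certs and chmod +x it (dehydrated refuses a hook that is not executable), run renew-certs check www.myniftysite.com once the port-80 config is in place, and then the cron.d entry is a single line such as 17 3 * * * root /usr/local/bin/renew-certs renew. The reload is deferred to exit_hook rather than done in deploy_cert so that a run renewing several names restarts the web server once, and the flag file survives a failed reload so the next run tries again instead of silently serving the old certificate.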
Notes
- ↑ If you don't have Ubuntu 20.04, use
git clone https://github.com/lukas2511/dehydrated.git /opt/dehydrated
ln -s /opt/dehydrated/dehydrated /usr/local/bin/