Difference between revisions of "Letsencrypt"

From Jon's Wiki
m
Line 1: Line 1:
 +
It's easy!
 +
 +
== Install the things ==
 +
 
First install the nifty checker and make some directories:
 
First install the nifty checker and make some directories:
  
Line 4: Line 8:
 
  mkdir -p /etc/ssl/letsencrypt
 
  mkdir -p /etc/ssl/letsencrypt
 
  mkdir -p /var/www/letsencrypt
 
  mkdir -p /var/www/letsencrypt
 +
 +
== Set up the site's handshake ==
  
 
This script talks to the letsencrypt CA and temporarily drops tokens in <tt>/var/www/letsencrypt</tt> for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a preset URL alias. In Apache, you need something like:
 
This script talks to the letsencrypt CA and temporarily drops tokens in <tt>/var/www/letsencrypt</tt> for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a preset URL alias. In Apache, you need something like:
Line 26: Line 32:
 
   }
 
   }
 
  }
 
  }
 +
 +
== Fetch your certificates ==
  
 
Then run the following command. Once you've proven it works, bung it in <tt>/etc/cron.d/letsencrypt-renew</tt> to run every two months.
 
Then run the following command. Once you've proven it works, bung it in <tt>/etc/cron.d/letsencrypt-renew</tt> to run every two months.
  
 
  /opt/letsencrypt/letsencrypt.sh -c --domain '''www.myniftysite.com''' --challenge http-01 --out /etc/ssl/letsencrypt
 
  /opt/letsencrypt/letsencrypt.sh -c --domain '''www.myniftysite.com''' --challenge http-01 --out /etc/ssl/letsencrypt
 +
 +
== Set up your HTTPS site ==
  
 
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
 
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.

Revision as of 13:21, 8 September 2016

It's easy!

Install the things

First install the nifty checker and make some directories:

git clone https://github.com/lukas2511/letsencrypt.sh.git /opt/letsencrypt
mkdir -p /etc/ssl/letsencrypt
mkdir -p /var/www/letsencrypt

Set up the site's handshake

This script talks to the letsencrypt CA and temporarily drops tokens in /var/www/letsencrypt for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a preset URL alias. In Apache, you need something like:

<VirtualHost *:80>
  ServerName www.myniftysite.com
  Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/"
  RewriteEngine On
  RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0
</VirtualHost>

Or the same thing in nginx:

server {
  listen 80;
  server_name www.myniftysite.com;
  location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/;
  }
  location / {
    return 302 https://$host$request_uri; 
  }
}

Fetch your certificates

Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every two months.

/opt/letsencrypt/letsencrypt.sh -c --domain www.myniftysite.com --challenge http-01 --out /etc/ssl/letsencrypt

Set up your HTTPS site

Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.

<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem
  Header always set Strict-Transport-Security "max-age=15768000"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1
  SSLHonorCipherOrder on
  SSLCompression off

  # Ticket option and OCSP Stapling supported in Apache 2.4
  SSLSessionTickets off
  SSLUseStapling on
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors off
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
  ... 

More or less the same thing in nginx:

server {
  listen        *:443 ssl;
  server_name   cloud.jon.geek.nz;

  ssl  on;
  ssl_certificate     /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem;
  ssl_certificate_key /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem;
  ssl_trusted_certificate /etc/ssl/letsencrypt/www.myniftysite.com/chain.pem;
  ssl_session_timeout  5m;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128;
  ssl_session_cache shared:SSL:50m;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;
  add_header Strict-Transport-Security max-age=63072000;

  # For this, run this command:
  #    openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048
  ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
  ...