Difference between revisions of "Letsencrypt"
From Jon's Wiki
Revision as of 13:21, 8 September 2016
It's easy!
Install the things
First install the nifty checker and make some directories:
git clone https://github.com/lukas2511/letsencrypt.sh.git /opt/letsencrypt
mkdir -p /etc/ssl/letsencrypt
mkdir -p /var/www/letsencrypt
Set up the site's handshake
This script talks to the letsencrypt CA and temporarily drops tokens in /var/www/letsencrypt for your site to host for the handshake, deleting them afterwards. So make sure the HTTP side of your site can facilitate the handshake by using a preset URL alias. In Apache, you need something like:
<VirtualHost *:80>
  ServerName www.myniftysite.com
  Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/"
  RewriteEngine On
  RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://www.myniftysite.com$0
</VirtualHost>
Or the same thing in nginx:
server {
  listen 80;
  server_name www.myniftysite.com;
  location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/;
  }
  location / {
    return 302 https://$host$request_uri; 
  }
}
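A quick way to prove the alias works before the CA ever asks for a token is to stage a throwaway token in the webroot and fetch it over plain HTTP yourself. The script below is an added example, not part of this wiki page or of letsencrypt.sh; the function name, the "http01-preflight" user agent and the no-redirect behaviour are my own choices. It deliberately refuses to follow redirects, so a RedirectMatch or return 302 that accidentally catches /.well-known/acme-challenge/ shows up as a failure instead of being papered over.

```python
"""Pre-flight check for the http-01 handshake: write a random token into the
challenge webroot, fetch it via the /.well-known/acme-challenge/ alias over
plain HTTP, and confirm the server returns exactly those bytes. The token is
removed again whether or not the fetch succeeds."""
import os
import secrets
import urllib.error
import urllib.request

# Directory the Alias / alias line in the vhost maps to (from the page).
DEFAULT_WEBROOT = "/var/www/letsencrypt"
# Well-known prefix the ACME CA fetches http-01 tokens from.
ACME_PREFIX = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Treat any 3xx as an error so a misfiring HTTP->HTTPS redirect is caught."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_http01_path(base_url, webroot=DEFAULT_WEBROOT, timeout=5.0):
    """Return (ok, detail) for one site.

    base_url is the plain-HTTP origin, e.g. "http://www.myniftysite.com".
    """
    token = secrets.token_urlsafe(32)
    expected = token.encode("ascii")  # constructed body; a real keyauth is longer
    path = os.path.join(webroot, token)
    url = base_url.rstrip("/") + ACME_PREFIX + token
    try:
        with open(path, "wb") as fh:
            fh.write(expected)
    except OSError as exc:
        return False, f"cannot write token into {webroot}: {exc}"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read()
    except urllib.error.HTTPError as exc:
        return False, f"{url} -> HTTP {exc.code} (alias missing or redirect fired?)"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} unreachable: {exc}"
    finally:
        try:
            os.remove(path)  # never leave stale tokens behind
        except OSError:
            pass
    if status != 200:
        return False, f"{url} -> HTTP {status}"
    if body != expected:
        return False, f"{url} served {len(body)} bytes that do not match the token"
    return True, f"{url} served the token correctly"


if __name__ == "__main__":
    import sys

    ok, detail = check_http01_path(sys.argv[1], *sys.argv[2:3])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_http01.py http://www.myniftysite.com` on the host that owns the webroot; a 302 in the detail line means the catch-all redirect is swallowing the challenge path, a 404 means the alias points somewhere other than where the script wrote the token.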
Fetch your certificates
Then run the following command. Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every two months.
/opt/letsencrypt/letsencrypt.sh -c --domain www.myniftysite.com --challenge http-01 --out /etc/ssl/letsencrypt
Set up your HTTPS site
Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you.
# Ticket option and OCSP Stapling supported in Apache 2.4.
# SSLStaplingCache is only valid at server-config level, so it sits outside the VirtualHost.
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem
  Header always set Strict-Transport-Security "max-age=15768000"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1
  SSLHonorCipherOrder on
  SSLCompression off
  SSLSessionTickets off
  SSLUseStapling on
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors off
  ...
More or less the same thing in nginx:
server {
  listen        *:443 ssl;
  server_name   cloud.jon.geek.nz;
  ssl  on;
  ssl_certificate     /etc/ssl/letsencrypt/www.myniftysite.com/fullchain.pem;
  ssl_certificate_key /etc/ssl/letsencrypt/www.myniftysite.com/privkey.pem;
  ssl_trusted_certificate /etc/ssl/letsencrypt/www.myniftysite.com/chain.pem;
  ssl_session_timeout  5m;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+aRSA+AES256:EDH+aRSA+AES256:EECDH+aRSA+AES128:EDH+aRSA+AES128;
  ssl_session_cache shared:SSL:50m;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;
  add_header Strict-Transport-Security max-age=63072000;
  # For this, run this command:
  #    openssl dhparam -out /etc/ssl/letsencrypt/dhparam.pem 2048
  ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
  ...