Free signed https certificate with Let's Encrypt
By PlaceOweb on Monday, September 30 2019, 20:10 - System - Permalink
Ten years ago it was impossible to get a free signed SSL certificate to enable HTTPS on your website, but the technology has moved in the right direction.
Yes, there are finally free certificates (without any commercial transaction warranty) that are sufficient for switching your blogs to https, thanks to Let's Encrypt - Free SSL/TLS Certificates
Good resources for enabling https and automatically renewing SSL certificates on your apache or nginx web server:
- Automatically renew your Let's Encrypt cert (one shot)
- Let's Encrypt: the ultimate guide to generating SSL certificates for free
- Create and install a Let's Encrypt SSL certificate for Apache
- Easily and freely secure a site with HTTPS – Korben
Installation
Install certbot and read the certbot setup instructions, for example for Apache on Debian 10 (buster).
The certbot-auto script runs sudo automatically when it is needed and you have not specified it yourself.
root@ks:~# whereis certbot
certbot: /usr/bin/certbot
Once installed, the command to use is: certbot-auto
root@ks:~# certbot-auto
Upgrading certbot-auto 0.36.0 to 0.38.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: placeoweb.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.
Check the expiry date of the certificates
root@ks:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: placeoweb.com
Serial Number: 471c63479cc6718500f63d69dddd794ddb4
Key Type: ECDSA
Domains: placeoweb.com canet.placeoweb.com catllar.placeoweb.com dotclear.placeoweb.com forum.placeoweb.com maroc.placeoweb.com vtt.placeoweb.com wiki.placeoweb.com www.placeoweb.com
Expiry Date: 2024-02-21 22:41:50+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/placeoweb.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/placeoweb.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Periodic and automatic certificate renewal
Depending on the site you follow, you will need to add one of the following commands to your cron jobs:
certbot-auto renew --quiet --no-self-upgrade
certbot-auto renew --rsa-key-size 4096 --force-renewal
letsencrypt-auto renew --quiet
letsencrypt-auto renew
root@ks:~# certbot-auto --help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path or --cert-name)
delete Delete a certificate
manage your account:
register Create an ACME account
unregister Deactivate an ACME account
update_account Update an ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
-h all print a detailed help page including all topics
--version print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Test automatic renewal
root@ks:~# certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/toto.placeoweb.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for toto.placeoweb.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/toto.placeoweb.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/toto.placeoweb.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for toto.placeoweb.com
http-01 challenge for placeoweb.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/toto.placeoweb.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/toto.placeoweb.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
Automate free certificate renewal via cron jobs
Since the certificate is only valid for 90 days, it has to be renewed, either manually or automatically.
Renew your Let's Encrypt certificate automatically
# SSL HTTPS certificates
40 04 28 * * /root/ssl/certbot-auto renew -n; /etc/init.d/apache reload
40 04 28 * * certbot renew -n; /etc/init.d/apache reload
Then check:
root@ks:~# certbot-auto certificates
Expiry Date: 2019-12-29 17:47:03+00:00 (VALID: 89 days)
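As an added example, not part of the original post, here is a small monitoring script to run from the same cron next to the renewal job: it parses `certbot certificates` output like the listings shown above, recomputes the remaining validity from the expiry timestamp rather than trusting the "(VALID: n days)" annotation, and exits non-zero when a certificate has fewer days left than certbot's 30-day renewal window, which is the sign that the automatic renewal has silently stopped working. The sample output, the capture time and the toto.placeoweb.com entry are constructed for the example.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample of `certbot certificates` output, in the format shown in
# this post; the toto.placeoweb.com lineage and its expiry date are made up.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: placeoweb.com
    Domains: placeoweb.com www.placeoweb.com
    Expiry Date: 2024-02-21 22:41:50+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/placeoweb.com/fullchain.pem
  Certificate Name: toto.placeoweb.com
    Domains: toto.placeoweb.com
    Expiry Date: 2023-12-05 08:00:00+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/toto.placeoweb.com/fullchain.pem
"""
# Constructed moment at which the sample above was captured (88 days before expiry).
SAMPLE_NOW = datetime(2023, 11, 25, 22, 41, 50, tzinfo=timezone.utc)

def parse_certificates(text):
    """Split `certbot certificates` output into one dict per lineage."""
    certs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.lower().replace(" ", "_")] = value.strip()
    return certs

def days_left(expiry_field, now):
    """Remaining days computed from the timestamp, not from '(VALID: n days)'."""
    stamp = expiry_field.split(" (")[0]
    expiry = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S%z")
    return (expiry - now).days

def expiring_soon(text, now, threshold_days=30):
    """Lineages with fewer than threshold_days left; 30 is certbot's default
    renewal window, so anything listed here should already have been renewed."""
    return [(c["name"], days_left(c["expiry_date"], now))
            for c in parse_certificates(text)
            if days_left(c["expiry_date"], now) < threshold_days]

if __name__ == "__main__":
    # Cron usage: run the real command and exit non-zero when renewal has lagged.
    output = subprocess.run(["certbot", "certificates"], capture_output=True,
                            text=True, check=True).stdout
    late = expiring_soon(output, datetime.now(timezone.utc))
    if late: print("WARNING: renewal is lagging for:", late)
    raise SystemExit(1 if late else 0)
```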
Renew only one Let's Encrypt certificate while adding subdomains to it
root@ks:~# certbot certonly --cert-name placeoweb.com -d placeoweb.com,canet.placeoweb.com,catllar.placeoweb.com,dotclear.placeoweb.com,forum.placeoweb.com,maroc.placeoweb.com,vtt.placeoweb.com,wiki.placeoweb.com,www.placeoweb.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Requesting a certificate for placeoweb.com and 12 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/placeoweb.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/placeoweb.com/privkey.pem
This certificate expires on 2024-02-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -