documentation/infra/letsencrypt.md

124 lines
2.8 KiB
Markdown
Raw Normal View History

2021-10-22 15:38:41 +02:00
# Let's encrypt
# Installation
Installer les paquets :
```
apt-get install dehydrated dehydrated-apache2
```
Recharger Apache :
```
systemctl reload apache2.service
```
2022-01-27 04:37:34 +01:00
S'enregistrer :
2021-10-22 15:38:41 +02:00
```
/usr/bin/dehydrated --register --accept-terms
```
# Générer un certificat
2022-01-27 04:37:34 +01:00
Ouvrir les ports http (80) et https (443) :
```
ufw allow '80'
ufw allow '443'
```
Configurer a minima le site web dans `/etc/apache2/sites-available/foo.libre-service.org.conf` :
```
<VirtualHost *:80>
ServerName foo.libre-service.eu
ServerAdmin admin@libre-service.eu
CustomLog ${APACHE_LOG_DIR}/foo.libre-service.eu/infos.libre-service.eu-access.log combined
ErrorLog ${APACHE_LOG_DIR}/foo.libre-service.eu/infos.libre-service.eu-error.log
LogLevel warn
Redirect 302 / https://foo.libre-service.eu/
</VirtualHost>
```
Activer la configuration :
```
a2ensite foo.libre-service.eu.conf
```
Vérifier que c'est bon et recharger :
```
apachectl configtest && systemctl reload apache2
```
Vérifier le logrotate des logs :
```
/var/log/apache2/*.log
/var/log/apache2/*/*log
{
monthly
missingok
rotate 6
```
2021-10-22 15:38:41 +02:00
Ajouter foo.libre-service.eu dans `/etc/dehydrated/domains.txt`.
Lancer la génération :
```
/usr/bin/dehydrated -c
```
2022-01-19 15:16:19 +01:00
Le certificat est généré dans `/var/lib/dehydrated/certs/foo.libre-service.eu/`.
2022-01-27 04:37:34 +01:00
Compléter la partie SSL `/etc/apache2/sites-enabled/foo.libre-service.org.conf` :
```
<VirtualHost *:443>
ServerName pad.libre-service.eu
ServerAdmin admin@libre-service.eu
CustomLog ${APACHE_LOG_DIR}/pad.libre-service.eu/pad.libre-service.eu-access.log combined
ErrorLog ${APACHE_LOG_DIR}/pad.libre-service.eu/pad.libre-service.eu-error.log
LogLevel warn
SSLEngine On
SSLCertificateFile /var/lib/dehydrated/certs/pad.libre-service.eu/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/pad.libre-service.eu/privkey.pem
#Include hsts.conf
#Include statoolinfos.conf
DocumentRoot /var/www/pad.libre-service.eu
#php_admin_value open_basedir "/var/www/pad.libre-service.eu/"
<Directory "/var/www//pad.libre-service.eu/">
Options FollowSymLinks
AllowOverride None
Require all granted
DirectoryIndex index.xhtml
</Directory>
</VirtualHost>
```
Activer le module SSL :
```
apachectl configtest && systemctl reload apache2
```
Vérifier que c'est bon et recharger :
```
apachectl configtest && systemctl reload apache2
```
2022-01-19 15:16:19 +01:00
# Renouvellement automatique
Ajouter un script cron dans `/etc/cron.weekly/dehydrated` :
```
#!/bin/bash
/usr/bin/dehydrated -c
systemctl reload apache2.service
```
Et lui donner les bonnes permissions :
```
chmod a+rx /etc/cron.weekly/dehydrated
```