letsencrypt: free SSL for everyone!

Having tested the beta, I am now a fan of this service.

Here is how to use it on FreeBSD:

* Fetch the sources

git clone https://github.com/letsencrypt/letsencrypt.git

* Install the dependencies (the first run builds a Python virtualenv under /root/.local/share/letsencrypt; --debug is required on FreeBSD, which letsencrypt-auto treated as an experimental platform and refused to set up without it)

 ./letsencrypt-auto --help --debug

* Create a common.ini file (renew-by-default forces a fresh certificate on every run, which the cron job at the end relies on; https://acme-v01.api.letsencrypt.org is Let's Encrypt's original production endpoint, since retired in favour of acme-v02)

mkdir /usr/local/www/letsencrypt
mkdir /usr/local/etc/letsencrypt
vi /usr/local/etc/letsencrypt/common.ini

authenticator = webroot
webroot-path = /usr/local/www/letsencrypt
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-tos
email = xxxx@domain.com
rsa-key-size = 4096

* Edit the Apache config of the http/80 vhost (mod_alias and mod_headers must be loaded; on Apache 2.4 the aliased directory also needs "Require all granted" if it lies outside a directory that already grants access; Let's Encrypt's validator does not require a particular Content-Type on the challenge response, so the Header line is optional)

    ##################
    # LETS ENCRYPT
    ##################
    Alias "/.well-known/acme-challenge" "/usr/local/www/letsencrypt/.well-known/acme-challenge"
    <Directory "/usr/local/www/letsencrypt/.well-known/acme-challenge">
        Header set Content-Type "application/jose+json"
    </Directory>

* If you have a RewriteRule redirecting http => https, add an exclusion condition so the challenge path stays reachable over plain http (test %{SERVER_PORT}, not %{REMOTE_PORT}: REMOTE_PORT is the client's ephemeral source port, not the port the request arrived on):

        RewriteEngine On
        RewriteCond %{SERVER_PORT}  !^443$
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule ^/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

* Generate the certificate

root@j-transmission:~/letsencrypt # ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d blog.distran.org
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d blog.distran.org

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to letsencrypt@distran.org.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.distran.org/fullchain.pem. Your cert
   will expire on 2016-03-11. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

* Edit the Apache config so it points at the certificate (the live directory is under /etc/letsencrypt, the client's default, not /usr/local/etc; fullchain.pem in SSLCertificateFile needs Apache 2.4.8 or later, older versions take cert.pem here and chain.pem in SSLCertificateChainFile; privkey.pem and the account key live in the same tree, so back it up and keep it root-only)

SSLCertificateFile "/etc/letsencrypt/live/blog.distran.org/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/blog.distran.org/privkey.pem"

* In the crontab, run it on the 31st of every month. Only seven months have a 31st, so this amounts to roughly one run every two months, at most 61 days apart, which stays under the 90-day certificate lifetime but with little margin if a run fails:

10 3 31 * *   ( /root/letsencrypt/letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d seed2.distran.org && /usr/local/etc/rc.d/apache24 restart ) > /tmp/cron_letsencrypt.log 2>&1
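A renewal wrapper for the cron job above, as an added example that is not from the original post nor from the letsencrypt client. It reads the leaf certificate out of fullchain.pem, walks just enough DER to find notAfter (no third-party modules), and only re-runs certonly and reloads Apache when fewer than 30 days remain, so it can run daily and retry on its own after a failed attempt. It assumes the live path from the output above, the letsencrypt-auto location from the cron line, and /usr/local/sbin/apachectl graceful as the reload command; the sample certificate it builds for offline testing is constructed (correct Certificate layout, dummy fields, no key or signature).

```python
#!/usr/bin/env python3
"""Renew a Let's Encrypt certificate only when it is close to expiry.

Added example. Paths and the reload command below are assumptions for
this example, not taken from the post or the letsencrypt client.
"""
import datetime
import pathlib
import ssl
import subprocess

RENEW_WITHIN_DAYS = 30
# Assumed locations (live path as printed by the client in the post).
FULLCHAIN = pathlib.Path("/etc/letsencrypt/live/blog.distran.org/fullchain.pem")
RENEW_CMD = ["/root/letsencrypt/letsencrypt-auto", "certonly",
             "-c", "/usr/local/etc/letsencrypt/common.ini",
             "-d", "blog.distran.org"]
RELOAD_CMD = ["/usr/local/sbin/apachectl", "graceful"]   # assumed reload command


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def first_pem_block(text):
    """fullchain.pem holds the leaf followed by intermediates; keep the leaf."""
    end = "-----END CERTIFICATE-----"
    return text.split(end, 1)[0] + end + "\n"


def cert_not_after(pem):
    """Return notAfter of a PEM certificate as a naive UTC datetime."""
    der_bytes = ssl.PEM_cert_to_DER_cert(pem)
    _, certificate, _ = der_read(der_bytes, 0)       # Certificate ::= SEQUENCE
    tbs = der_children(certificate)[0][1]            # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                          # serial, sigAlg, issuer, validity
    tag, not_after = der_children(validity)[1]       # notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(not_after.decode("ascii"), fmt)


def needs_renewal(pem, now=None, within=RENEW_WITHIN_DAYS):
    """True when fewer than `within` days remain (or the cert already expired)."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return (cert_not_after(pem) - now).days < within


def der(tag, content):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def build_sample_cert(not_before, not_after):
    """Constructed stand-in certificate: real X.509 layout, dummy issuer,
    subject and key, no signature. Enough to exercise the parser offline."""
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                 # [0] version v3
                    + der(0x02, b"\x01")                          # serialNumber
                    + sig_alg                                     # signature algorithm
                    + der(0x30, b"")                              # issuer (empty Name)
                    + der(0x30, utc(not_before) + utc(not_after)) # validity
                    + der(0x30, b"")                              # subject
                    + der(0x30, sig_alg + der(0x03, b"\x00")))    # subjectPublicKeyInfo placeholder
    return ssl.DER_cert_to_PEM_cert(der(0x30, tbs + sig_alg + der(0x03, b"\x00")))


if __name__ == "__main__":
    leaf = first_pem_block(FULLCHAIN.read_text())
    print("certificate expires", cert_not_after(leaf))
    if needs_renewal(leaf):
        subprocess.run(RENEW_CMD, check=True)
        subprocess.run(RELOAD_CMD, check=True)
```

Schedule it daily rather than on the 31st: with a 30-day window a failed run is retried every day while there is still time to notice, and Apache is only reloaded when a new certificate was actually issued. certbot, the client's later name, ships this check built in as "certbot renew".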
