Having tested the beta, I am now a fan of this service.
Here is how to use it on FreeBSD:
* Fetch the sources
    git clone https://github.com/letsencrypt/letsencrypt.git
* Install the dependencies
    cd letsencrypt
    ./letsencrypt-auto --help --debug
* Create a common.ini file
    mkdir /usr/local/www/letsencrypt
    mkdir /usr/local/etc/letsencrypt
    vi /usr/local/etc/letsencrypt/common.ini

    # /usr/local/etc/letsencrypt/common.ini
    authenticator = webroot
    webroot-path = /usr/local/www/letsencrypt
    server = https://acme-v01.api.letsencrypt.org/directory
    renew-by-default
    agree-tos
    email = xxxx@domain.com
    rsa-key-size = 4096
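* Edit the Apache configuration of your http/80 vhost
    ##################
    # LETS ENCRYPT
    ##################
    Alias "/.well-known/acme-challenge" "/usr/local/www/letsencrypt/.well-known/acme-challenge"
    # Scope access and the Content-Type header to the challenge directory only
    <Directory "/usr/local/www/letsencrypt/.well-known/acme-challenge">
        Require all granted
        Header set Content-Type "application/jose+json"
    </Directory>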
* If you have a RewriteRule that redirects http => https, you need to add an exclusion condition:
    RewriteEngine On
    # SERVER_PORT is the port the request arrived on (REMOTE_PORT is the client's source port)
    RewriteCond %{SERVER_PORT} !^443$
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
* Generate the certificate
    root@j-transmission:~/letsencrypt # ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d blog.distran.org
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d blog.distran.org

    IMPORTANT NOTES:
     - If you lose your account credentials, you can recover through
       e-mails sent to letsencrypt@distran.org.
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/blog.distran.org/fullchain.pem. Your cert
       will expire on 2016-03-11. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
     - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
     - If like Let's Encrypt, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
* Edit the Apache configuration so that it points to the certificate
    SSLCertificateFile "/etc/letsencrypt/live/blog.distran.org/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/blog.distran.org/privkey.pem"
* In the crontab, to run on the 31st of each month; so once every 2 months, given that it expires after 3 months:
    10 3 31 * * ( /root/letsencrypt/letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly -c /usr/local/etc/letsencrypt/common.ini -d seed2.distran.org && /usr/local/etc/rc.d/apache24 restart ) > /tmp/cron_letsencrypt.log 2>&1
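
The day-31 schedule can be checked against the 90-day certificate lifetime. The following Python is an added example, not part of the original post: it lists the dates on which such a cron entry fires and the longest stretch without a renewal, with and without one failed run. The function names and the day-1 schedule used for comparison are assumptions of this example.

```python
import calendar
from datetime import date, timedelta

# Certificate validity: "expires after 3 months" on the page, 90 days in practice.
CERT_LIFETIME = timedelta(days=90)


def cron_run_dates(day_of_month, start_year, years=2):
    """Dates on which a '<min> <hour> <day_of_month> * *' crontab entry fires."""
    runs = []
    for year in range(start_year, start_year + years):
        for month in range(1, 13):
            # cron silently skips months that do not contain this day
            if day_of_month <= calendar.monthrange(year, month)[1]:
                runs.append(date(year, month, day_of_month))
    return runs


def worst_gap(runs, missed=0):
    """Longest interval between two successful renewals when
    `missed` consecutive runs in between fail."""
    step = missed + 1
    return max(runs[i + step] - runs[i] for i in range(len(runs) - step))


def schedule_report(day_of_month, start_year=2016):
    """Worst-case renewal gap, and days spent with an expired certificate,
    for zero and for one failed run."""
    runs = cron_run_dates(day_of_month, start_year)
    report = {}
    for missed in (0, 1):
        gap = worst_gap(runs, missed)
        report[missed] = {
            "worst_gap_days": gap.days,
            "expired_days": max(0, (gap - CERT_LIFETIME).days),
        }
    return report


if __name__ == "__main__":
    # 31 is the schedule from the page; 1 is a hypothetical monthly alternative.
    for dom in (31, 1):
        print("day", dom, schedule_report(dom))
```

With day 31 the job fires in only seven months of the year and the longest normal gap is 61 days, but a single failed run can leave the certificate expired for up to 32 days; a monthly run keeps the worst case at 62 days even after one failure.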