Installing Let's Encrypt
OS version | Debian 8.5
Letsencrypt version | 0.12
Prerequisite | Git
/!\ Reminder
The SSL certificate, the private key and the certificate chain are generated in the directory /etc/letsencrypt/live/
Its contents:
cert.pem: the SSL certificate
chain.pem: the certificate chain
fullchain.pem: the SSL certificate and the certificate chain, concatenated
privkey.pem: the private key
/!\ The private key must never be disclosed to a third party.
/!\ Open ports 80 and 443 to generate the certificate.
The ports must not be in use by anything else; remember to stop Nginx, for example.
1. Installing the git package
$ cd ~
$ sudo apt-get install git
Then fetch the client:
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/!\ To update the client from git later, a pull is enough:
$ cd /opt/letsencrypt
$ sudo git pull
2. Producing the certificate. Enter an email address so you receive an alert when the certificate is about to expire.
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone -d example.com
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
——————————————————————————-
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
——————————————————————————-
(A)gree/(C)ancel:
——————————————————————————-
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
——————————————————————————-
(Y)es/(N)o:
——————————————————————————-
Congratulations! You have successfully enabled https://srv-test.domaine.tld
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=srv-monitor.domaine.local
——————————————————————————-
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/srv-monitor.domaine.local/fullchain.pem. Your cert
will expire on 2017-07-02. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again with
the “certonly” option. To non-interactively renew *all* of your
certificates, run “certbot-auto renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
/!\ With several domains you can generate a single certificate covering all of them; just add them one after another with -d.
Example: ./letsencrypt-auto certonly --standalone -d monserveurmail.domaine.tld -d monserveurproxmox.domaine.tld
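Once the certificate is issued, the four files listed in the reminder above land in /etc/letsencrypt/live/<domain>/. The script below is an added sanity check, not part of the original article or of the Let's Encrypt client: it verifies that all four files exist, that fullchain.pem really is cert.pem followed by chain.pem, and that privkey.pem is not readable by group or others. The sample directory it builds for testing uses constructed placeholder PEM text, not real keys, and the default path /etc/letsencrypt/live/example.com is only an assumption.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")
PEM_CERT_HEADER = "-----BEGIN CERTIFICATE-----"

def check_live_dir(live_dir):
    """Return a list of problems found in one /etc/letsencrypt/live/<domain>/ directory.

    Checks that the four expected files exist, that fullchain.pem is cert.pem
    followed by chain.pem, and that privkey.pem is not readable by group/others.
    """
    live = Path(live_dir)
    problems = [f"missing {name}" for name in LIVE_FILES if not (live / name).is_file()]
    if problems:
        return problems
    cert = (live / "cert.pem").read_text().strip()
    chain = (live / "chain.pem").read_text().strip()
    fullchain = (live / "fullchain.pem").read_text().strip()
    if not cert.startswith(PEM_CERT_HEADER):
        problems.append("cert.pem does not start with a PEM CERTIFICATE block")
    if fullchain != cert + "\n" + chain:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    key_mode = stat.S_IMODE((live / "privkey.pem").stat().st_mode)
    if key_mode & 0o077:  # any group/other permission bit set
        problems.append(f"privkey.pem is readable by group or others (mode {key_mode:04o})")
    return problems

def make_sample_live_dir(break_fullchain=False, loose_key=False):
    """Build a constructed live/ directory in a temp dir (placeholder PEM text, not real keys)."""
    live = Path(tempfile.mkdtemp(prefix="le-live-"))
    cert = f"{PEM_CERT_HEADER}\nCONSTRUCTED-LEAF-CERT\n-----END CERTIFICATE-----\n"
    chain = f"{PEM_CERT_HEADER}\nCONSTRUCTED-INTERMEDIATE\n-----END CERTIFICATE-----\n"
    (live / "cert.pem").write_text(cert)
    (live / "chain.pem").write_text(chain)
    (live / "fullchain.pem").write_text(chain + cert if break_fullchain else cert + chain)
    key = live / "privkey.pem"
    key.write_text("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644 if loose_key else 0o600)  # 0600 is what we expect on a real key
    return live

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/example.com"
    for problem in check_live_dir(target) or ["no problems found"]:
        print(problem)
```

Run it as root (or with read access to the live directory) with the domain's directory as the argument, since the live directory itself is normally not world-readable.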
3. Deployment
See the article: Creating a vhost for Proxmox
See the article: Setting up a Let's Encrypt certificate for Zimbra
See: Creating a vhost for Openfire