Raspberry Pi Apache2 Lets Encrypt SSL: Difference between revisions
No edit summary |
(→Proxy) |
||
(15 intermediate revisions by the same user not shown) | |||
Line 15: | Line 15: | ||
==Install== | ==Install== | ||
<source lang="bash"> | <source lang="bash"> | ||
apt | apt install python-certbot-apache | ||
: ' | : ' | ||
apt install python-certbot-apache | apt install python-certbot-apache | ||
Line 41: | Line 41: | ||
==Setup== | ==Setup== | ||
<source lang="bash"> | <source lang="bash"> | ||
certbot --apache -m | certbot --apache -m admin@chorke.org -d dev.chorke.org -d www.dev.chorke.org | ||
: ' | : ' | ||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | Saving debug log to /var/log/letsencrypt/letsencrypt.log | ||
Line 76: | Line 76: | ||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
1: proxy.conf | Multiple Names | | Enabled | 1: proxy.conf | Multiple Names | | Enabled | ||
2: 000-default.conf | | 2: 000-default.conf | www.dev.chorke.org | | Enabled | ||
3: default-ssl.conf | | HTTPS | Enabled | 3: default-ssl.conf | | HTTPS | Enabled | ||
4: proxy-le-ssl.conf | Multiple Names | HTTPS | Enabled | 4: proxy-le-ssl.conf | Multiple Names | HTTPS | Enabled | ||
Line 120: | Line 120: | ||
' | ' | ||
</source> | </source> | ||
==Redirect== | |||
===Root=== | |||
<code> nano /etc/apache2/sites-enabled/000-default.conf</code> | |||
<source lang="ini"> | |||
ServerName www.dev.chorke.org | |||
ServerAdmin [email protected] | |||
DocumentRoot /var/www/html | |||
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn, | |||
# error, crit, alert, emerg. | |||
# It is also possible to configure the loglevel for particular | |||
# modules, e.g. | |||
#LogLevel info ssl:warn | |||
ErrorLog ${APACHE_LOG_DIR}/error.log | |||
CustomLog ${APACHE_LOG_DIR}/access.log combined | |||
# For most configuration files from conf-available/, which are | |||
# enabled or disabled at a global level, it is possible to | |||
# include a line for only one particular virtual host. For example the | |||
# following line enables the CGI configuration for this host only | |||
# after it has been globally disabled with "a2disconf". | |||
#Include conf-available/serve-cgi-bin.conf | |||
RewriteEngine on | |||
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR] | |||
RewriteCond %{SERVER_NAME} =www.dev.chorke.org | |||
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] | |||
</source> | |||
<code>nano /etc/apache2/sites-enabled/default-ssl.conf</code> | |||
<source lang="ini"> | |||
Include /etc/letsencrypt/options-ssl-apache.conf | |||
ServerAdmin [email protected] | |||
ServerAlias www.dev.chorke.org | |||
DocumentRoot /var/www/html | |||
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn, | |||
# error, crit, alert, emerg. | |||
# It is also possible to configure the loglevel for particular | |||
# modules, e.g. | |||
#LogLevel info ssl:warn | |||
ErrorLog ${APACHE_LOG_DIR}/error.log | |||
CustomLog ${APACHE_LOG_DIR}/access.log combined | |||
# For most configuration files from conf-available/, which are | |||
# enabled or disabled at a global level, it is possible to | |||
# include a line for only one particular virtual host. For example the | |||
# following line enables the CGI configuration for this host only | |||
# after it has been globally disabled with "a2disconf". | |||
#Include conf-available/serve-cgi-bin.conf | |||
# SSL Engine Switch: | |||
# Enable/Disable SSL for this virtual host. | |||
SSLEngine on | |||
# A self-signed (snakeoil) certificate can be created by installing | |||
# the ssl-cert package. See | |||
# /usr/share/doc/apache2/README.Debian.gz for more info. | |||
# If both key and certificate are stored in the same file, only the | |||
# SSLCertificateFile directive is needed. | |||
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem | |||
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem | |||
# SSL Engine Options: | |||
# Set various options for the SSL engine. | |||
# o FakeBasicAuth: | |||
# Translate the client X.509 into a Basic Authorisation. This means that | |||
# the standard Auth/DBMAuth methods can be used for access control. The | |||
# user name is the `one line' version of the client's X.509 certificate. | |||
# Note that no password is obtained from the user. Every entry in the user | |||
# file needs this password: `xxj31ZMTZzkVA'. | |||
# o ExportCertData: | |||
# This exports two additional environment variables: SSL_CLIENT_CERT and | |||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the | |||
# server (always existing) and the client (only existing when client | |||
# authentication is used). This can be used to import the certificates | |||
# into CGI scripts. | |||
# o StdEnvVars: | |||
# This exports the standard SSL/TLS related `SSL_*' environment variables. | |||
# Per default this exportation is switched off for performance reasons, | |||
# because the extraction step is an expensive operation and is usually | |||
# useless for serving static content. So one usually enables the | |||
# exportation for CGI and SSI requests only. | |||
# o OptRenegotiate: | |||
# This enables optimized SSL connection renegotiation handling when SSL | |||
# directives are used in per-directory context. | |||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire | |||
<FilesMatch "\.(cgi|shtml|phtml|php)$"> | |||
SSLOptions +StdEnvVars | |||
</FilesMatch> | |||
<Directory /usr/lib/cgi-bin> | |||
SSLOptions +StdEnvVars | |||
</Directory> | |||
</source> | |||
===Proxy=== | |||
<code>nano /etc/apache2/mods-enabled/proxy.conf</code> | |||
<source lang="ini"> | |||
ProxyRequests Off | |||
ProxyPreserveHost On | |||
AllowEncodedSlashes Off | |||
ServerName dev.chorke.org | |||
ServerAlias www.dev.chorke.org | |||
ServerAdmin [email protected] | |||
<Proxy *> | |||
Order Allow,Deny | |||
Allow from all | |||
</Proxy> | |||
# proxy for ui.mob | |||
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon | |||
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob | |||
# proxy for ui.web | |||
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon | |||
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web | |||
# Enable/disable the handling of HTTP/1.1 "Via:" headers. | |||
# ("Full" adds the server version; "Block" removes all outgoing Via: headers) | |||
# Set to one of: Off | On | Full | Block | |||
#ProxyVia Off | |||
RewriteEngine on | |||
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR] | |||
RewriteCond %{SERVER_NAME} =www.dev.chorke.org | |||
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] | |||
</source> | |||
<code>nano /etc/apache2/sites-enabled/proxy-le-ssl.conf</code> | |||
<source lang="ini"> | |||
ProxyRequests Off | |||
ProxyPreserveHost On | |||
AllowEncodedSlashes Off | |||
ServerName dev.chorke.org | |||
ServerAlias www.dev.chorke.org | |||
ServerAdmin [email protected] | |||
<Proxy *> | |||
Order Allow,Deny | |||
Allow from all | |||
</Proxy> | |||
# proxy for ui.mob | |||
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon | |||
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob | |||
# proxy for ui.web | |||
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon | |||
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web | |||
# Enable/disable the handling of HTTP/1.1 "Via:" headers. | |||
# ("Full" adds the server version; "Block" removes all outgoing Via: headers) | |||
# Set to one of: Off | On | Full | Block | |||
#ProxyVia Off | |||
Include /etc/letsencrypt/options-ssl-apache.conf | |||
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem | |||
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem | |||
</source> | |||
==References== | |||
{| | |||
| valign="top" | | |||
===Install=== | |||
* [https://websiteforstudents.com/setup-apache2-with-http-2-and-lets-encrypt-ssl/ Setup Apache2 With HTTP/2 And Let’s Encrypt SSL Certificates] | |||
* [https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 Generate Wildcard SSL certificate using Let’s Encrypt/Certbot] | |||
* [https://github.com/srvrco/getssl/tree/APIv2 Obtain SSL certificates from the letsencrypt.org ACME server] | |||
* [https://upcloud.com/community/tutorials/install-lets-encrypt-apache/ How to install Let’s Encrypt on Apache2] | |||
* [https://letsencrypt.org/docs/client-options ACME Client Implementations] | |||
* [https://www.ssllabs.com/ssltest/analyze.html?d=dev.shahed.biz SSL Report dev.shahed.biz] | |||
* [https://certifytheweb.com Certify SSL Manager] | |||
* [https://letsencrypt.org/docs/challenge-types Challenge Types] | |||
* [https://letsencrypt.org/how-it-works How It Works] | |||
| valign="top" | | |||
===Uninstall=== | |||
* [https://www.linode.com/community/questions/17003/how-do-i-remove-a-custom-letsencrypt-installation How do I remove a custom LetsEncrypt Installation] | |||
* [https://www.jeffgeerling.com/blog/2016/remove-single-certbot-letsencrypt-certificate-server Remove a single Certbot certificate from a server] | |||
* [https://medium.com/@mhagemann/correct-way-to-delete-a-certbot-ssl-certificate-e8ee123e6e01 Correct Way to Delete a Certbot SSL Certificate] | |||
| valign="top" | | |||
===Crontab=== | |||
* [https://serverfault.com/questions/790772 Cron job for let's encrypt renewal] | |||
|} |
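Review bot: The new Proxy block tells the reader to edit `nano /etc/apache2/sites-enabled/proxy-le-ssl.conf`, but the certbot transcript reproduced lower on this page reports creating and enabling `/etc/apache2/mods-available/proxy-le-ssl.conf`, so following the added instructions may edit a file that does not exist while the live SSL vhost sits elsewhere — confirm which path is right and use it consistently. In the same added listings `ServerAdmin [email protected]` appears to be an obfuscation placeholder rather than the address given as `-m admin@chorke.org` earlier in this diff. The `<Proxy *>` block uses Apache 2.2 `Order Allow,Deny` / `Allow from all`, which on 2.4 works only through mod_access_compat and is clearer as `Require all granted`; it is harmless here only because `ProxyRequests Off` keeps forward proxying disabled. Both proxy vhosts pass `nocanon`, which hands the request path to piz.dev.chorke.org without Apache's URL normalisation, so a comment such as `# nocanon: backend must validate paths itself` above the ProxyPass lines would help the next editor.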
Latest revision as of 06:00, 11 November 2019
Search
# Look the Apache plugin package up before installing it. The extra "install"
# word is presumably just a second search pattern (apt ANDs them);
# "apt search python-certbot-apache" is likely what was meant — verify.
apt search install python-certbot-apache
# Captured output. A quoted heredoc (<<'EOF') is a no-op: nothing inside is
# expanded or executed, and apostrophes in the text cannot break the block.
: <<'EOF'
Sorting... Done
Full Text Search... Done
python-certbot-apache/stable 0.31.0-1 all
transitional dummy package
python-certbot-apache-doc/stable 0.31.0-1 all
Apache plugin documentation for Certbot
EOF
Install
# Install certbot with its Apache plugin (pulls in certbot itself plus the
# python3 ACME/augeas stack listed below). Run as root.
apt install python-certbot-apache
# Captured output. A quoted heredoc (<<'EOF') is a no-op: nothing inside is
# expanded or executed.
: <<'EOF'
apt install python-certbot-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
augeas-lenses certbot libaugeas0 python-pyicu python3-acme python3-asn1crypto python3-augeas python3-certbot python3-certbot-apache python3-cffi-backend python3-configargparse python3-configobj python3-cryptography python3-distutils
python3-future python3-josepy python3-lib2to3 python3-mock python3-openssl python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz python3-zope.component python3-zope.event
python3-zope.hookable python3-zope.interface
Suggested packages:
augeas-doc python3-certbot-nginx python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc python-configobj-doc python-cryptography-doc python3-cryptography-vectors python-future-doc python-mock-doc python-openssl-doc
python3-openssl-dbg python-setuptools-doc
The following NEW packages will be installed:
augeas-lenses certbot libaugeas0 python-certbot-apache python-pyicu python3-acme python3-asn1crypto python3-augeas python3-certbot python3-certbot-apache python3-cffi-backend python3-configargparse python3-configobj
python3-cryptography python3-distutils python3-future python3-josepy python3-lib2to3 python3-mock python3-openssl python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz
python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
0 upgraded, 30 newly installed, 0 to remove and 18 not upgraded.
Need to get 3,010 kB of archives.
After this operation, 14.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
EOF
Setup
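# Request one certificate covering both names, using the Apache plugin for the
# http-01 challenge and for installing the certificate into a vhost.
# -m is the registration / expiry-notice address (the earlier revision of this
# page shows admin@chorke.org; the published copy had an obfuscated placeholder).
certbot --apache -m admin@chorke.org -d dev.chorke.org -d www.dev.chorke.org
# Captured transcript. It is kept in a quoted heredoc rather than a ': ' ... '
# string because the text contains apostrophes ("Let's", "We'd", "you're",
# "server's", 'c') that would terminate a single-quoted string and turn the
# rest of the transcript into commands if this block were pasted into a shell.
: <<'EOF'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.chorke.org
http-01 challenge for www.dev.chorke.org
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/mods-available/proxy-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/mods-available/proxy-le-ssl.conf
Enabling available site: /etc/apache2/mods-available/proxy-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of www.dev.chorke.org.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: proxy.conf | Multiple Names | | Enabled
2: 000-default.conf | www.dev.chorke.org | | Enabled
3: default-ssl.conf | | HTTPS | Enabled
4: proxy-le-ssl.conf | Multiple Names | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
Deploying Certificate to VirtualHost /etc/apache2/mods-available/proxy-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/mods-enabled/proxy.conf to ssl vhost in /etc/apache2/mods-available/proxy-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dev.chorke.org and
https://www.dev.chorke.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dev.chorke.org
https://www.ssllabs.com/ssltest/analyze.html?d=www.dev.chorke.org
EOF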
Crontab
Add cron expression: 0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
to crontab
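# Open root's crontab in an editor and add the nightly renewal entry there.
# The Debian certbot package normally ships its own renewal cron/systemd timer
# entry; check for one before adding a second, or renewals run twice.
crontab -e
# Captured transcript, in a quoted heredoc: the original ': ' ... ' form broke
# on the quotes around 'select-editor', which would end the string early.
: <<'EOF'
no crontab for root - using an empty one
Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/vim.tiny
3. /bin/ed
Choose 1-3 [1]: 1
crontab: installing new crontab
EOF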
Redirect
Root
nano /etc/apache2/sites-enabled/000-default.conf
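# /etc/apache2/sites-enabled/000-default.conf — plain-HTTP vhost for the
# document root. After certbot its job is to answer the http-01 challenge and
# send everything else to HTTPS (RewriteRule at the bottom).
ServerName www.dev.chorke.org
# Contact address, as given to "certbot -m" in the Setup section (the published
# copy of this file showed an obfuscated placeholder here).
ServerAdmin admin@chorke.org
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg. A per-module level is also possible, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# A conf-available/ snippet that was globally disabled with "a2disconf" can be
# re-enabled for this vhost only, e.g.
#Include conf-available/serve-cgi-bin.conf

# HTTP -> HTTPS redirect in certbot's style: only the two certified names are
# redirected; END stops further rewriting, NE leaves the URI unescaped and
# R=permanent issues a 301.
RewriteEngine on
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR]
RewriteCond %{SERVER_NAME} =www.dev.chorke.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]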
nano /etc/apache2/sites-enabled/default-ssl.conf
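# /etc/apache2/sites-enabled/default-ssl.conf — HTTPS vhost for the document
# root, switched from the snakeoil certificate to the Let's Encrypt one.
# Certbot's shared TLS settings (protocol/cipher policy); keep it first so the
# directives below can still override it if ever needed.
Include /etc/letsencrypt/options-ssl-apache.conf
# Contact address, as given to "certbot -m" in the Setup section (the published
# copy of this file showed an obfuscated placeholder here).
ServerAdmin admin@chorke.org
# NOTE(review): this vhost has no ServerName, and www.dev.chorke.org is also
# claimed by proxy-le-ssl.conf, so which :443 vhost answers for that name
# depends on configuration load order — confirm this is intended.
ServerAlias www.dev.chorke.org
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg. A per-module level is also possible, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# A conf-available/ snippet that was globally disabled with "a2disconf" can be
# re-enabled for this vhost only, e.g.
#Include conf-available/serve-cgi-bin.conf

# SSL Engine Switch: enable TLS for this virtual host.
SSLEngine on

# Certificate chain and private key issued by certbot. The live/ entries are
# symlinks that certbot re-points on renewal, so these paths stay stable;
# keep privkey.pem readable by root only. (A self-signed snakeoil pair from the
# ssl-cert package can be used instead; see
# /usr/share/doc/apache2/README.Debian.gz. If key and certificate share one
# file, only SSLCertificateFile is needed.)
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem

# SSL Engine Options (Debian defaults, left disabled):
# o FakeBasicAuth: turn the client X.509 certificate into a Basic
#   Authorisation so the standard Auth/DBMAuth access control can be used;
#   no password is asked of the user, every user-file entry needs the
#   password `xxj31ZMTZzkVA'.
# o ExportCertData: export SSL_CLIENT_CERT and SSL_SERVER_CERT (PEM) into the
#   environment, e.g. for CGI scripts.
# o StdEnvVars: export the standard SSL_* environment variables; off by
#   default because extraction is expensive and useless for static content,
#   so it is usually enabled for CGI and SSI requests only (as done below).
# o OptRenegotiate: optimised renegotiation when SSL directives are used in
#   per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>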
Proxy
nano /etc/apache2/mods-enabled/proxy.conf
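# /etc/apache2/mods-enabled/proxy.conf — plain-HTTP reverse-proxy vhost.
# Forward proxying stays off: only the ProxyPass mappings below are served,
# which is what keeps the permissive <Proxy *> block safe.
ProxyRequests Off
# Pass the client's Host header through to the backend unchanged.
ProxyPreserveHost On
# Requests whose path contains an encoded slash (%2F) are rejected rather than
# forwarded.
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias www.dev.chorke.org
# Contact address, as given to "certbot -m" in the Setup section (the published
# copy of this file showed an obfuscated placeholder here).
ServerAdmin admin@chorke.org

# Access control in Apache 2.2 syntax; on 2.4 it works through
# mod_access_compat (usually enabled on Debian) and is equivalent to
# "Require all granted".
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>

# Backend mappings. "nocanon" forwards the request path without Apache's URL
# normalisation, so the backend must validate paths itself. The hop to
# piz.dev.chorke.org is plain http and should stay on a trusted network.
# proxy for ui.mob
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob
# proxy for ui.web
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia Off

# HTTP -> HTTPS redirect for the two certified names (certbot's "Redirecting
# vhost" step): END stops further rewriting, NE leaves the URI unescaped and
# R=permanent issues a 301.
RewriteEngine on
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR]
RewriteCond %{SERVER_NAME} =www.dev.chorke.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]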
nano /etc/apache2/sites-enabled/proxy-le-ssl.conf
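# proxy-le-ssl.conf — HTTPS twin of the proxy vhost, created by certbot (its
# transcript places it under /etc/apache2/mods-available/; this page edits it
# under sites-enabled — confirm which path is live).
# Forward proxying stays off: only the ProxyPass mappings below are served,
# which is what keeps the permissive <Proxy *> block safe.
ProxyRequests Off
# Pass the client's Host header through to the backend unchanged.
ProxyPreserveHost On
# Requests whose path contains an encoded slash (%2F) are rejected rather than
# forwarded.
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias www.dev.chorke.org
# Contact address, as given to "certbot -m" in the Setup section (the published
# copy of this file showed an obfuscated placeholder here).
ServerAdmin admin@chorke.org

# Access control in Apache 2.2 syntax; on 2.4 it works through
# mod_access_compat (usually enabled on Debian) and is equivalent to
# "Require all granted".
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>

# Backend mappings. "nocanon" forwards the request path without Apache's URL
# normalisation, so the backend must validate paths itself. TLS terminates
# here; the hop to piz.dev.chorke.org is plain http and should stay on a
# trusted network.
# proxy for ui.mob
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob
# proxy for ui.web
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia Off

# TLS: certbot's shared protocol/cipher policy, then the issued chain and key.
# The live/ entries are symlinks certbot re-points on renewal, so the paths
# stay stable; keep privkey.pem readable by root only.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem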