Raspberry Pi Apache2 Lets Encrypt SSL: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 281: Line 281:


Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.dev.chorke.org
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem
Line 287: Line 286:


==References==
==References==
{|
| valign="top" |
===Install===
* [https://websiteforstudents.com/setup-apache2-with-http-2-and-lets-encrypt-ssl/ Setup Apache2 With HTTP/2 And Let’s Encrypt SSL Certificates]
* [https://websiteforstudents.com/setup-apache2-with-http-2-and-lets-encrypt-ssl/ Setup Apache2 With HTTP/2 And Let’s Encrypt SSL Certificates]
* [https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 Generate Wildcard SSL certificate using Let’s Encrypt/Certbot]
* [https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 Generate Wildcard SSL certificate using Let’s Encrypt/Certbot]
Line 293: Line 295:
* [https://letsencrypt.org/docs/client-options ACME Client Implementations]
* [https://letsencrypt.org/docs/client-options ACME Client Implementations]
* [https://www.ssllabs.com/ssltest/analyze.html?d=dev.shahed.biz SSL Report dev.shahed.biz]
* [https://www.ssllabs.com/ssltest/analyze.html?d=dev.shahed.biz SSL Report dev.shahed.biz]
* [https://certifytheweb.com Certify SSL Manager]
* [https://letsencrypt.org/docs/challenge-types Challenge Types]
* [https://letsencrypt.org/docs/challenge-types Challenge Types]
* [https://letsencrypt.org/how-it-works How It Works]
* [https://letsencrypt.org/how-it-works How It Works]
| valign="top" |
===Uninstall===
* [https://www.linode.com/community/questions/17003/how-do-i-remove-a-custom-letsencrypt-installation How do I remove a custom LetsEncrypt Installation]
* [https://www.jeffgeerling.com/blog/2016/remove-single-certbot-letsencrypt-certificate-server Remove a single Certbot certificate from a server]
* [https://medium.com/@mhagemann/correct-way-to-delete-a-certbot-ssl-certificate-e8ee123e6e01 Correct Way to Delete a Certbot SSL Certificate]
| valign="top" |
===Crontab===
* [https://serverfault.com/questions/790772 Cron job for let's encrypt renewal]
|}

Latest revision as of 06:00, 11 November 2019

Search

apt search install python-certbot-apache
: '
Sorting... Done
Full Text Search... Done
python-certbot-apache/stable 0.31.0-1 all
  transitional dummy package

python-certbot-apache-doc/stable 0.31.0-1 all
  Apache plugin documentation for Certbot
'

Install

apt install python-certbot-apache
: '
apt install python-certbot-apache
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  augeas-lenses certbot libaugeas0 python-pyicu python3-acme python3-asn1crypto python3-augeas python3-certbot python3-certbot-apache python3-cffi-backend python3-configargparse python3-configobj python3-cryptography python3-distutils
  python3-future python3-josepy python3-lib2to3 python3-mock python3-openssl python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz python3-zope.component python3-zope.event
  python3-zope.hookable python3-zope.interface
Suggested packages:
  augeas-doc python3-certbot-nginx python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc python-configobj-doc python-cryptography-doc python3-cryptography-vectors python-future-doc python-mock-doc python-openssl-doc
  python3-openssl-dbg python-setuptools-doc
The following NEW packages will be installed:
  augeas-lenses certbot libaugeas0 python-certbot-apache python-pyicu python3-acme python3-asn1crypto python3-augeas python3-certbot python3-certbot-apache python3-cffi-backend python3-configargparse python3-configobj
  python3-cryptography python3-distutils python3-future python3-josepy python3-lib2to3 python3-mock python3-openssl python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz
  python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
0 upgraded, 30 newly installed, 0 to remove and 18 not upgraded.
Need to get 3,010 kB of archives.
After this operation, 14.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
'

Setup

certbot --apache -m [email protected] -d dev.chorke.org -d www.dev.chorke.org
: '
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.chorke.org
http-01 challenge for www.dev.chorke.org
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/mods-available/proxy-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/mods-available/proxy-le-ssl.conf
Enabling available site: /etc/apache2/mods-available/proxy-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.dev.chorke.org.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: proxy.conf                     | Multiple Names        |       | Enabled
2: 000-default.conf               | www.dev.chorke.org    |       | Enabled
3: default-ssl.conf               |                       | HTTPS | Enabled
4: proxy-le-ssl.conf              | Multiple Names        | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
Deploying Certificate to VirtualHost /etc/apache2/mods-available/proxy-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/mods-enabled/proxy.conf to ssl vhost in /etc/apache2/mods-available/proxy-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dev.chorke.org and
https://www.dev.chorke.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dev.chorke.org
https://www.ssllabs.com/ssltest/analyze.html?d=www.dev.chorke.org
'

Crontab

Add cron expression: 0 1 * * * /usr/bin/certbot renew & > /dev/null to crontab

crontab -e
: '
no crontab for root - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.tiny
  3. /bin/ed

Choose 1-3 [1]: 1
crontab: installing new crontab
'

Redirect

Root

nano /etc/apache2/sites-enabled/000-default.conf

ServerName www.dev.chorke.org
ServerAdmin [email protected]
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR]
RewriteCond %{SERVER_NAME} =www.dev.chorke.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

nano /etc/apache2/sites-enabled/default-ssl.conf

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAdmin [email protected]
ServerAlias www.dev.chorke.org
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#        Translate the client X.509 into a Basic Authorisation.  This means that
#        the standard Auth/DBMAuth methods can be used for access control.  The
#        user name is the `one line' version of the client's X.509 certificate.
#        Note that no password is obtained from the user. Every entry in the user
#        file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#        This exports two additional environment variables: SSL_CLIENT_CERT and
#        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#        server (always existing) and the client (only existing when client
#        authentication is used). This can be used to import the certificates
#        into CGI scripts.
#   o StdEnvVars:
#        This exports the standard SSL/TLS related `SSL_*' environment variables.
#        Per default this exportation is switched off for performance reasons,
#        because the extraction step is an expensive operation and is usually
#        useless for serving static content. So one usually enables the
#        exportation for CGI and SSI requests only.
#   o OptRenegotiate:
#        This enables optimized SSL connection renegotiation handling when SSL
#        directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

Proxy

nano /etc/apache2/mods-enabled/proxy.conf

ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias www.dev.chorke.org
ServerAdmin [email protected]

<Proxy *>
    Order Allow,Deny
    Allow from all
</Proxy>

# proxy for ui.mob
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob

# proxy for ui.web
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia Off

RewriteEngine on
RewriteCond %{SERVER_NAME} =dev.chorke.org [OR]
RewriteCond %{SERVER_NAME} =www.dev.chorke.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

nano /etc/apache2/sites-enabled/proxy-le-ssl.conf

ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias www.dev.chorke.org
ServerAdmin [email protected]

<Proxy *>
    Order Allow,Deny
    Allow from all
</Proxy>

# proxy for ui.mob
ProxyPass /ui.mob http://piz.dev.chorke.org/ui.mob nocanon
ProxyPassReverse /ui.mob http://piz.dev.chorke.org/ui.mob

# proxy for ui.web
ProxyPass /ui.web http://piz.dev.chorke.org/ui.web nocanon
ProxyPassReverse /ui.web http://piz.dev.chorke.org/ui.web

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia Off


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dev.chorke.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.chorke.org/privkey.pem

References

Install

Uninstall

Crontab