Let'sEncrypt auf Debian-Server einbauen
-
Dieses Beispiel bezieht sich auf einen Debian-Server auf dem NodeBB einwandfrei läuft. Der Hostname ist erreichbar und alles läuft. Ich nutze eine Redis-DB und Nginx als Proxy.
Installation Let'sEncrypt
Nach dieser Anleitung -> https://willy-tech.de/ssl-zertifikat-mit-lets-encrypt-erstellen/
Zertifikat erzeugen
Nginx stoppen
root@one /opt/letsencrypt # /etc/init.d/nginx stop [ ok ] Stopping nginx (via systemctl): nginx.service.Zertifikate erzeugen
root@one /opt/letsencrypt # ./letsencrypt-auto certonly --standalone -d frank-mankel.org -d www.frank-mankel.org Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for frank-mankel.org http-01 challenge for www.frank-mankel.org Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/frank-mankel.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/frank-mankel.org/privkey.pem Your cert will expire on 2018-07-13. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-leDas hat schon mal geklappt!!
Hier liegen jetzt die Zertifikate:
/etc/letsencrypt/live/frank-mankel.orgDort liegen jetzt folgende Files:
root@one /etc/letsencrypt/live/frank-mankel.org # ls -l total 4 lrwxrwxrwx 1 root root 40 Apr 14 15:15 cert.pem -> ../../archive/frank-mankel.org/cert1.pem lrwxrwxrwx 1 root root 41 Apr 14 15:15 chain.pem -> ../../archive/frank-mankel.org/chain1.pem lrwxrwxrwx 1 root root 45 Apr 14 15:15 fullchain.pem -> ../../archive/frank-mankel.org/fullchain1.pem lrwxrwxrwx 1 root root 43 Apr 14 15:15 privkey.pem -> ../../archive/frank-mankel.org/privkey1.pem -rw-r--r-- 1 root root 543 Apr 14 15:15 READMEDie bauen wir jetzt in Nginx ein!
Nginx konfigurieren
Nginx stoppen:
/etc/init.d/nginx stopMeine alte Nginx Datei OHNE https:
server { if ($host != 'frank-mankel.org' ) { rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent; } listen 80; server_name frank-mankel.org; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://127.0.0.1:4567; proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }Neue Datei mit https!!
### redirects http requests to https server { server_name www.frank-mankel.org; rewrite ^(.*) http://frank-mankel.org$1 permanent; } server { listen 80; server_name frank-mankel.org; return 302 https://$server_name$request_uri; } ### the https server server { # listen on ssl, deliver with speedy if possible listen 443 ssl spdy; server_name frank-mankel.org; # change these paths! ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem; # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disables all weak ciphers ssl_ciphers 'AES128+EECDH:AES128+EDH'; ssl_prefer_server_ciphers on; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://127.0.0.1:4567; # no trailing slash proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }Der Ganze http Verkehr wird nach https umgeleitet.
Als allererstes strippen wir www aus dem Namen.
if ($host != 'frank-mankel.org' ) { rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent; }Der Rest entspricht der Nginx Doku!
Jetzt bauen wir das Zertifikat ein. Pfade anpassen.
# change these paths! ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem;Danach speichern und Nginx wieder starten
/etc/init.d/nginx startAlles Testen und schauen ob alles funktioniert. Das Let'sEncrypt Zertifikat läuft nur 90 Tage, danach muss es erneuert werden! Also legen wir uns einen crontab an
Crontab einrichten (Zur Zeit habe ich keine Ahnung ob das funktioniert)
crontab -eWir fügen folgende Zeile hinzu.
* 3 1 * * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"Speichern das Ganze und hoffen, das es funktioniert
Bei einem Test kam folgendes:
root@one /opt/letsencrypt # certbot renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start" Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/frank-mankel.org.conf ------------------------------------------------------------------------------- Attempting to parse the version 0.23.0 renewal configuration file found at /etc/letsencrypt/renewal/frank-mankel.org.conf with version 0.10.2 of Certbot. This might not work. Cert not due for renewal, but simulating renewal for dry run Running pre-hook command: service nginx stop Renewing an existing certificate Performing the following challenges: http-01 challenge for frank-mankel.org http-01 challenge for www.frank-mankel.org Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/frank-mankel.org/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) Running post-hook command: service nginx startDas --dry-run macht nur einen Testlauf ohne was zu ändern!!
Wer was zu der Zeile "Attempting to parse the version 0.23.0 renewal ....." sagen kann, immer her damit. Die Zeile ist rot eingefärbt!
