Let'sEncrypt auf Debian-Server einbauen

FrankM

Dieses Beispiel bezieht sich auf einen Debian-Server auf dem NodeBB einwandfrei läuft. Der Hostname ist erreichbar und alles läuft. Ich nutze eine Redis-DB und Nginx als Proxy.

Installation Let'sEncrypt

Nach dieser Anleitung -> https://willy-tech.de/ssl-zertifikat-mit-lets-encrypt-erstellen/

Zertifikat erzeugen

Nginx stoppen

root@one /opt/letsencrypt # /etc/init.d/nginx stop
[ ok ] Stopping nginx (via systemctl): nginx.service.

Zertifikate erzeugen

root@one /opt/letsencrypt # ./letsencrypt-auto certonly --standalone -d frank-mankel.org -d www.frank-mankel.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for frank-mankel.org
http-01 challenge for www.frank-mankel.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/frank-mankel.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/frank-mankel.org/privkey.pem
   Your cert will expire on 2018-07-13. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Das hat schon mal geklappt!!

Hier liegen jetzt die Zertifikate:

/etc/letsencrypt/live/frank-mankel.org

Dort liegen jetzt folgende Files:

root@one /etc/letsencrypt/live/frank-mankel.org # ls -l
total 4
lrwxrwxrwx 1 root root  40 Apr 14 15:15 cert.pem -> ../../archive/frank-mankel.org/cert1.pem
lrwxrwxrwx 1 root root  41 Apr 14 15:15 chain.pem -> ../../archive/frank-mankel.org/chain1.pem
lrwxrwxrwx 1 root root  45 Apr 14 15:15 fullchain.pem -> ../../archive/frank-mankel.org/fullchain1.pem
lrwxrwxrwx 1 root root  43 Apr 14 15:15 privkey.pem -> ../../archive/frank-mankel.org/privkey1.pem
-rw-r--r-- 1 root root 543 Apr 14 15:15 README

Die bauen wir jetzt in Nginx ein!

Nginx konfigurieren

Nginx stoppen:

/etc/init.d/nginx stop

Meine alte Nginx Datei OHNE https:

server {
if ($host != 'frank-mankel.org' ) {
rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent;
}

listen 80;

server_name frank-mankel.org;

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    proxy_pass http://127.0.0.1:4567;
    proxy_redirect off;

    # Socket.IO Support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
 }
}

Neue Datei mit https!!

### redirects http requests to https

server {
    server_name  www.frank-mankel.org;
    rewrite ^(.*) http://frank-mankel.org$1 permanent;
}



server {
    listen 80;
    server_name frank-mankel.org;
    return 302 https://$server_name$request_uri;
}

### the https server
server {
    # listen on ssl, deliver with speedy if possible
    listen 443 ssl spdy;

    server_name frank-mankel.org;


    # change these paths!
    ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem;

    # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # disables all weak ciphers
    ssl_ciphers 'AES128+EECDH:AES128+EDH';

    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567;  # no trailing slash
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Der Ganze http Verkehr wird nach https umgeleitet.

Als allererstes strippen wir www aus dem Namen.

if ($host != 'frank-mankel.org' ) {
rewrite ^/(.*)$ http://frank-mankel.org/$1 permanent;
}

Der Rest entspricht der Nginx Doku!

Jetzt bauen wir das Zertifikat ein. Pfade anpassen.

# change these paths!
    ssl_certificate /etc/letsencrypt/live/frank-mankel.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/frank-mankel.org/privkey.pem;

Danach speichern und Nginx wieder starten

/etc/init.d/nginx start  

Alles Testen und schauen ob alles funktioniert. Das Let'sEncrypt Zertifikat läuft nur 90 Tage, danach muss es erneuert werden! Also legen wir uns einen crontab an

Crontab einrichten (Zur Zeit habe ich keine Ahnung ob das funktioniert)

crontab -e

Wir fügen folgende Zeile hinzu.

* 3  1 * * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Speichern das Ganze und hoffen, das es funktioniert

Bei einem Test kam folgendes:

root@one /opt/letsencrypt # certbot renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/frank-mankel.org.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.23.0 renewal configuration file found at /etc/letsencrypt/renewal/frank-mankel.org.conf with version 0.10.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for frank-mankel.org
http-01 challenge for www.frank-mankel.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/frank-mankel.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
Running post-hook command: service nginx start

Das --dry-run macht nur einen Testlauf ohne was zu ändern!!

Wer was zu der Zeile "Attempting to parse the version 0.23.0 renewal ....." sagen kann, immer her damit. Die Zeile ist rot eingefärbt!

Quelle: https://certbot.eff.org/docs/using.html#renewal