let-s-encrypt
Let’s Encrypt
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Instalace ACME
Přidat uživatele
shell# adduser letsencrypt
Nainstalovat GIT
shell# yum install git.x86_64 nmap-ncat.x86_64 openssl.x86_64
Instalace
shell# su - letsencrypt shell$ git clone https://github.com/Neilpang/acme.sh.git shell$ cd ./acme.sh shell$ ./acme.sh --install
Oprávnění uživatele letsencrypt pro reload httpd.service
shell# visudo letsencrypt ALL=NOPASSWD:/bin/systemctl reload httpd.service
Nový certifikát
Příklad vystavení cerifikátu (Apache, není třeba root)
shell# .acme.sh/acme.sh --issue -d example.com -d www.example.com -w /data/www/example.com/www-le/ --reloadcmd "sudo systemctl reload httpd.service"
Příklad vystavení certifikátu bez webserveru (netcat, root nebo práva na port 80)
shell# ./acme.sh --issue --standalone -d example.com -d www.example.com --keylength ec-256
Apache HTTP secure
# example.com <VirtualHost *:80> ServerName example.com ServerAlias www.example.com RewriteEngine On RewriteRule ^/(.*) https://www.example.com/$1 [L,R=301] </VirtualHost> <VirtualHost *:443> ServerName example.com RewriteEngine On RewriteRule ^/(.*) https://www.example.com/$1 [L,R=301] SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 SSLCompression Off Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Header always set X-Frame-Options SAMEORIGIN Header always set X-Frame-Options DENY SSLCertificateFile /home/letsencrypt/.acme.sh/example.com/example.com.cer SSLCertificateKeyFile /home/letsencrypt/.acme.sh/example.com/example.com.key SSLCACertificateFile /home/letsencrypt/.acme.sh/example.com/fullchain.cer </VirtualHost> <VirtualHost *:443> ServerName www.example.com DocumentRoot /data/www/example.com/www ServerAdmin blazek@example.com SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 SSLCompression Off Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Header always set X-Frame-Options SAMEORIGIN Header always set X-Frame-Options DENY SSLCertificateFile /home/letsencrypt/.acme.sh/example.com/example.com.cer SSLCertificateKeyFile /home/letsencrypt/.acme.sh/example.com/example.com.key SSLCACertificateFile /home/letsencrypt/.acme.sh/example.com/fullchain.cer ErrorLog logs/example.com-error_log CustomLog logs/example.com-access_log common <Directory "/data/www/example.com/www"> AllowOverride All Require all granted </Directory> # let's encrypt Alias /.well-known/ /data/www/example.com/www-le/.well-known/ <Directory /data/www/example.com/www-le/> AllowOverride None Require all granted Satisfy Any </Directory> </VirtualHost>
let-s-encrypt.txt · Poslední úprava: 2023/12/26 19:13 autor: 127.0.0.1