====== Let’s Encrypt ======

Let’s Encrypt is a new Certificate Authority:\\
It’s **free**, **automated**, and **open**. 

  * https://letsencrypt.org/
  * https://github.com/letsencrypt/letsencrypt
  * https://gist.github.com/renchap/c093702f06df69ba5cac#file-readme-md

===== Instalace ACME =====

Přidat uživatele

<code>
shell# adduser letsencrypt
</code>

Nainstalovat GIT

<code>
shell# yum install git.x86_64 nmap-ncat.x86_64 openssl.x86_64
</code>

Instalace

<code>
shell# su - letsencrypt
shell$ git clone https://github.com/Neilpang/acme.sh.git
shell$ cd ./acme.sh
shell$ ./acme.sh --install
</code>

Oprávnění uživatele letsencrypt pro reload httpd.service

<code>
shell# visudo
letsencrypt     ALL=NOPASSWD:/bin/systemctl reload httpd.service
</code>

===== Nový certifikát =====

Příklad vystavení cerifikátu (Apache, není třeba root)

<code>
shell# .acme.sh/acme.sh --issue -d example.com -d www.example.com -w /data/www/example.com/www-le/ --reloadcmd "sudo systemctl reload httpd.service"
</code>

Příklad vystavení certifikátu bez webserveru (netcat, root nebo práva na port 80)

<code>
shell# ./acme.sh --issue --standalone -d example.com -d www.example.com --keylength ec-256
</code>

====== Apache HTTP secure ======

<file /etc/httpd/conf.d/example.com.conf>
# example.com
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  RewriteEngine On
  RewriteRule ^/(.*) https://www.example.com/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  RewriteEngine On
  RewriteRule ^/(.*) https://www.example.com/$1 [L,R=301]
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
  SSLCompression Off
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  # Header always set X-Frame-Options SAMEORIGIN
  Header always set X-Frame-Options DENY
  SSLCertificateFile /home/letsencrypt/.acme.sh/example.com/example.com.cer
  SSLCertificateKeyFile /home/letsencrypt/.acme.sh/example.com/example.com.key
  SSLCACertificateFile /home/letsencrypt/.acme.sh/example.com/fullchain.cer
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  DocumentRoot /data/www/example.com/www
  ServerAdmin blazek@example.com
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
  SSLCompression Off
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  # Header always set X-Frame-Options SAMEORIGIN  
  Header always set X-Frame-Options DENY
  SSLCertificateFile /home/letsencrypt/.acme.sh/example.com/example.com.cer
  SSLCertificateKeyFile /home/letsencrypt/.acme.sh/example.com/example.com.key
  SSLCACertificateFile /home/letsencrypt/.acme.sh/example.com/fullchain.cer
  ErrorLog logs/example.com-error_log
  CustomLog logs/example.com-access_log common
  <Directory  "/data/www/example.com/www">
    AllowOverride All
    Require all granted
  </Directory>
  # let's encrypt
  Alias /.well-known/ /data/www/example.com/www-le/.well-known/
  <Directory /data/www/example.com/www-le/>
    AllowOverride None
    Require all granted
    Satisfy Any
  </Directory>
</VirtualHost>
</file>