====== Automatic SSL certificates for web servers ======

[[https://letsencrypt.org/]]

[[https://github.com/diafygi/acme-tiny]]

Create the private key for the website (the certificate request follows):

<code bash>
openssl genrsa 4096 > /etc/pki/tls/private/https.key
chown apache /etc/pki/tls/private/https.key
chmod 600 /etc/pki/tls/private/https.key
</code>

Create the CSR with CN set to the hostname:

<code bash>
openssl req -new -sha256 -key /etc/pki/tls/private/https.key -subj "/CN=`hostname -f`" > /etc/pki/tls/certs/https.csr
</code>

Temporarily install the CSR in place of the certificate files, so that the files the Apache configuration references exist before the first certificate is issued:

<code bash>
cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https.crt
cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chain.crt
cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chained.crt
</code>

Create the acme-challenge directory for the web server:

<code bash>
mkdir /var/www/acme-challenge
</code>

Point Apache at the certificate files and configure it to export the acme-challenge directory over plain HTTP (the ''<Directory>'' container is required: ''AllowOverride'' and the access directives are not accepted outside one):

<code bash>
cat > /etc/httpd/conf.d/acme.conf <<'EOT'
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/certs/https.crt
SSLCertificateKeyFile /etc/pki/tls/private/https.key
SSLCertificateChainFile /etc/pki/tls/certs/https-chain.crt

# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.34&openssl=1.0.2k&hsts=no&profile=intermediate
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# The http-01 challenge files are served from here over plain HTTP.
Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
<Directory /var/www/acme-challenge/>
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from All
    </IfModule>
    # Nothing in this directory may be executed or override the configuration.
    php_flag engine off
    AllowOverride None
    Options None
</Directory>
EOT
</code>

Restart Apache:

<code bash>
service httpd restart
</code>

Create an "acme" user:

<code bash>
useradd acme
</code>

Allow the acme user to reload httpd via sudo:

<code bash>
echo 'acme ALL=NOPASSWD: service httpd reload' > /etc/sudoers.d/acme
</code>

Fix file permissions:

<code bash>
chown acme /etc/pki/tls/certs/https.crt
chown acme /etc/pki/tls/certs/https-chain.crt
chown acme /etc/pki/tls/certs/https-chained.crt
chown acme /var/www/acme-challenge
</code>

From now on work as the "acme" user:

<code bash>
su - acme
</code>

Create the requester's key for the ACME protocol:

<code bash>
openssl genrsa 4096 > account.key
</code>

Create symlinks to the certificate files:

<code bash>
ln -s /etc/pki/tls/certs/https.crt .
ln -s /etc/pki/tls/certs/https-chain.crt .
ln -s /etc/pki/tls/certs/https-chained.crt .
ln -s /etc/pki/tls/certs/https.csr .
ln -s /var/www/acme-challenge .
</code>

To obtain a CSR covering all the hosts configured in Apache (only the names that actually reach this server over plain HTTP, i.e. the same path the http-01 challenge will take, are included; the CSR is written to stdout, diagnostics go to stderr):

<code bash>
cat > get_certs_for_all_aliases.sh <<'EOT'
#!/bin/bash
aliases=
sep=
for host in `httpd -S | egrep 'alias|namevhost' | sed -r 's/^.*(alias|namevhost) (\S+).*$/\2/' | sort -u | egrep -v "internal$" | egrep -v '^$'`; do
  checkfile=checkme$RANDOM
  echo "$checkfile" > /var/www/acme-challenge/$checkfile
  RESP=`curl -s http://$host/.well-known/acme-challenge/$checkfile`
  # remove the probe file after every host, not only after the last one
  rm -f /var/www/acme-challenge/$checkfile
  if [ "$RESP" == "$checkfile" ]; then
    echo "$host is host alias" >&2
    aliases=$aliases${sep}DNS:$host
    sep=','
  # else
  #   echo "$host is NOT host alias" >&2
  fi
done
if [ -z "$aliases" ]; then
  echo "No reachable host alias found, no CSR generated." >&2
  exit 1
fi
openssl req -text -new -sha256 -key /etc/pki/tls/private/https.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=$aliases"))
EOT
chmod +x get_certs_for_all_aliases.sh
</code>

Download acme-tiny:

<code bash>
git clone https://github.com/diafygi/acme-tiny.git
</code>

Create a tmp directory in acme's home:

<code bash>
mkdir tmp
</code>

Create the renew script:

<code bash>
cat > renew.sh <<'EOT'
#!/bin/bash
cd $HOME
curl -s https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > tmp/$$.chain
if [ $? != 0 ]; then
  echo "Error downloading chain pem. Exiting."
  exit 1
fi
cat tmp/$$.chain > https-chain.crt && rm -f tmp/$$.chain
python acme-tiny/acme_tiny.py --quiet --account-key account.key --csr https.csr --acme-dir acme-challenge/ > tmp/$$.cert
if [ $? != 0 ]; then
  echo "Error requesting certificate. Exiting."
  exit 1
fi
cat tmp/$$.cert > https.crt && rm -f tmp/$$.cert
# Rebuild the combined file (leaf first, then the chain) on every run;
# appending with >> would make it grow and never contain the new leaf.
cat https.crt https-chain.crt > https-chained.crt
sudo service httpd reload > /dev/null
if [ $? != 0 ]; then
  echo "Error reloading httpd. Exiting."
  exit 1
fi
EOT
chmod +x renew.sh
</code>

Run the first renew:

<code bash>
/home/acme/renew.sh
</code>

Configure the crontab, again as the acme user:

<code>
30 9 15 * * /home/acme/renew.sh
</code>
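As an added example (not one of this page's scripts and not part of acme-tiny), a Python check for the three certificate files renew.sh writes: it verifies that https-chained.crt is the leaf followed by the chain, that it has not grown through repeated appends, and that the CSR placeholder installed earlier has been replaced by a real certificate. The sample PEM blocks are constructed; the file paths in the main block are the ones used on this page.

```python
import re
import sys

# Matches one PEM block and captures its label (CERTIFICATE, CERTIFICATE REQUEST, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, block_text), ...] for every PEM block in a file's content."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def assemble_chained(leaf_pem, chain_pem):
    """Build https-chained.crt the way renew.sh does: leaf first, then the chain."""
    return "\n".join(b for _, b in pem_blocks(leaf_pem) + pem_blocks(chain_pem)) + "\n"


def check_bundle(leaf_pem, chain_pem, chained_pem):
    """Return a list of problems found in the three files; an empty list means consistent."""
    leaf, chain, chained = pem_blocks(leaf_pem), pem_blocks(chain_pem), pem_blocks(chained_pem)
    problems = []
    if any(label == "CERTIFICATE REQUEST" for label, _ in leaf + chained):
        problems.append("CSR placeholder still installed: no certificate has been issued yet")
    if len(leaf) != 1:
        problems.append("https.crt must contain exactly one certificate")
    if not chain:
        problems.append("https-chain.crt contains no certificate")
    bodies = [b for _, b in chained]
    if len(bodies) != len(set(bodies)):
        problems.append("https-chained.crt has duplicate blocks (appended instead of rebuilt?)")
    if bodies != [b for _, b in leaf + chain]:
        problems.append("https-chained.crt is not the leaf followed by the chain")
    return problems


def fake_pem(label, body):
    """Constructed sample block (not a real certificate) so the check runs offline."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


LEAF = fake_pem("CERTIFICATE", "LEAF-SAMPLE")
INTERMEDIATE = fake_pem("CERTIFICATE", "INTERMEDIATE-SAMPLE")

if __name__ == "__main__":
    # Check the real files written by renew.sh (paths as used on this page).
    files = ["/etc/pki/tls/certs/https.crt", "/etc/pki/tls/certs/https-chain.crt",
             "/etc/pki/tls/certs/https-chained.crt"]
    found = check_bundle(*[open(f).read() for f in files])
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Running it from cron after renew.sh turns a silently broken bundle into a visible non-zero exit status.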