Automatic SSL certificates for web servers

https://letsencrypt.org/

https://github.com/diafygi/acme-tiny

Create the private key for the certificate and the related request for the web site:

# generate the key with a restrictive umask so it is never world-readable, not even briefly
(umask 077; openssl genrsa 4096 > /etc/pki/tls/private/https.key)
chown apache /etc/pki/tls/private/https.key
chmod 600 /etc/pki/tls/private/https.key

Create the CSR with CN= set to the host name:

openssl req -new -sha256 -key /etc/pki/tls/private/https.key -subj "/CN=`hostname -f`" > /etc/pki/tls/certs/https.csr

Temporarily use the CSR in place of the certificate files:

cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https.crt
cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chain.crt
cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chained.crt

Create the acme-challenge directory for the web server:

mkdir /var/www/acme-challenge

Point Apache at the certificate files and configure it to serve the acme-challenge directory over plain HTTP:

cat > /etc/httpd/conf.d/acme.conf <<'EOT'
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/certs/https.crt
SSLCertificateKeyFile /etc/pki/tls/private/https.key
SSLCertificateChainFile /etc/pki/tls/certs/https-chain.crt
 
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.34&openssl=1.0.2k&hsts=no&profile=intermediate
# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
 
Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
<Directory "/var/www/acme-challenge/">
   <IfModule mod_authz_core.c>
     # Apache 2.4
     Require all granted
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order allow,deny
     Allow from All
   </IfModule>
  php_flag engine off
  AllowOverride None
  Options None
</Directory>
EOT

Restart Apache:

service httpd restart

Create an "acme" user:

useradd acme

Authorize the acme user to reload httpd via sudo:

echo 'acme ALL=(root) NOPASSWD: /sbin/service httpd reload' > /etc/sudoers.d/acme   # sudoers needs the full path of the command; adjust it to where service(8) lives on your distribution
chmod 0440 /etc/sudoers.d/acme   # sudo ignores files in sudoers.d that are more permissive than 0440

Fix file permissions:

chown acme /etc/pki/tls/certs/https.crt
chown acme /etc/pki/tls/certs/https-chain.crt
chown acme /etc/pki/tls/certs/https-chained.crt
chown acme /var/www/acme-challenge

From now on, work as the "acme" user:

su - acme

Create the requester (account) key for the ACME protocol:

openssl genrsa 4096 > account.key

Create symlinks to the certificate files:

ln -s /etc/pki/tls/certs/https.crt .
ln -s /etc/pki/tls/certs/https-chain.crt .
ln -s /etc/pki/tls/certs/https-chained.crt .
ln -s /etc/pki/tls/certs/https.csr .
ln -s /var/www/acme-challenge .

To obtain a CSR covering all the host names configured in Apache:

cat > get_certs_for_all_aliases.sh <<'EOT'
#!/bin/bash
# Builds a CSR whose subjectAltName lists every Apache virtual host and alias
# that actually answers for this server on the acme-challenge path.
# Note: the user running this script needs read access to /etc/pki/tls/private/https.key.
 
aliases=
sep=
for host in $(httpd -S | egrep 'alias|namevhost' | sed -r 's/^.*(alias|namevhost) (\S+).*$/\2/' | sort -u | egrep -v "internal$"); do
 
  # Drop a random token into the challenge directory and fetch it back over plain HTTP:
  # only names that resolve to this host and are served by it qualify for the certificate.
  checkfile=checkme$RANDOM
  echo "$checkfile" > /var/www/acme-challenge/$checkfile
 
  RESP=$(curl -s "http://$host/.well-known/acme-challenge/$checkfile")
  # remove the token right away, one per iteration, so no test files are left behind
  rm -f /var/www/acme-challenge/$checkfile
 
  if [ "$RESP" == "$checkfile" ]; then
    echo "$host is host alias"
    aliases=$aliases${sep}DNS:$host
    sep=','
#  else
#    echo "$host is NOT host alias"
  fi
 
done
 
if [ -z "$aliases" ]; then
  echo "No reachable host names found, not generating a CSR." >&2
  exit 1
fi
 
# Empty subject, all names in the SAN extension; the CSR (with a text dump) is printed on stdout.
openssl req -text -new -sha256 -key /etc/pki/tls/private/https.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=$aliases"))
EOT
 
chmod +x get_certs_for_all_aliases.sh
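The script above relies on the "-reqexts SAN -config <(...)" trick to put every host name into the subjectAltName extension, but it never checks what actually ended up in the CSR. The following is an added example (not part of the original page and not acme-tiny code) that builds such a CSR from a list of host names using the same technique with a self-contained OpenSSL config file instead of /etc/pki/tls/openssl.cnf, and then parses the CSR back to confirm that every expected name is present. The host names, the temporary key and the file names are constructed for the example; it runs offline with only openssl installed.

```shell
#!/bin/bash
# Added example, not from the original page: build a multi-name CSR and
# verify its subjectAltName contents. Hostnames and paths are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Join host names into the "DNS:a,DNS:b" form openssl expects in subjectAltName.
san_list() {
  out=
  sep=
  for h in "$@"; do
    out="${out}${sep}DNS:${h}"
    sep=','
  done
  printf '%s' "$out"
}

# Create a CSR for the given hosts (first host becomes the CN) and print its path.
# A minimal config file replaces the system openssl.cnf so the example is self-contained.
make_san_csr() {
  key="$1"; shift
  csr="$WORKDIR/san.csr"
  san=$(san_list "$@")
  printf '[req]\ndistinguished_name=dn\n[dn]\n[SAN]\nsubjectAltName=%s\n' "$san" > "$WORKDIR/req.cnf"
  openssl req -new -sha256 -key "$key" -subj "/CN=$1" -reqexts SAN \
    -config "$WORKDIR/req.cnf" -out "$csr" 2>/dev/null
  printf '%s' "$csr"
}

# Print the DNS names found in a CSR's subjectAltName, one per line, sorted.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ,]*\).*/\1/p' | sort -u
}

# Return 0 when every host name given is present in the CSR, 1 otherwise.
csr_covers() {
  csr="$1"; shift
  names=$(csr_dns_names "$csr")
  for h in "$@"; do
    printf '%s\n' "$names" | grep -qx -- "$h" || return 1
  done
  return 0
}

# Throw-away key (constructed for the example; never reuse a test key in production).
openssl genrsa -out "$WORKDIR/test.key" 2048 2>/dev/null
CSR=$(make_san_csr "$WORKDIR/test.key" www.example.test example.test mail.example.test)
echo "Names in CSR:"
csr_dns_names "$CSR"
```

Running the check on the real CSR before handing it to acme-tiny catches the two failure modes seen with the alias script: a name silently dropped because its HTTP check failed, and an empty SAN list that makes openssl abort.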

Download acme-tiny:

git clone https://github.com/diafygi/acme-tiny.git

Create a tmp directory in the acme user's home:

mkdir tmp

Create the renew script:

cat > renew.sh <<'EOT'
#!/bin/bash
 
cd "$HOME" || exit 1
 
# Intermediate certificate used to build the chain. The file name is tied to the
# Let's Encrypt intermediate current at the time of writing and must be updated
# when the CA rotates it. -f makes curl fail on HTTP errors instead of saving an
# HTML error page as the chain.
curl -sf https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > tmp/$$.chain
if [ $? != 0 ]; then
  echo "Error downloading chain pem. Exiting."
  exit 1
fi
cat tmp/$$.chain > https-chain.crt && rm -f tmp/$$.chain
 
python acme-tiny/acme_tiny.py --quiet --account-key account.key --csr https.csr --acme-dir acme-challenge/ > tmp/$$.cert
if [ $? != 0 ]; then
  echo "Error requesting certificate. Exiting."
  exit 1
fi
cat tmp/$$.cert > https.crt && rm -f tmp/$$.cert
# Chained file: leaf certificate first, then the chain. Rewrite it on every run
# instead of appending, otherwise a new copy of the chain piles up at each renewal.
cat https.crt https-chain.crt > https-chained.crt
 
sudo service httpd reload > /dev/null
if [ $? != 0 ]; then
  echo "Error reloading httpd. Exiting."
  exit 1
fi
EOT
 
chmod +x renew.sh
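The renew script assembles https-chained.crt from the leaf certificate and the downloaded chain, and the order and freshness of that file are what a TLS client sees. The following is an added example (not from the original page and not acme-tiny code) that shows the assembly done atomically, with the leaf first, and checks the result with openssl: the bundle must contain exactly one leaf plus the chain no matter how many times the renewal runs, the first certificate in it must be the server's, and the leaf must verify against the chain. Because it has to run offline, a throw-away CA generated here stands in for the Let's Encrypt intermediate; the CA name, host name and file names are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original page: build and check a chained
# certificate file. The CA, host name and paths are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CONF="$WORKDIR/openssl.cnf"
# Minimal self-contained OpenSSL config: a CA extension section for the test root.
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$CONF"

# Write leaf + chain to $3, replacing it in one step so a reader never sees a
# half-written file, and so repeated runs never grow the bundle.
build_chained() {
  leaf="$1"; chain="$2"; out="$3"
  cat "$leaf" "$chain" > "$out.tmp"
  mv "$out.tmp" "$out"
}

# Number of PEM certificates in a file.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# CN of the first certificate in a PEM bundle (openssl x509 reads only the first one).
first_cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# 0 if the leaf ($1) verifies against the chain file ($2), 1 otherwise.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# Throw-away root CA standing in for the issuing intermediate (constructed).
openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
openssl req -x509 -new -sha256 -key "$WORKDIR/ca.key" -subj "/CN=Example Test CA" \
  -days 1 -config "$CONF" -extensions v3_ca -out "$WORKDIR/chain.crt" 2>/dev/null

# Leaf certificate for the web server, signed by that CA (constructed).
openssl genrsa -out "$WORKDIR/https.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$WORKDIR/https.key" -subj "/CN=www.example.test" \
  -config "$CONF" -out "$WORKDIR/https.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORKDIR/https.csr" -CA "$WORKDIR/chain.crt" \
  -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/https.crt" 2>/dev/null

CHAINED="$WORKDIR/https-chained.crt"
# Run the assembly twice, as two renewals would: the bundle must still hold
# exactly two certificates (leaf + chain) afterwards.
build_chained "$WORKDIR/https.crt" "$WORKDIR/chain.crt" "$CHAINED"
build_chained "$WORKDIR/https.crt" "$WORKDIR/chain.crt" "$CHAINED"
echo "certificates in bundle: $(count_certs "$CHAINED"), first CN: $(first_cert_cn "$CHAINED")"
```

The same three checks (certificate count, first CN, openssl verify of the leaf against https-chain.crt) can be run against the real files after renew.sh, before the httpd reload is trusted to have picked up a sane bundle.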

Run the first renewal:

/home/acme/renew.sh

Configure the crontab, still as the acme user:

30 9 15 * * /home/acme/renew.sh

strutture/lnf/dr/calcolo/sistemi/letsencrypt.txt · Last modified: 2018/03/20 10:03 by dmaselli@infn.it