strutture:lnf:dr:calcolo:sistemi:letsencrypt (revision 2018/03/20 10:03, dmaselli@infn.it)

====== Automatic SSL Certificates for Web Servers ======

[[https://letsencrypt.org/]]

[[https://github.com/diafygi/acme-tiny]]

Create the private key for the web site (the umask makes the key unreadable by other users from the moment it is written, instead of leaving a world-readable copy until the chmod runs):
  (umask 077; openssl genrsa 4096 > /etc/pki/tls/private/https.key)
  chown apache /etc/pki/tls/private/https.key
  chmod 600 /etc/pki/tls/private/https.key

Create the CSR with CN set to the host name:
  openssl req -new -sha256 -key /etc/pki/tls/private/https.key -subj "/CN=`hostname -f`" > /etc/pki/tls/certs/https.csr

Temporarily use the CSR in place of the certificate files, so that the paths referenced by the Apache configuration below exist (mod_ssl cannot load a CSR as a certificate: if an SSL virtual host already uses these files, create a self-signed placeholder with ''openssl req -x509'' instead, or Apache will refuse to start until the first renew has run):
  cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https.crt
  cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chain.crt
  cp /etc/pki/tls/certs/https.csr /etc/pki/tls/certs/https-chained.crt

Create the acme-challenge directory for the web server:
  mkdir /var/www/acme-challenge

Point the certificate directives at these files and configure Apache to serve the acme-challenge directory over plain HTTP (Let's Encrypt validates the http-01 challenge on port 80, so this path must be reachable without TLS):

<code bash>
cat > /etc/httpd/conf.d/acme.conf <<'EOT'
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/certs/https.crt
SSLCertificateKeyFile /etc/pki/tls/private/https.key
SSLCertificateChainFile /etc/pki/tls/certs/https-chain.crt

# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.2.34&openssl=1.0.2k&hsts=no&profile=intermediate
# intermediate configuration, tweak to your needs
# (the profile still allows TLS 1.0/1.1 and the 3DES suites for old clients;
# add -TLSv1 -TLSv1.1 and drop the DES-CBC3 suites if you do not need them)
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# Challenge tokens are served over plain HTTP from a directory the acme user
# can write to; nothing in it must ever be executed or interpreted
Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
<Directory "/var/www/acme-challenge/">
   <IfModule mod_authz_core.c>
     # Apache 2.4
     Require all granted
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order allow,deny
     Allow from All
   </IfModule>
  # php_flag is only accepted when mod_php is loaded; remove it otherwise
  php_flag engine off
  AllowOverride None
  Options None
</Directory>
EOT
</code>

Restart Apache:
  service httpd restart

Create an "acme" user:
  useradd acme

Allow the acme user to reload httpd via sudo (sudoers requires the absolute path of the command, the file must be mode 0440, and ''visudo -c'' catches a syntax error before it breaks sudo for every user):
  echo 'acme ALL=(root) NOPASSWD: /sbin/service httpd reload' > /etc/sudoers.d/acme
  chmod 0440 /etc/sudoers.d/acme
  visudo -cf /etc/sudoers.d/acme

Fix file permissions (the acme user only needs to write the certificate files and the challenge directory; it never needs the private key):
  chown acme /etc/pki/tls/certs/https.crt
  chown acme /etc/pki/tls/certs/https-chain.crt
  chown acme /etc/pki/tls/certs/https-chained.crt
  chown acme /var/www/acme-challenge
  
From now on, as user "acme":
  su - acme

Create the account key for the ACME protocol (it identifies this account at Let's Encrypt and signs every request, so it is created unreadable to other users):
  (umask 077; openssl genrsa 4096 > account.key)
  
Create symlinks to the certificate files:
  ln -s /etc/pki/tls/certs/https.crt .
  ln -s /etc/pki/tls/certs/https-chain.crt .
  ln -s /etc/pki/tls/certs/https-chained.crt .
  ln -s /etc/pki/tls/certs/https.csr .
  ln -s /var/www/acme-challenge .
  
To obtain a CSR listing every host configured in Apache (each name is tested by fetching a random token through the challenge path, so only names that really reach this server end up in the SAN; a name that does not would make Let's Encrypt fail the whole request):
<code bash>
cat > get_certs_for_all_aliases.sh <<'EOT'
#!/bin/bash

aliases=
sep=
# Every ServerName/ServerAlias known to httpd, deduplicated, minus internal names
for host in `httpd -S | egrep 'alias|namevhost' | sed -r 's/^.*(alias|namevhost) (\S+).*$/\2/' | sort -u | egrep -v "internal$" | egrep -v "^$aliases$"`; do

  # Drop a random token in the challenge directory and fetch it back through
  # the name under test: only names that really point here return it.
  # The token is removed after each test, not just after the last one.
  checkfile=checkme$RANDOM
  echo "$checkfile" > /var/www/acme-challenge/$checkfile

  RESP=`curl -s --max-time 10 http://$host/.well-known/acme-challenge/$checkfile`
  rm -f /var/www/acme-challenge/$checkfile

  if [ "$RESP" == "$checkfile" ]; then
    # progress goes to stderr so that stdout holds only the CSR
    echo $host is host alias >&2
    aliases=$aliases${sep}DNS:$host
    sep=','
#  else
#    echo $host is NOT host alias >&2
  fi

done

# CSR with an empty subject and all verified names in subjectAltName
openssl req -text -new -sha256 -key /etc/pki/tls/private/https.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=$aliases"))
EOT

chmod +x get_certs_for_all_aliases.sh
</code>

The script reads the private key, which the permissions above deny to the acme user, so run it as root and save its output as /etc/pki/tls/certs/https.csr (the ''-text'' dump printed before the PEM block is skipped by openssl and by acme-tiny, which only look for the BEGIN line).

Download acme-tiny (a single Python file that will hold the account key and drive the whole issuance: read it, and pin the checkout to a commit you have reviewed rather than whatever master is on the day of the clone):
  git clone https://github.com/diafygi/acme-tiny.git
  

Create a tmp directory in the acme home:
  mkdir tmp
  
Create the renew script:
<code bash>
cat > renew.sh <<'EOT'
#!/bin/bash

cd $HOME

# Intermediate CA that signs Let's Encrypt leaf certificates. Its name changes
# over time (X1 was retired in 2016, X3 was current when this page was written):
# check the issuer of the certificate you get back and update the URL when it
# changes. -f makes curl fail on an HTTP error instead of saving an error page.
curl -sf https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > tmp/$$.chain
if [ $? != 0 ]; then
  echo "Error downloading chain pem. Exiting."
  exit 1
fi

# acme-tiny proves control of each SAN by writing tokens into acme-challenge/
# and prints the issued leaf certificate (PEM) on stdout
python acme-tiny/acme_tiny.py --quiet --account-key account.key --csr https.csr --acme-dir acme-challenge/ > tmp/$$.cert
if [ $? != 0 ]; then
  echo "Error requesting certificate. Exiting."
  exit 1
fi

# Install nothing Apache could not verify: the new leaf must chain to a
# trusted root through the intermediate just downloaded
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -untrusted tmp/$$.chain tmp/$$.cert > /dev/null
if [ $? != 0 ]; then
  echo "Error: new certificate does not verify against the chain. Exiting."
  rm -f tmp/$$.chain tmp/$$.cert
  exit 1
fi

cat tmp/$$.chain > https-chain.crt && rm -f tmp/$$.chain
cat tmp/$$.cert > https.crt && rm -f tmp/$$.cert
# Full chain is the leaf followed by the intermediate; overwrite it
# (appending would grow the file on every run and never include the leaf)
cat https.crt https-chain.crt > https-chained.crt

sudo /sbin/service httpd reload > /dev/null
if [ $? != 0 ]; then
  echo "Error reloading httpd. Exiting."
  exit 1
fi
EOT

chmod +x renew.sh
</code>


Run the first renew:
  /home/acme/renew.sh
  
Configure the crontab, again as user acme (Let's Encrypt certificates last 90 days, so a monthly run leaves two more attempts if one fails; the script's error messages reach you through cron mail):
  30 9 15 * * /home/acme/renew.sh

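An added worked example, not part of the original page or of acme-tiny, that ties together the two scripts above: ''make_san_csr'' builds the same SAN-only CSR that ''get_certs_for_all_aliases.sh'' produces, but from an explicit host list instead of ''httpd -S'', and ''check_issued_cert'' performs the checks a renew script should run before touching the files Apache loads: the returned file is a certificate, it chains to the CA bundle through the downloaded intermediate, its public key matches our private key, it is not about to expire, and its SAN covers every name we serve. It needs only bash and the openssl CLI; every path and host name is an argument, and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the wiki page or acme-tiny): build a SAN-only CSR
# from a list of hostnames and validate an issued certificate before it is
# installed. Needs only bash and the openssl CLI; function names are our own.

# make_san_csr KEY OUT_CSR HOST...
# Writes a CSR for KEY whose subjectAltName lists every HOST (CN = first host).
make_san_csr() {
  local key=$1 out=$2; shift 2
  local san="" sep="" host
  for host in "$@"; do
    san="${san}${sep}DNS:${host}"
    sep=","
  done
  [ -n "$san" ] || { echo "make_san_csr: no hostnames given" >&2; return 1; }
  # Minimal throw-away config: no DN prompts, SAN in its own extension section
  local cfg rc
  cfg=$(mktemp) || return 1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[SAN]\nsubjectAltName = %s\n' \
    "$1" "$san" > "$cfg"
  openssl req -new -sha256 -key "$key" -config "$cfg" -reqexts SAN -out "$out" 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return $rc
}

# pem_sans x509|req FILE
# Prints the DNS names in FILE's subjectAltName, one per line.
pem_sans() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_issued_cert CERT CHAIN KEY CA_BUNDLE HOST...
# Returns 0 only if CERT parses, verifies against CA_BUNDLE through the
# intermediate(s) in CHAIN, matches KEY, is valid for at least one more day
# and names every HOST in its subjectAltName.
check_issued_cert() {
  local cert=$1 chain=$2 key=$3 ca=$4; shift 4
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "check: $cert is not a certificate" >&2; return 1; }
  openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "check: $cert does not chain to $ca via $chain" >&2; return 1; }
  # The public key inside the certificate must be the one derived from KEY
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "check: $cert does not match $key" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 \
    || { echo "check: $cert expires within 24 hours" >&2; return 1; }
  local sans host
  sans=$(pem_sans x509 "$cert")
  for host in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$host" \
      || { echo "check: $cert does not cover $host" >&2; return 1; }
  done
  return 0
}

# Stand-alone use:
#   cert_tools.sh csr   KEY OUT_CSR HOST...
#   cert_tools.sh check CERT CHAIN KEY CA_BUNDLE HOST...
case "${1:-}" in
  csr)   shift; make_san_csr "$@" ;;
  check) shift; check_issued_cert "$@" ;;
esac
```

In renew.sh the call would sit between the acme-tiny run and the ''cat'' lines, e.g. ''check_issued_cert tmp/$$.cert tmp/$$.chain /etc/pki/tls/private/https.key /etc/pki/tls/certs/ca-bundle.crt host1 host2 || exit 1''; note that the key check needs read access to the private key, so either run the check as root or drop that single test when the script runs as the acme user.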
  
