Let’s Encrypt je certifikační autorita, která vám vydá zdarma certifikát a umožní jej automaticky obnovovat. V tomto příspěvku si nainstalujeme certifikát a nakonfigurujeme webový server Nginx tak, aby web komunikoval pomocí HTTPS.
Přidání repozitáře
add-apt-repository ppa:certbot/certbot
Update a instalace
apt-get update apt-get install python-certbot-nginx
Mělo by fungovat i toto
apt-get install software-properties-common apt-get install certbot
Do Nginx konfigurace je třeba doplnit
location /.well-known/acme-challenge { root /var/www/letsencrypt; }
Instalace certifikátu (složku /var/www/letsencrypt si musíte vytvořit)
certbot certonly --webroot --agree-tos --no-eff-email --email mujmail@mail.cz -w /var/www/letsencrypt -d www.mojedomena.cz -d mojedomena.cz Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for www.mojedomena.cz http-01 challenge for mojedomena.cz Using the webroot path /var/www/letsencrypt for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.mojedomena.cz/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.mojedomena.cz/privkey.pem Your cert will expire on 2018-06-28. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Zde je obsah README, který se s dalšími soubory vytvořil ve složce /etc/letsencrypt/live/www.mojedomena.cz/
This directory contains your keys and certificates. `privkey.pem` : the private key for your certificate. `fullchain.pem`: the certificate file used in most server software. `chain.pem` : used for OCSP stapling in Nginx >=1.3.7. `cert.pem` : will break many server configurations, and should not be used without reading further documentation (see link below). We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
Nyní změníme konfigurace Nginx tak, aby poslouchal i na portu 443 a zároveň všechnu komunikaci po HTTP přesměrujeme na HTTPS (return 301 https://www.mojedomena.cz$request_uri;
). Uvádím zde celou konfiguraci. Pokud jste nečetli předchozí příspěvek na téma Nginx a Tomcat, záznam proxy_pass http://localhost:8080/
; směřuje komunikaci na port 8080, kde standardně poslouchá Tomcat.
server { listen 80; listen [::]:80; server_name mojedomena.cz www.mojedomena.cz; return 301 https://www.mojedomena.cz$request_uri; location /.well-known/acme-challenge { root /var/www/letsencrypt; } } server { listen 443 ssl; listen [::]:443 ssl; server_name mojedomena.cz www.mojedomena.cz; ssl_certificate /etc/letsencrypt/live/www.mojedomena.cz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mojedomena.cz/privkey.pem; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://localhost:8080/; } }
Nyní otestujeme obnovení certifikátu
certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/www.mojedomena.cz.conf ------------------------------------------------------------------------------- Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for mojedomena.cz http-01 challenge for www.mojedomena.cz Waiting for verification... Cleaning up challenges ------------------------------------------------------------------------------- new certificate deployed without reload, fullchain is /etc/letsencrypt/live/www.mojedomena.cz/fullchain.pem ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/www.mojedomena.cz/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) ------------------------------------------------------------------------------- IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
Zdroje: