## Installation des certificats letsencrypt
root@aijan:/home/ericadmin/bin# apt install certbot python-certbot-apache
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
The following additional packages will be installed:
augeas-lenses libaugeas0 python-acme python-augeas python-certbot python-cffi-backend python-chardet python-configargparse python-configobj python-cryptography
python-dnspython python-enum34 python-funcsigs python-idna python-ipaddress python-mock python-openssl python-parsedatetime python-pbr python-pkg-resources python-psutil
python-pyasn1 python-pyicu python-requests python-rfc3339 python-setuptools python-six python-tz python-urllib3 python-zope.component python-zope.event
python-zope.hookable python-zope.interface
...
Bien, les programmes sont installés. Nous allons créer des certificats pour les zones suivantes, après avoir créé les hôtes virtuels apache.
yojik.net
www.yojik.net
atom.yojik.net
Les 2 premiers concernent le site web, le dernier, le serveur de mail. Nous allons d'abord rajouter les noms manquants dans le fichier de zone DNS; pour l'instant, nous n'avons déclaré qu'un seul nom: aijan.yojik.net. Rajoutons les suivants avec des enregistrements CNAME. Ne pas oublier d'incrémenter le compteur situé dans le fichier de zone DNS après chaque modification.
Nous ajoutons ici la référence du serveur web, avec un enregistrement CNAME: www.yojik.eu
www IN CNAME aijan.yojik.net.
Relecture des fichiers de configuration par bind:
root@aijan:/home/ericadmin# service bind9 reload
lancement du programme certbot
certbot --apache
root@aijan:/home/ericadmin# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yojik.net
2: www.yojik.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1 2
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Bon, il y a un problème ... après recherche sur le web, il se trouve que le programme certbot de Debian/stretch n'est pas à jour (modification due à un problème de sécurité.) (lien: https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983)
Il nous faut ajouter dans /etc/sources.list le dépot backports pour obtenir le fichier qui suit: (lien: https://backports.debian.org/Instructions/)
root@aijan:/home/ericadmin# cat /etc/apt/sources.list
#
# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main
#deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main
deb http://deb.debian.org/debian/ stretch main contrib non-free
deb-src http://deb.debian.org/debian/ stretch main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
# stretch-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://deb.debian.org/debian/ stretch-updates main contrib non-free
deb http://ftp.debian.org/debian stretch-backports main contrib non-free
Notez la dernière ligne rajoutée au fichier. Ensuite,entrez les commandes suivantes:
apt update apt-get install python-certbot-apache -t stretch-backports
Un grand nombre de paquets vont être installés ...
On relance le programme certbot:
certbot --apache
Cette fois-ci, ça fonctionne.
root@aijan:/home/ericadmin# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yojik.net
2: www.yojik.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yojik.net
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/yojiknet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/yojiknet-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/yojiknet-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/yojiknet.conf to ssl vhost in /etc/apache2/sites-available/yojiknet-le-ssl.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://yojik.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yojik.net
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yojik.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yojik.net/privkey.pem
Your cert will expire on 2018-08-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@aijan:/home/ericadmin#
On retape les mêmes commandes pour générer les certificats pour le domaine www.yojik.net.
Testez votre configuration comme indiqué ci-dessus. Vous devez obtenir une note A.
Il nous faut maintenant créer un certificat pour notre serveur mail:
``root@aijan:/home/ericadmin# certbot certonly -d aijan.yojik.net Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache) 2: Spin up a temporary webserver (standalone) 3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1 Plugins selected: Authenticator apache, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for aijan.yojik.net Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/aijan.yojik.net/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/aijan.yojik.net/privkey.pem Your cert will expire on 2018-08-19. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
root@aijan:/home/ericadmin# `
```
Voilà, le certificat est créé.