index.html 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443
  1. <!DOCTYPE html>
  2. <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
  3. <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
  4. <head>
  5. <meta charset="utf-8">
  6. <meta http-equiv="X-UA-Compatible" content="IE=edge">
  7. <meta name="viewport" content="width=device-width, initial-scale=1.0">
  8. <title>Installation des certificats letsencrypt - The Yojik Server Installation Guide</title>
  9. <link rel="shortcut icon" href="../img/favicon.ico">
  10. <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
  11. <link rel="stylesheet" href="../css/theme.css" type="text/css" />
  12. <link rel="stylesheet" href="../css/theme_extra.css" type="text/css" />
  13. <link rel="stylesheet" href="../css/highlight.css">
  14. <script>
  15. // Current page data
  16. var mkdocs_page_name = "Installation des certificats letsencrypt";
  17. var mkdocs_page_input_path = "11-onze.md";
  18. var mkdocs_page_url = "/11-onze/";
  19. </script>
  20. <script src="../js/jquery-2.1.1.min.js"></script>
  21. <script src="../js/modernizr-2.8.3.min.js"></script>
  22. <script type="text/javascript" src="../js/highlight.pack.js"></script>
  23. <script src="../js/theme.js"></script>
  24. </head>
  25. <body class="wy-body-for-nav" role="document">
  26. <div class="wy-grid-for-nav">
  27. <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
  28. <div class="wy-side-nav-search">
  29. <a href=".." class="icon icon-home"> The Yojik Server Installation Guide</a>
  30. <div role="search">
  31. <form id ="rtd-search-form" class="wy-form" action="../search.html" method="get">
  32. <input type="text" name="q" placeholder="Search docs" />
  33. </form>
  34. </div>
  35. </div>
  36. <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
  37. <ul class="current">
  38. <li>
  39. <li class="toctree-l1 ">
  40. <a class="" href="..">Home</a>
  41. </li>
  42. <li>
  43. <li>
  44. <li class="toctree-l1 ">
  45. <a class="" href="../1-un/">Installation d'un serveur Debian/Stretch sécurisé</a>
  46. </li>
  47. <li>
  48. <li>
  49. <li class="toctree-l1 ">
  50. <a class="" href="../2-deux/">Premières étapes de sécurisation du serveur</a>
  51. </li>
  52. <li>
  53. <li>
  54. <li class="toctree-l1 ">
  55. <a class="" href="../3-trois/">Configuration du réseau</a>
  56. </li>
  57. <li>
  58. <li>
  59. <li class="toctree-l1 ">
  60. <a class="" href="../4-quatre/">Installation d'un serveur de temps</a>
  61. </li>
  62. <li>
  63. <li>
  64. <li class="toctree-l1 ">
  65. <a class="" href="../5-cinq/">Installation d'un pare-feu</a>
  66. </li>
  67. <li>
  68. <li>
  69. <li class="toctree-l1 ">
  70. <a class="" href="../6-six/">Contrer les attaques de brute-force avec fail2ban</a>
  71. </li>
  72. <li>
  73. <li>
  74. <li class="toctree-l1 ">
  75. <a class="" href="../7-sept/">Installation d'un serveur de courrier basique</a>
  76. </li>
  77. <li>
  78. <li>
  79. <li class="toctree-l1 ">
  80. <a class="" href="../8-huit/">Installation du serveur DNS</a>
  81. </li>
  82. <li>
  83. <li>
  84. <li class="toctree-l1 ">
  85. <a class="" href="../9-neuf/">Installation d'un serveur web</a>
  86. </li>
  87. <li>
  88. <li>
  89. <li class="toctree-l1 ">
  90. <a class="" href="../10-dix/">Installation de dovecot et de l'authentification</a>
  91. </li>
  92. <li>
  93. <li>
  94. <li class="toctree-l1 current">
  95. <a class="current" href="./">Installation des certificats letsencrypt</a>
  96. <ul>
  97. <li class="toctree-l3"><a href="#lancement-du-programme-certbot">lancement du programme certbot</a></li>
  98. <li class="toctree-l3"><a href="#how-would-you-like-to-authenticate-with-the-acme-ca">How would you like to authenticate with the ACME CA?</a></li>
  99. </ul>
  100. </li>
  101. <li>
  102. <li>
  103. <li class="toctree-l1 ">
  104. <a class="" href="../12-douze/">Ajout des enregistrements SPF et DKIM au fichier de zone DNS</a>
  105. </li>
  106. <li>
  107. <li>
  108. <li class="toctree-l1 ">
  109. <a class="" href="../17-dixsept/">Installation de programmes de surveillance du serveur</a>
  110. </li>
  111. <li>
  112. <li>
  113. <li class="toctree-l1 ">
  114. <a class="" href="../18-dixhuit/">Installation d'un webmail</a>
  115. </li>
  116. <li>
  117. <li>
  118. <li class="toctree-l1 ">
  119. <a class="" href="../19-dixneuf/">Installation de git et de gogs</a>
  120. </li>
  121. <li>
  122. </ul>
  123. </div>
  124. &nbsp;
  125. </nav>
  126. <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
  127. <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
  128. <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
  129. <a href="..">The Yojik Server Installation Guide</a>
  130. </nav>
  131. <div class="wy-nav-content">
  132. <div class="rst-content">
  133. <div role="navigation" aria-label="breadcrumbs navigation">
  134. <ul class="wy-breadcrumbs">
  135. <li><a href="..">Docs</a> &raquo;</li>
  136. <li>Installation des certificats letsencrypt</li>
  137. <li class="wy-breadcrumbs-aside">
  138. </li>
  139. </ul>
  140. <hr/>
  141. </div>
  142. <div role="main">
  143. <div class="section">
  144. <p>## Installation des certificats letsencrypt</p>
  145. <hr />
  146. <pre><code>root@aijan:/home/ericadmin/bin# apt install certbot python-certbot-apache
  147. Lecture des listes de paquets... Fait
  148. Construction de l'arbre des dépendances
  149. Lecture des informations d'état... Fait
  150. The following additional packages will be installed:
  151. augeas-lenses libaugeas0 python-acme python-augeas python-certbot python-cffi-backend python-chardet python-configargparse python-configobj python-cryptography
  152. python-dnspython python-enum34 python-funcsigs python-idna python-ipaddress python-mock python-openssl python-parsedatetime python-pbr python-pkg-resources python-psutil
  153. python-pyasn1 python-pyicu python-requests python-rfc3339 python-setuptools python-six python-tz python-urllib3 python-zope.component python-zope.event
  154. python-zope.hookable python-zope.interface
  155. ...
  156. </code></pre>
  157. <hr />
  158. <p>Bien, les programmes sont installés. Nous allons créer des certificats pour les zones suivantes, après avoir créé les hôtes virtuels apache.</p>
  159. <blockquote>
  160. <p>yojik.net</p>
  161. <p>www.yojik.net</p>
  162. <p>atom.yojik.net</p>
  163. </blockquote>
  164. <p>Les 2 premiers concernent le site web, le dernier, le serveur de mail. Nous allons d'abord rajouter les noms manquants dans le fichier de zone DNS; pour l'instant, nous n'avons déclaré qu'un seul nom: aijan.yojik.net. Rajoutons les suivants avec des enregistrements CNAME. Ne pas oublier d'incrémenter le compteur situé dans le fichier de zone DNS après chaque modification.</p>
  165. <p>Nous ajoutons ici la référence du serveur web, avec un enregistrement CNAME: www.yojik.eu</p>
  166. <hr />
  167. <pre><code>www IN CNAME aijan.yojik.net.
  168. </code></pre>
  169. <hr />
  170. <p>Relecture des fichiers de configuration par bind:</p>
  171. <hr />
  172. <pre><code>root@aijan:/home/ericadmin# service bind9 reload
  173. </code></pre>
  174. <hr />
  175. <h3 id="lancement-du-programme-certbot">lancement du programme certbot</h3>
  176. <blockquote>
  177. <p>certbot --apache</p>
  178. </blockquote>
  179. <hr />
  180. <pre><code>root@aijan:/home/ericadmin# certbot --apache
  181. Saving debug log to /var/log/letsencrypt/letsencrypt.log
  182. Which names would you like to activate HTTPS for?
  183. -------------------------------------------------------------------------------
  184. 1: yojik.net
  185. 2: www.yojik.net
  186. -------------------------------------------------------------------------------
  187. Select the appropriate numbers separated by commas and/or spaces, or leave input
  188. blank to select all options shown (Enter 'c' to cancel):1 2
  189. Obtaining a new certificate
  190. Performing the following challenges:
  191. Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
  192. Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
  193. </code></pre>
  194. <hr />
  195. <p>Bon, il y a un problème ... après recherche sur le web, il se trouve que le programme certbot de Debian/stretch n'est pas à jour (modification due à un problème de sécurité.) (lien: https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983)</p>
  196. <p>Il nous faut ajouter dans /etc/sources.list le dépot <strong>backports</strong> pour obtenir le fichier qui suit:
  197. (lien: https://backports.debian.org/Instructions/)</p>
  198. <hr />
  199. <pre><code>root@aijan:/home/ericadmin# cat /etc/apt/sources.list
  200. #
  201. # deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main
  202. #deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main
  203. deb http://deb.debian.org/debian/ stretch main contrib non-free
  204. deb-src http://deb.debian.org/debian/ stretch main contrib non-free
  205. deb http://security.debian.org/debian-security stretch/updates main contrib non-free
  206. deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
  207. # stretch-updates, previously known as 'volatile'
  208. deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
  209. deb-src http://deb.debian.org/debian/ stretch-updates main contrib non-free
  210. deb http://ftp.debian.org/debian stretch-backports main contrib non-free
  211. </code></pre>
  212. <hr />
  213. <p>Notez la dernière ligne rajoutée au fichier. Ensuite,entrez les commandes suivantes:</p>
  214. <blockquote>
  215. <p>apt update
  216. apt-get install python-certbot-apache -t stretch-backports</p>
  217. </blockquote>
  218. <p>Un grand nombre de paquets vont être installés ...</p>
  219. <p>On relance le programme certbot:</p>
  220. <blockquote>
  221. <p>certbot --apache</p>
  222. </blockquote>
  223. <p>Cette fois-ci, ça fonctionne.</p>
  224. <hr />
  225. <pre><code>root@aijan:/home/ericadmin# certbot --apache
  226. Saving debug log to /var/log/letsencrypt/letsencrypt.log
  227. Plugins selected: Authenticator apache, Installer apache
  228. Which names would you like to activate HTTPS for?
  229. -------------------------------------------------------------------------------
  230. 1: yojik.net
  231. 2: www.yojik.net
  232. -------------------------------------------------------------------------------
  233. Select the appropriate numbers separated by commas and/or spaces, or leave input
  234. blank to select all options shown (Enter 'c' to cancel): 1
  235. Obtaining a new certificate
  236. Performing the following challenges:
  237. http-01 challenge for yojik.net
  238. Waiting for verification...
  239. Cleaning up challenges
  240. Created an SSL vhost at /etc/apache2/sites-available/yojiknet-le-ssl.conf
  241. Deploying Certificate to VirtualHost /etc/apache2/sites-available/yojiknet-le-ssl.conf
  242. Enabling available site: /etc/apache2/sites-available/yojiknet-le-ssl.conf
  243. Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
  244. -------------------------------------------------------------------------------
  245. 1: No redirect - Make no further changes to the webserver configuration.
  246. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
  247. new sites, or if you're confident your site works on HTTPS. You can undo this
  248. change by editing your web server's configuration.
  249. -------------------------------------------------------------------------------
  250. Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
  251. Redirecting vhost in /etc/apache2/sites-enabled/yojiknet.conf to ssl vhost in /etc/apache2/sites-available/yojiknet-le-ssl.conf
  252. -------------------------------------------------------------------------------
  253. Congratulations! You have successfully enabled https://yojik.net
  254. You should test your configuration at:
  255. https://www.ssllabs.com/ssltest/analyze.html?d=yojik.net
  256. -------------------------------------------------------------------------------
  257. IMPORTANT NOTES:
  258. - Congratulations! Your certificate and chain have been saved at:
  259. /etc/letsencrypt/live/yojik.net/fullchain.pem
  260. Your key file has been saved at:
  261. /etc/letsencrypt/live/yojik.net/privkey.pem
  262. Your cert will expire on 2018-08-19. To obtain a new or tweaked
  263. version of this certificate in the future, simply run certbot again
  264. with the &quot;certonly&quot; option. To non-interactively renew *all* of
  265. your certificates, run &quot;certbot renew&quot;
  266. - If you like Certbot, please consider supporting our work by:
  267. Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  268. Donating to EFF: https://eff.org/donate-le
  269. root@aijan:/home/ericadmin#
  270. </code></pre>
  271. <hr />
  272. <p>On retape les mêmes commandes pour générer les certificats pour le domaine <strong>www.yojik.net</strong>.</p>
  273. <p>Testez votre configuration comme indiqué ci-dessus. Vous devez obtenir une note <strong>A</strong>.</p>
  274. <p>Il nous faut maintenant créer un certificat pour notre serveur mail:</p>
  275. <hr />
  276. <p>``root@aijan:/home/ericadmin# certbot certonly -d aijan.yojik.net
  277. Saving debug log to /var/log/letsencrypt/letsencrypt.log</p>
  278. <h2 id="how-would-you-like-to-authenticate-with-the-acme-ca">How would you like to authenticate with the ACME CA?</h2>
  279. <p>1: Apache Web Server plugin - Beta (apache)
  280. 2: Spin up a temporary webserver (standalone)
  281. 3: Place files in webroot directory (webroot)</p>
  282. <hr />
  283. <p>Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
  284. Plugins selected: Authenticator apache, Installer None
  285. Obtaining a new certificate
  286. Performing the following challenges:
  287. http-01 challenge for aijan.yojik.net
  288. Waiting for verification...
  289. Cleaning up challenges</p>
  290. <p>IMPORTANT NOTES:
  291. - Congratulations! Your certificate and chain have been saved at:
  292. /etc/letsencrypt/live/aijan.yojik.net/fullchain.pem
  293. Your key file has been saved at:
  294. /etc/letsencrypt/live/aijan.yojik.net/privkey.pem
  295. Your cert will expire on 2018-08-19. To obtain a new or tweaked
  296. version of this certificate in the future, simply run certbot
  297. again. To non-interactively renew <em>all</em> of your certificates, run
  298. "certbot renew"
  299. - If you like Certbot, please consider supporting our work by:</p>
  300. <p>Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  301. Donating to EFF: https://eff.org/donate-le</p>
  302. <p>root@aijan:/home/ericadmin#
  303. `</p>
  304. <p>```</p>
  305. <hr />
  306. <p>Voilà, le certificat est créé.</p>
  307. </div>
  308. </div>
  309. <footer>
  310. <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
  311. <a href="../12-douze/" class="btn btn-neutral float-right" title="Ajout des enregistrements SPF et DKIM au fichier de zone DNS">Next <span class="icon icon-circle-arrow-right"></span></a>
  312. <a href="../10-dix/" class="btn btn-neutral" title="Installation de dovecot et de l'authentification"><span class="icon icon-circle-arrow-left"></span> Previous</a>
  313. </div>
  314. <hr/>
  315. <div role="contentinfo">
  316. <!-- Copyright etc -->
  317. </div>
  318. Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
  319. </footer>
  320. </div>
  321. </div>
  322. </section>
  323. </div>
  324. <div class="rst-versions" role="note" style="cursor: pointer">
  325. <span class="rst-current-version" data-toggle="rst-current-version">
  326. <span><a href="../10-dix/" style="color: #fcfcfc;">&laquo; Previous</a></span>
  327. <span style="margin-left: 15px"><a href="../12-douze/" style="color: #fcfcfc">Next &raquo;</a></span>
  328. </span>
  329. </div>
  330. </body>
  331. </html>