Yojik.net/site/Tutoriels/tutostretch/Installation-Cerificats-Letsencrypt/index.html

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  
  
  <link rel="shortcut icon" href="../../../img/favicon.ico">
  <title>Installation des certificats letsencrypt - Les Tutoriels du Yojik</title>
  <link rel="stylesheet" href="../../../css/theme.css" />
  <link rel="stylesheet" href="../../../css/theme_extra.css" />
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css" />
  
  <script>
    // Current page data
    var mkdocs_page_name = "Installation des certificats letsencrypt";
    var mkdocs_page_input_path = "Tutoriels/tutostretch/Installation-Cerificats-Letsencrypt.md";
    var mkdocs_page_url = null;
  </script>
  
  <script src="../../../js/jquery-2.1.1.min.js" defer></script>
  <script src="../../../js/modernizr-2.8.3.min.js" defer></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"></script>
  <script>hljs.initHighlightingOnLoad();</script> 
  
</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
    <div class="wy-side-scroll">
      <div class="wy-side-nav-search">
        <a href="../../.." class="icon icon-home"> Les Tutoriels du Yojik</a>
        <div role="search">
  <form id ="rtd-search-form" class="wy-form" action="../../../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" title="Type search term here" />
  </form>
</div>
      </div>

      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
                <p class="caption"><span class="caption-text">Home</span></p>
                <ul>
                    <li class="toctree-l1"><a class="reference internal" href="../../..">Page d'accueil</a>
                    </li>
                </ul>
                <p class="caption"><span class="caption-text">Tutoriels</span></p>
                <ul>
                    <li class="toctree-l1"><a class="reference internal" href="../../tutos/">Introduction</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Stretch (obsolète)</a>
    <ul>
                <li class="toctree-l2"><a class="reference internal" href="../tutostretch/">Présentation</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="#">Installation</a>
    <ul>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-de-base/">Installation du système de base</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../ovh/">Démarrage sur serveur OVH</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Premi%C3%A8re-Etape-S%C3%A9curisation/">Première étapes de sécurisation du serveur</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Configuration-R%C3%A9seau/">Configuration du réseau</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Temps/">Installation d'un serveur de temps</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Parre-Feu/">Installation d'un pare-feu</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Fail2ban/">Contrer les attaques de brute-force avec fail2ban</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Courrier-Basique/">Installation d'un serveur de courrier basique</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-DNS/">Installation du serveur DNS</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Web/">Installation d'un serveur web</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Dovecot-Authentification/">Installation de dovecot et de l'authentification</a>
                </li>
                <li class="toctree-l3"><a class="" href="../Installation-Certificats-Letsencrypt.md)">Installation des certificats letsencrypt</a>
                </li>
                <li class="toctree-l3"><a class="" href="../courrier-SPF-DKIM-OPENDMARC.md">Ajout des enregistrements **spf**, **DKIM**, **DMARC** au fichier de zone DNS</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Courrier-Comptes-Virtuels/">Ajout des comptes émail virtuels</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Surveillance-Serveur/">Installation de programmes de surveillance du serveur</a>
                </li>
                <li class="toctree-l3"><a class="reference internal" href="../Installation-Webmail/">Installation d'un webmail (rainloop)</a>
                </li>
                <li class="toctree-l3"><a class="" href="../Sécurisation-Serveur-Web">Sécurisation d'un serveur WEB</a>
                </li>
    </ul>
                </li>
    </ul>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Buster (en cours d'écriture)</a>
    <ul>
                <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/1-tutobuster/">Présentation</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/2-Installation-de-base/">Installation de base</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/3-ovh/">Démarrage sur serveur OVH</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/4-Plan/">Plan d'ensemble</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/5-Premi%C3%A8re-Etape-S%C3%A9curisation/">Premières étapes de sécurisation du serveur</a>
                </li>
    </ul>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Buster sur RaspberryPI</a>
    <ul>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/tutoraspi/">Présentation</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Installation-de-base/">Installation de base</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Premier-d%C3%A9marrage/">Premier démarrage</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Etat-des-lieux/">État des lieux</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/S%C3%A9curisation-SSH/">Sécurisation SSH</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/R%C3%A9seau/">Réseau (des IPs fixes)</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Knot/">Installation de Knot-resolver</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Firewall/">Installation d'un pare-feux</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Fail2ban/">Contrer les attaques de force brute</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Logwatch/">Surveillance du serveur</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Installation-courrier-basique/">Installation d'un serveur de courriers basique</a>
                </li>
                <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Annexe/">Annexe</a>
                </li>
    </ul>
                    </li>
                </ul>
      </div>
    </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="../../..">Les Tutoriels du Yojik</a>
      </nav>

      
      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
    <li><a href="../../..">Docs</a> &raquo;</li>
    
      
    
    <li>Installation des certificats letsencrypt</li>
    <li class="wy-breadcrumbs-aside">
      
    </li>
  </ul>
  
  <hr/>
</div>
          <div role="main">
            <div class="section">
              
                <h1 id="installation-des-certificats-letsencrypt">Installation des certificats letsencrypt</h1>
<h2 id="installation-des-programmes">Installation des programmes</h2>
<p>Il existe plusieurs clients <strong>letsencrypt</strong> pour la gestion des certificats. Nous utiliserons <strong>certbot</strong>, le client officiel de <strong>letsencrypt</strong>.</p>
<pre><code>root@atom:/home/ericadmin/bin# apt install certbot python-certbot-apache
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
The following additional packages will be installed:
  augeas-lenses libaugeas0 python-acme python-augeas python-certbot python-cffi-backend python-chardet python-configargparse python-configobj python-cryptography
  python-dnspython python-enum34 python-funcsigs python-idna python-ipaddress python-mock python-openssl python-parsedatetime python-pbr python-pkg-resources python-psutil
  python-pyasn1 python-pyicu python-requests python-rfc3339 python-setuptools python-six python-tz python-urllib3 python-zope.component python-zope.event
  python-zope.hookable python-zope.interface
etc...
</code></pre>
<h2 id="creation-des-certificats-pour-nos-domaines">Création des certificats pour nos domaines</h2>
<p>Bien, les programmes sont installés. Nous allons créer des certificats pour les domaines suivantes, après avoir créé les hôtes virtuels apache.</p>
<ul>
<li>yojik.net</li>
<li>www.yojik.net</li>
<li>atom.yojik.net</li>
</ul>
<p>Les 2 premiers concernent le site web, le dernier, le serveur de mail. Nous allons d'abord rajouter les noms manquants dans le fichier de zone DNS; pour l'instant, nous n'avons déclaré qu'un seul nom: atom.yojik.net. Rajoutons les suivants avec des enregistrements CNAME. Ne pas oublier d'incrémenter le compteur situé dans le fichier de zone DNS après chaque modification.</p>
<p>Lors de l'installation de notre webmail, nous rajouterons le domaine correspondant.</p>
<p>Nous ajoutons ici la référence du serveur web, avec un enregistrement  CNAME: www.yojik.eu</p>
<pre><code>www             IN CNAME  atom.yojik.net.
</code></pre>
<p>Relecture des fichiers de configuration par bind:</p>
<pre><code>root@atom:/home/ericadmin# service bind9 reload
</code></pre>
<h2 id="lancement-du-programme-certbot">lancement du programme certbot</h2>
<pre><code>root@atom:/home/ericadmin# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-
1: yojik.net
2: www.yojik.net
-
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1 2
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
</code></pre>
<p>Bon, il y a un problème ... après recherche sur le web, il se trouve que le programme certbot de Debian/stretch n'est pas à jour (modification due à un problème de sécurité.)</p>
<ul>
<li>
<p>Voici le lien:</p>
<p><a href="https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983">certbot sur Debian/Stretch problem and solution</a></p>
</li>
<li>
<p>Ajout des backports dans la liste des dépots:</p>
<p>Il nous faut ajouter dans /etc/sources.list le dépot <strong>backports</strong> pour obtenir le fichier qui suit:</p>
<p>Lien: <a href="https://backports.debian.org/Instructions/">Installation des backports</a></p>
<p>Voici le contenu du fichier <em>etc/apt/sources.list</em></p>
<pre><code>root@atom:/home/ericadmin# cat /etc/apt/sources.list
#

# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main

#deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 NETINST 20171209-12:10]/ stretch main

deb http://deb.debian.org/debian/ stretch main contrib
deb-src http://deb.debian.org/debian/ stretch main contrib

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib

# stretch-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ stretch-updates main contrib
deb-src http://deb.debian.org/debian/ stretch-updates main contrib

deb http://ftp.debian.org/debian stretch-backports main contrib
</code></pre>
<p>Notez la dernière ligne rajoutée au fichier. Ensuite,entrez les commandes suivantes:</p>
<pre><code>apt update
apt-get install python-certbot-apache -t stretch-backports
</code></pre>
<p>Un grand nombre de paquets vont être installés ...</p>
</li>
</ul>
<p>On relance le programme certbot:</p>
<pre><code>certbot --apache
</code></pre>
<p>Cette fois-ci, ça fonctionne.</p>
<pre><code>root@atom:/home/ericadmin# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-
1: yojik.net
2: www.yojik.net
-
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yojik.net
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/yojiknet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/yojiknet-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/yojiknet-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/yojiknet.conf to ssl vhost in /etc/apache2/sites-available/yojiknet-le-ssl.conf

-
Congratulations! You have successfully enabled https://yojik.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yojik.net
-

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yojik.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yojik.net/privkey.pem
   Your cert will expire on 2018-08-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@atom:/home/ericadmin#
</code></pre>
<p>On retape les mêmes commandes pour générer les certificats pour le domaine <strong>www.yojik.net</strong>.</p>
<p>Testez votre configuration comme indiqué ci-dessus. Vous devez obtenir une note <strong>A</strong>.</p>
<p>Il nous faut maintenant créer un certificat pour notre serveur mail:</p>
<pre><code>root@atom:/home/ericadmin# certbot certonly -d atom.yojik.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for atom.yojik.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/atom.yojik.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/atom.yojik.net/privkey.pem
   Your cert will expire on 2018-08-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@atom:/home/ericadmin#
</code></pre>
<p>Voilà, nos certificats sont créés. Lors de la configuration, notez que j'ai demandé une redirection automatique vers la version en <strong>https</strong>.</p>
              
            </div>
          </div>
          <footer>
  

  <hr/>

  <div role="contentinfo">
    <!-- Copyright etc -->
    
  </div>

  Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
      
        </div>
      </div>

    </section>

  </div>

  <div class="rst-versions" role="note" aria-label="versions">
    <span class="rst-current-version" data-toggle="rst-current-version">
      
      
      
    </span>
</div>
    <script>var base_url = '../../..';</script>
    <script src="../../../js/theme.js" defer></script>
      <script src="../../../search/main.js" defer></script>
    <script defer>
        window.onload = function () {
            SphinxRtdTheme.Navigation.enable(true);
        };
    </script>

</body>
</html>