Certificat SSL
From Tuxunix
Contents
Certificat SSL autocertifié
- openssl genrsa -out server.key 1024
03:51 root@tuxedo /tmp $ openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ..........++++++ ..++++++ e is 65537 (0x10001)
- openssl req -new -x509 -days 365 -key server.key -out server.crt
03:51 root@tuxedo /tmp $ openssl req -new -x509 -days 365 -key server.key -out server.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]:FR State or Province Name (full name) [Some-State]:France Locality Name (eg, city) []:Vicheres Organization Name (eg, company) [Internet Widgits Pty Ltd]:No company Organizational Unit Name (eg, section) []:No section Common Name (eg, YOUR name) []:*.tuxedo.fr Email Address []:pierre@tuxedo.fr
Configuration Apache2
<VirtualHost *:443> ... #SSL SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key ... </VirtualHost>
SSL V3
Modifier le virtualhost en précisent les lignes en gras :
#SSL SSLEngine On SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key
Vérification SSL V3
#> openssl s_client -connect localhost:443
SSL handshake has read 1495 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1EC1ED86D7F363E15D7A0CE8297B2F5B1358A6CFCAEE9BEF5848406A04090679
Session-ID-ctx:
Master-Key: CE1133258E0B99B14AF0141E239A818095A6E7A27A74C5E102B6D9338F8B155E1A25056F28249D8627AC97B87A6F25A0
Key-Arg : None
Start Time: 1280849648
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Certificat autosigné
Generating a CSR :
$ openssl req -new -key server.key -batch -out server.csr
Lastly we're going to sign our CSR and generate a new certificate.
Signing our CSR
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=FR/ST=Some-State/O=XXXX XX
Getting Private key
Certificat LetsEncrypt (Renouvellement automatisé) ACME
Preparation de la configuration
git clone https://github.com/Neilpang/acme.sh.git cd ./acme.sh
mkdir /var/www/letsencrypt mkdir /etc/nginx/certs
Vhost (Nginx)
Ex vhost munin :
server {
listen 80;
server_name test.toto.fr;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
location / {
return 301 https://test.toto.fr$request_uri;
}
}
server {
listen 443 ssl;
server_name test.toto.fr;
ssl_certificate /etc/nginx/certs/toto.fr.crt;
ssl_certificate_key /etc/nginx/certs/toto.fr.key;
…
}
Création du certificat
#> acme.sh --issue -d test.toto.fr -w /var/www/letsencrypt/ --fullchain-file /etc/nginx/certs/toto.fr.crt --key-file /etc/nginx/certs/toto.fr.key
Renouvellement automatique
- Script renouvellement automatique :
#!/bin/bash
#
#@Name renewCerts.sh
#@Fonction renew letsencrypt certificate
#@Depends acme.sh
#@Version 0.1
#@Authors SYSTEM DYNAMICS
#@Modify by XXXX
#
domain="toto.fr"
subDomain1="test.toto.fr"
subDomain2="sisi.toto.fr"
/usr/local/scripts/acme.sh/acme.sh --issue -d ${subDomain1} -d ${subDomain2} -w /var/www/letsencrypt/ --fullchain-file /etc/nginx/certs/${domain}.crt \
--key-file /etc/nginx/certs/${domain}.key --reloadcmd '/etc/init.d/nginx reload' --force >& /usr/local/scripts/renewCerts.log
- Cron
00 03 1 */2 * /usr/local/scripts/renewCerts.sh >/dev/null 2>&1
