SSL certificate
From Tuxunix
Self-certified SSL certificate
- openssl genrsa -out server.key 1024
03:51 root@tuxedo /tmp $ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..++++++
e is 65537 (0x10001)
- openssl req -new -x509 -days 365 -key server.key -out server.crt
03:51 root@tuxedo /tmp $ openssl req -new -x509 -days 365 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Vicheres
Organization Name (eg, company) [Internet Widgits Pty Ltd]:No company
Organizational Unit Name (eg, section) []:No section
Common Name (eg, YOUR name) []:*.tuxedo.fr
Email Address []:pierre@tuxedo.fr
Apache2 configuration
<VirtualHost *:443>
    ...
    #SSL
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    ...
</VirtualHost>
SSL V3
Modify the virtual host so that it contains the following lines (the SSLProtocol directive and the SSLCipherSuite value are the ones that change):
#SSL
SSLEngine On
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSL V3 verification
#> openssl s_client -connect localhost:443
SSL handshake has read 1495 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1EC1ED86D7F363E15D7A0CE8297B2F5B1358A6CFCAEE9BEF5848406A04090679
    Session-ID-ctx:
    Master-Key: CE1133258E0B99B14AF0141E239A818095A6E7A27A74C5E102B6D9338F8B155E1A25056F28249D8627AC97B87A6F25A0
    Key-Arg   : None
    Start Time: 1280849648
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
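As an added example that is not part of the original page, the following Python audit reads an Apache vhost like the one above and flags the protocol versions and cipher-string tokens that should no longer be enabled, with a hardened block beside the page's own. WEAK_VHOST and HARDENED_VHOST are constructed samples, and the protocol logic is a simplification of Apache's SSLProtocol rules (tokens applied left to right, no directive meaning "all").

```python
import re

# Added example (not from the page): audit Apache SSLProtocol/SSLCipherSuite lines.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string components that select null, export or broken ciphers.
WEAK = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
        "LOW", "RC4", "MD5", "DES", "SSLv2", "SSLv3"}
# Matches uncommented directive lines only ('#SSLProtocol ...' is skipped).
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I | re.M)

# Constructed samples: the "SSL V3" block from this page, and a hardened one.
WEAK_VHOST = """<VirtualHost *:443>
    SSLEngine On
    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
</VirtualHost>"""
HARDENED_VHOST = """<VirtualHost *:443>
    SSLEngine On
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5:!DES
</VirtualHost>"""


def enabled_protocols(value):
    """Apply 'all', '+name', '-name' and bare names left to right (simplified)."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def weak_cipher_tokens(value):
    """Cipher-string tokens that add (rather than remove with '!' or '-') a weak component."""
    return [t for t in value.split(":")
            if not t.startswith(("!", "-")) and WEAK & set(t.lstrip("+").split("+"))]


def audit(config):
    """Return findings for one vhost; an empty list means nothing was flagged."""
    d = {m.group(1).lower(): m.group(2) for m in DIRECTIVE.finditer(config)}
    enabled = enabled_protocols(d.get("sslprotocol", "all"))  # Apache default is 'all'
    findings = [f"protocol enabled: {p}" for p in PROTOCOLS if p in enabled & DEPRECATED]
    findings += [f"weak cipher token: {t}"
                 for t in weak_cipher_tokens(d.get("sslciphersuite", ""))]
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(name, audit(cfg) or "ok")
```

Running it reports SSLv3, TLSv1 and the RC4, LOW, SSLv3, EXP and eNULL tokens for the page's block, and nothing for the hardened one.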
Self-signed certificate
Generating a CSR:
$ openssl req -new -key server.key -batch -out server.csr
Lastly we're going to sign our CSR and generate a new certificate.
Signing our CSR
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=FR/ST=Some-State/O=XXXX XX
Getting Private key
Let's Encrypt certificate (automated renewal) with ACME
Preparing the configuration
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
mkdir /var/www/letsencrypt
mkdir /etc/nginx/certs
Vhost (Nginx)
Example vhost (munin):
server {
    listen 80;
    server_name test.toto.fr;
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://test.toto.fr$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name test.toto.fr;
    ssl_certificate /etc/nginx/certs/toto.fr.crt;
    ssl_certificate_key /etc/nginx/certs/toto.fr.key;
    …
}
Creating the certificate
#> acme.sh --issue -d test.toto.fr -w /var/www/letsencrypt/ --fullchain-file /etc/nginx/certs/toto.fr.crt --key-file /etc/nginx/certs/toto.fr.key
Automatic renewal
- Automatic renewal script:
#!/bin/bash
#
#@Name      renewCerts.sh
#@Function  renew letsencrypt certificate
#@Depends   acme.sh
#@Version   0.1
#@Authors   SYSTEM DYNAMICS
#@Modify by XXXX
#
domain="toto.fr"
subDomain1="test.toto.fr"
subDomain2="sisi.toto.fr"

/usr/local/scripts/acme.sh/acme.sh --issue -d ${subDomain1} -d ${subDomain2} -w /var/www/letsencrypt/ \
    --fullchain-file /etc/nginx/certs/${domain}.crt \
    --key-file /etc/nginx/certs/${domain}.key \
    --reloadcmd '/etc/init.d/nginx reload' --force >& /usr/local/scripts/renewCerts.log
- Cron
00 03 1 */2 * /usr/local/scripts/renewCerts.sh >/dev/null 2>&1