Let's Encrypt is a certificate authority that is free, automated and open.
On the host that runs apache/nginx, install acme.sh:
wget -O - https://get.acme.sh | sh ; . ~/.bashrc   # afterwards /root/.acme.sh/acme.sh.env is available and the acme.sh bash alias is defined
With nginx, enable this server block on port 80 for the initial challenge:
server {
    listen 80;
    server_name "mail.csgalileo.org";

    # acme.sh writes its challenge tokens below the webroot given to
    # "--issue -w" (/var/www), i.e. /var/www/.well-known/acme-challenge.
    # Create that directory (empty) and serve it straight from disk.
    location /.well-known/acme-challenge {
        root /var/www;
        allow all;
    }

    # Everything else is sent to the TLS vhost.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
# /var/www is the document root of mail.csgalileo.org
acme.sh --issue -w /var/www -d mail.csgalileo.org --keylength ec-256
The result is in /root/.acme.sh/mail.csgalileo.org_ecc/:
<file>
[Fri Oct 14 08:05:13 CEST 2016] Creating account key
[Fri Oct 14 08:05:15 CEST 2016] Registering account
[Fri Oct 14 08:05:18 CEST 2016] Registered
[Fri Oct 14 08:05:20 CEST 2016] Update success.
[Fri Oct 14 08:05:20 CEST 2016] Creating domain key
[Fri Oct 14 08:05:20 CEST 2016] Single domain='mail.csgalileo.org'
[Fri Oct 14 08:05:20 CEST 2016] Verify each domain
[Fri Oct 14 08:05:20 CEST 2016] Getting webroot for domain='mail.csgalileo.org'
[Fri Oct 14 08:05:20 CEST 2016] _w='/var/www'
[Fri Oct 14 08:05:20 CEST 2016] Getting new-authz for domain='mail.csgalileo.org'
[Fri Oct 14 08:05:23 CEST 2016] Verifying:mail.csgalileo.org
[Fri Oct 14 08:05:31 CEST 2016] Success
[Fri Oct 14 08:05:31 CEST 2016] Verify finished, start to sign.
[Fri Oct 14 08:05:34 CEST 2016] Cert success.
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
[Fri Oct 14 08:05:34 CEST 2016] Your cert is in /root/.acme.sh/mail.csgalileo.org_ecc/mail.csgalileo.org.cer
[Fri Oct 14 08:05:34 CEST 2016] Your cert key is in /root/.acme.sh/mail.csgalileo.org_ecc/mail.csgalileo.org.key
[Fri Oct 14 08:05:34 CEST 2016] The intermediate CA cert is in /root/.acme.sh/mail.csgalileo.org_ecc/ca.cer
[Fri Oct 14 08:05:34 CEST 2016] And the full chain certs is there: /root/.acme.sh/mail.csgalileo.org_ecc/fullchain.cer
</file>
==== certificate integration for apache ====
<code bash>
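# Copy the issued certificate out of /root/.acme.sh into the paths apache reads
# and record them, so that every later renewal re-installs the files and runs
# the reload command. --ecc selects the ec-256 certificate issued above.
# (The original used typographic dashes/quotes; the flags are plain "--".)
HOST=mail.csgalileo.org
acme.sh --installcert -d "$HOST" \
    --certpath      "/etc/ssl/certs/${HOST}.cer" \
    --keypath       "/etc/ssl/private/${HOST}.key" \
    --capath        /etc/ssl/certs/ca.cer \
    --fullchainpath /etc/apache2/fullchain.cer \
    --ecc \
    --reloadcmd "service apache2 reload"
# Afterwards check that ${HOST}.key is readable by root only.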
</code>
<file apache apache.conf>
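# The directive is SSLEngine (the original had a typo, "SSLngine").
SSLEngine on
# Leaf certificate and its private key, as installed by --certpath / --keypath.
SSLCertificateFile      /etc/ssl/certs/mail.csgalileo.org.cer
SSLCertificateKeyFile   /etc/ssl/private/mail.csgalileo.org.key
# This directive takes the intermediate chain only, which --capath installs
# as ca.cer. fullchain.cer already contains the leaf certificate, so it is
# not the right file here. On apache 2.4.8+ the alternative is to point
# SSLCertificateFile at fullchain.cer and drop SSLCertificateChainFile.
SSLCertificateChainFile /etc/ssl/certs/ca.cer
# Only consulted when client certificates are verified (SSLVerifyClient);
# it plays no part in the chain the server itself sends.
SSLCACertificateFile    /etc/ssl/certs/ca.cer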
</file>
==== certificate integration for nginx ====
<file nginx site.conf>
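server {
    listen 443 ssl;
    server_name "scipio.csgalileo.org";
    # …
    # The directives are ssl_certificate / ssl_certificate_key (the underscores
    # were lost in the original). nginx has no separate chain directive: the
    # file named by ssl_certificate must hold the leaf followed by the
    # intermediate, i.e. the file written by --fullchainpath, not the bare
    # --certpath one. Either point --fullchainpath at this path or change this
    # line to the fullchain file; with only the leaf, clients that do not
    # already hold the intermediate cannot validate the chain.
    ssl_certificate     /etc/ssl/certs/scipio.csgalileo.org.cer;
    ssl_certificate_key /etc/ssl/private/scipio.csgalileo.org.key;
}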
</file>
<code bash>
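# Install the certificate for nginx. The flag is --fullchainpath, as in the
# apache block above; the original "--fullchain" is not the option name, and
# the typographic dashes/quotes are plain "--" and '"'.
# nginx reads leaf + intermediate from one file, so its ssl_certificate must
# point at the --fullchainpath file, not the --certpath one.
# Note: this page writes /etc/ssl/cert (singular) here while the other paths
# use /etc/ssl/certs; whichever directory is used, the vhost must reference it.
HOST=mail.csgalileo.org
acme.sh --installcert -d "$HOST" \
    --certpath      "/etc/ssl/certs/${HOST}.cer" \
    --keypath       "/etc/ssl/private/${HOST}.key" \
    --capath        /etc/ssl/certs/ca.cer \
    --fullchainpath /etc/ssl/cert/fullchain.cer \
    --ecc \
    --reloadcmd "service nginx reload"
# Afterwards check that ${HOST}.key is readable by root only.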
</code>
==== automatic renewal every 60 days ====
The installer already added this entry to root's crontab:
<code bash>
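# Added by the acme.sh installer: every day at 00:04 it renews certificates that
# have reached the 60-day mark and re-runs the install/reload command recorded by
# --installcert. (Quotes and dashes were typographic in the original.)
04 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null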
</code>
==== manual renewal ====
<code bash>
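# Force a renewal outside the 60-day schedule; --ecc selects the ec-256
# certificate. (The flags are plain "--", not the en-dashes of the original.)
acme.sh --renew -d mail.csgalileo.org --force --ecc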
</code>