Gedächtnisstützen IT

Server, Unix/Linux, Webserver

Letsencrypt mit Debian

Inhaltsverzeichnis

Erzeugen neuer letsencrypt Stern-Zertifikats

Installation von certbot

# apt-get install python-certbot-apache

Erzeugen der Zertifikate

# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for rana.at

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.rana.at with the following value:

dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rana.at/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rana.at/privkey.pem
   Your cert will expire on 2020-05-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden.
Apache-Konfiguration

/etc/apache2/sites-available/rana.at.conf:

…
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem

Update des Zertifikate

# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:

sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.org/privkey.pem
   Your cert will expire on 2020-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden!

Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe:

# letsencrypt renew

Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind:

# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gfw.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.wien.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

letsencrypt-Zertifikate für Courier-Server verwenden

Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden:

# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem

Die oben erzeugte Datei muss entsprechend eingebunden werden:

Courier imapd-ssl

/etc/courier/imapd-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…

Courier pop3d-ssl

/etc/courier/pop3d-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…

Neustart der Prozesse

# systemctl reload apache2.service
# systemctl restart courier-pop-ssl.service
# systemctl restart courier-imap-ssl.service

Sichern und kopieren der Zertifikate

# cd /etc
# tar -cvf letsencrypt.tar letsencrypt
# scp letsencrypt.tar user@server:

Schreibe eine Antwort

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.