SSL certificates with certbot

From wikijoan

Introduction

It had become urgent that wiki.joanillo.org, www.joanillo.org and the other applications be served securely (https). In the end, installing a free SSL certificate turned out to be quite easy.

Installation


I am on Ubuntu 20.04, which already has snap preinstalled.

The snap command lets you install, configure, refresh and remove snaps. Snaps are packages that work across many different Linux distributions, enabling secure delivery and operation of the latest apps and utilities.

3. Ensure that your version of snapd is up to date

Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.

$ sudo snap install core; sudo snap refresh core

5. Install Certbot

Run this command on the command line on the machine to install Certbot.

$ sudo snap install --classic certbot
certbot 1.23.0 from Certbot Project (certbot-eff✓) installed

6. Prepare the Certbot command

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

7. Choose how you'd like to run Certbot

Either get and install your certificates... Run this command to get a certificate and have Certbot edit your apache configuration automatically to serve it, turning on HTTPS access in a single step.

$ sudo certbot --apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: arthropoda.joanillo.org
2: bdquest.joanillo.org
3: catalunyamagica.joanillo.org
4: dolmens.joanillo.org
5: iesbalmes.joanillo.org
6: jmquintana.joanillo.org
7: langtrainer.joanillo.org
8: nuriaquintana.joanillo.org
9: portfolio.joanillo.org
10: projects.joanillo.org
11: quintana.joanillo.org
12: raimonviaplana.joanillo.org
13: romanic.joanillo.org
14: rutesgps.joanillo.org
15: wiki.joanillo.org
16: wikijoan.joanillo.org
17: www.joanillo.org

Requesting a certificate for arthropoda.joanillo.org and 16 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/arthropoda.joanillo.org/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for arthropoda.joanillo.org to /etc/apache2/sites-available/arthropoda.joanillo.org-le-ssl.conf
Successfully deployed certificate for bdquest.joanillo.org to /etc/apache2/sites-available/bdquest.joanillo.org-le-ssl.conf
...
Successfully deployed certificate for wiki.joanillo.org to /etc/apache2/sites-available/wiki.joanillo.org-le-ssl.conf
Successfully deployed certificate for wikijoan.joanillo.org to /etc/apache2/sites-available/wikijoan.joanillo.org-le-ssl.conf
Successfully deployed certificate for www.joanillo.org to /etc/apache2/sites-available/www.joanillo.org-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://arthropoda.joanillo.org, https://bdquest.joanillo.org, https://catalunyamagica.joanillo.org, https://dolmens.joanillo.org, https://iesbalmes.joanillo.org, https://jmquintana.joanillo.org, https://langtrainer.joanillo.org, https://nuriaquintana.joanillo.org, https://portfolio.joanillo.org, https://projects.joanillo.org, https://quintana.joanillo.org, https://raimonviaplana.joanillo.org, https://romanic.joanillo.org, https://rutesgps.joanillo.org, https://wiki.joanillo.org, https://wikijoan.joanillo.org, and https://www.joanillo.org

8. Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/arthropoda.joanillo.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for arthropoda.joanillo.org and 16 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem (success)
- - - - - - - - - - - - - 

And that's it, it works.

Certbot also rewrote the plain-HTTP virtual hosts, so by default http:// now redirects to https:// (the --redirect / --no-redirect flags control this behaviour).
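A check worth running once everything is deployed, added here as an example (it is not code from the page or from certbot): for each name, confirm that plain HTTP answers with a redirect to https:// on the same host, and that the certificate presented on port 443 verifies against the system root store and is not close to renewal. The names in HOSTS and the 30-day threshold are assumptions; certbot itself renews a certificate when 30 days remain.

```python
"""Post-deployment check for the HTTPS setup above.
Added example, not part of the original page. Hostnames and the 30-day
warning threshold are assumptions; adapt HOSTS to the names on the certificate."""
import http.client
import socket
import ssl
import time

HOSTS = ["wiki.joanillo.org", "www.joanillo.org"]  # assumption: any names from the cert
WARN_DAYS = 30  # Let's Encrypt certificates last 90 days; certbot renews at 30 days left


def is_https_redirect(status, location, host):
    """True when an HTTP status/Location pair is a redirect to https:// on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return location.startswith("https://" + host + "/") or location == "https://" + host


def days_left(not_after, now_ts):
    """Whole days between now_ts (epoch seconds) and a certificate's notAfter field,
    which the ssl module reports as e.g. 'May 10 12:00:00 2022 GMT'."""
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)


def check_redirect(host, timeout=5):
    """Fetch http://host/ without following redirects and classify the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def check_certificate(host, timeout=5):
    """Open a verified TLS connection and return (days_left, DNS names on the cert).
    ssl.create_default_context() validates the chain against the system roots and
    checks the hostname, so a self-signed or wrong-name certificate raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return days_left(cert["notAfter"], time.time()), names


def main():
    for host in HOSTS:
        redirected = check_redirect(host)
        remaining, names = check_certificate(host)
        status = "OK" if redirected and remaining > WARN_DAYS else "CHECK"
        print(f"{status:5} {host}: redirect={redirected} days_left={remaining} names={len(names)}")


if __name__ == "__main__":
    main()
```

Run it from any machine with outbound access to the server; a CHECK line means either the :80 virtual host is still serving content instead of redirecting, or renewal has not happened and the timer deserves a look.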

What did the automatic process do?

For example, in sites-available I had the file romanic.joanillo.org.conf. Now that file is empty, and the file romanic.joanillo.org-le-ssl.conf has been created with the following content:

<IfModule mod_ssl.c>
<VirtualHost *:443>

# the same directives as before

SSLCertificateFile /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/arthropoda.joanillo.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
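The companion change on the port-80 side, reconstructed here as an added example rather than copied from the page's server: with the redirect enabled, certbot appends a mod_rewrite rule to the original virtual host so that every plain-HTTP request is answered with a permanent redirect, and the :443 virtual host gets its key material plus certbot's shared TLS policy file. Note that every -le-ssl.conf on this server points at the same /etc/letsencrypt/live/arthropoda.joanillo.org/ lineage, because one certificate covers all 17 names and certbot names the lineage after the first domain requested. The DocumentRoot and the Strict-Transport-Security header are assumptions (certbot only adds the latter when run with --hsts, and it needs mod_headers).

```apache
# /etc/apache2/sites-available/romanic.joanillo.org.conf  (port 80)
<VirtualHost *:80>
    ServerName romanic.joanillo.org
    # assumption: the real site path differs
    DocumentRoot /var/www/romanic

    # Lines certbot inserts when the redirect is enabled: every plain-HTTP
    # request for this ServerName is answered with a 301 to the same path on https
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =romanic.joanillo.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# /etc/apache2/sites-available/romanic.joanillo.org-le-ssl.conf  (port 443)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName romanic.joanillo.org
    DocumentRoot /var/www/romanic

    # One certificate carries all 17 names, so the lineage is shared
    SSLCertificateFile /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/arthropoda.joanillo.org/privkey.pem
    # SSLEngine on, protocol versions and cipher list maintained by certbot
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Optional (certbot --hsts): tell browsers never to fall back to http://
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
</IfModule>
```

Because the certificate lists all 17 names in its subjectAltName, anyone who connects to one site can read the full list of hostnames; that is fine for public sites, but a hostname you would rather not advertise belongs on a separate certificate (certbot --cert-name with its own -d list).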

Everything related to renewal lives under /etc/letsencrypt/. There is no cron entry to look for: the snap package installs a systemd timer, snap.certbot.renew.timer, which runs certbot renew twice a day (it shows up in systemctl list-timers), so nothing further needs to be done. The files under /etc/letsencrypt/live/ are symlinks into /etc/letsencrypt/archive/, where each renewal adds a new numbered key and certificate; both directories are readable by root only.

Inside /etc/letsencrypt/renewal there is the file arthropoda.joanillo.org.conf, and in it we can see which ACME account the certificate belongs to:

...
account = 0c76034b680b95b1735293755e977f7c
...

note: at no point in the process did we have to register.

Installing certbot on vps-89148e22.vps.ovh.net (Jaume Balmes)

The procedure is the same, but it failed with the following error:

$ sudo certbot --apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): jquintana@jaumebalmes.net

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): 

vps-89148e22.vps.ovh.net

Error creating new order :: too many certificates already issued for: ovh.net: see https://letsencrypt.org/docs/rate-limits/

The error is a Let's Encrypt rate limit, not a problem with this server. New certificates are counted per registered domain, and ovh.net is not a public suffix, so every *.vps.ovh.net hostname that any OVH customer requests a certificate for counts against the same budget of 50 certificates per week for ovh.net, which is permanently exhausted. Therefore the default OVH hostname cannot be used directly: point a DNS name you control (for example a subdomain of jaumebalmes.net) at the VPS and request the certificate for that name instead.
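To make the accounting concrete, here is an added example (not from the page or from Let's Encrypt's code) that reproduces how the per-registered-domain limit is applied: the registered domain is the longest Public Suffix List entry plus one label, an order counts once per registered domain however many names it carries, and renewals of an existing certificate are exempt (they fall under the separate duplicate-certificate limit instead). PSL_RULES is a constructed subset of the real list; the limits are the published ones at the time of writing (50 new certificates per registered domain per rolling week, at most 100 names per certificate).

```python
"""Why the vps-89148e22.vps.ovh.net order was refused: Let's Encrypt counts new
certificates per registered domain and allows 50 per registered domain per week.
Added example, not from the page. PSL_RULES is a constructed subset of the real
Public Suffix List; the limits are the published ones at the time of writing."""
from collections import Counter

# Constructed subset of the Public Suffix List. ovh.net is deliberately absent:
# it is not a public suffix, so every *.vps.ovh.net name rolls up to ovh.net.
PSL_RULES = {"com", "net", "org", "co.uk"}
CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50
MAX_NAMES_PER_CERT = 100


def registered_domain(hostname):
    """Longest matching public suffix plus one label, e.g. 'a.b.co.uk' -> 'b.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL_RULES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # no rule matched: the PSL's implicit '*' rule


def plan_orders(orders, issued_last_week):
    """orders: list of name lists, one list per certificate to request.
    issued_last_week: {registered_domain: certificates issued in the last 7 days}.
    Returns {registered_domain: (new_certs, allowed)}. An order counts once per
    registered domain no matter how many names it carries, which is why one
    17-name certificate is cheaper against the limit than 17 single-name ones."""
    per_domain = Counter()
    for names in orders:
        if len(names) > MAX_NAMES_PER_CERT:
            raise ValueError("a single certificate may carry at most 100 names")
        for rd in {registered_domain(n) for n in names}:
            per_domain[rd] += 1
    return {
        rd: (n, issued_last_week.get(rd, 0) + n <= CERTS_PER_REGISTERED_DOMAIN_PER_WEEK)
        for rd, n in per_domain.items()
    }


if __name__ == "__main__":
    joanillo = [f"{s}.joanillo.org" for s in ("arthropoda", "bdquest", "wiki", "www")]
    # One multi-name certificate, as the page did: counts as 1 for joanillo.org
    print(plan_orders([joanillo], {}))
    # One certificate per name instead: counts as 4
    print(plan_orders([[n] for n in joanillo], {}))
    # The OVH case: the shared ovh.net budget is already spent by other customers
    print(plan_orders([["vps-89148e22.vps.ovh.net"]], {"ovh.net": 50}))
```

The same logic explains why the 17-name order on the first server was cheap: it consumed one unit of the joanillo.org budget, and its automatic renewals will not consume any. For experiments, certbot --staging hits a separate environment with much higher limits.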


created by Joan Quintana Compte, February 2022