SSL certificates with certbot
Introduction
It had become urgent that wiki.joanillo.org, www.joanillo.org and the other applications be served securely over https. In the end, installing a free SSL certificate turned out to be quite easy.
Installation
I have Ubuntu 20.04, which already has snap preinstalled. The numbered steps below are the ones from the certbot.eff.org instructions for Apache on Ubuntu 20.04 with snap; the step numbers are theirs.
The snap command lets you install, configure, refresh and remove snaps. Snaps are packages that work across many different Linux distributions, enabling secure delivery and operation of the latest apps and utilities.
3. Ensure that your version of snapd is up to date
Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.
$ sudo snap install core; sudo snap refresh core
5. Install Certbot
Run this command on the command line on the machine to install Certbot.
$ sudo snap install --classic certbot
certbot 1.23.0 from Certbot Project (certbot-eff✓) installed
6. Prepare the Certbot command
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
7. Choose how you'd like to run Certbot
Either get and install your certificates... Run this command to get a certificate and have Certbot edit your apache configuration automatically to serve it, turning on HTTPS access in a single step.
$ sudo certbot --apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: arthropoda.joanillo.org
2: bdquest.joanillo.org
3: catalunyamagica.joanillo.org
4: dolmens.joanillo.org
5: iesbalmes.joanillo.org
6: jmquintana.joanillo.org
7: langtrainer.joanillo.org
8: nuriaquintana.joanillo.org
9: portfolio.joanillo.org
10: projects.joanillo.org
11: quintana.joanillo.org
12: raimonviaplana.joanillo.org
13: romanic.joanillo.org
14: rutesgps.joanillo.org
15: wiki.joanillo.org
16: wikijoan.joanillo.org
17: www.joanillo.org
Requesting a certificate for arthropoda.joanillo.org and 16 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/arthropoda.joanillo.org/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for arthropoda.joanillo.org to /etc/apache2/sites-available/arthropoda.joanillo.org-le-ssl.conf
Successfully deployed certificate for bdquest.joanillo.org to /etc/apache2/sites-available/bdquest.joanillo.org-le-ssl.conf
...
Successfully deployed certificate for wiki.joanillo.org to /etc/apache2/sites-available/wiki.joanillo.org-le-ssl.conf
Successfully deployed certificate for wikijoan.joanillo.org to /etc/apache2/sites-available/wikijoan.joanillo.org-le-ssl.conf
Successfully deployed certificate for www.joanillo.org to /etc/apache2/sites-available/www.joanillo.org-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://arthropoda.joanillo.org, https://bdquest.joanillo.org, https://catalunyamagica.joanillo.org, https://dolmens.joanillo.org, https://iesbalmes.joanillo.org, https://jmquintana.joanillo.org, https://langtrainer.joanillo.org, https://nuriaquintana.joanillo.org, https://portfolio.joanillo.org, https://projects.joanillo.org, https://quintana.joanillo.org, https://raimonviaplana.joanillo.org, https://romanic.joanillo.org, https://rutesgps.joanillo.org, https://wiki.joanillo.org, https://wikijoan.joanillo.org, and https://www.joanillo.org
8. Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/arthropoda.joanillo.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for arthropoda.joanillo.org and 16 more domains
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem (success)
- - - - - - - - - - - - -
And that's it, it works!
By default, a plain http:// request is now redirected to https://. This version of certbot did not ask about it: the Apache installer enables the redirect by default, and it can be switched off with --no-redirect if plain HTTP must stay reachable.
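A way to verify the whole result from the shell, added here as an example (it is not part of the original page or of certbot). It checks the four things the procedure above relies on: the snap renewal timer, the time left on the certificate, that every name Apache serves is on the certificate's SAN list, and that plain http:// answers with a redirect to https. The lineage name arthropoda.joanillo.org is taken from the transcript above; everything else (paths, the 30-day threshold, invoking it as `./le-audit.sh --run`) is an assumption made for the example.

```shell
#!/usr/bin/env bash
# le-audit.sh: post-install audit of a certbot + Apache deployment.
# Added example, not from the original page. Lineage name taken from the
# transcript above; paths and threshold are assumptions, adjust as needed.
set -u

LINEAGE="${LINEAGE:-arthropoda.joanillo.org}"   # assumed lineage (first name on the cert)
FULLCHAIN="/etc/letsencrypt/live/$LINEAGE/fullchain.pem"
MIN_DAYS="${MIN_DAYS:-30}"    # certbot renews at 30 days left; anything closer means renewal is failing

# Turn the subjectAltName line printed by openssl ("DNS:a, DNS:b") into one name per line.
parse_san() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' | sort -u
}

# Print the expected names ($1, newline separated) that are absent from the SAN line ($2).
missing_names() {
  local san n
  san=$(parse_san "$2")
  printf '%s\n' "$1" | sed '/^$/d' | sort -u | while IFS= read -r n; do
    printf '%s\n' "$san" | grep -qxF -- "$n" || printf '%s\n' "$n"
  done
}

# Return 0 if the http:// response headers ($1, as printed by curl -sI) are a
# 301/302/307/308 whose Location is https:// on the same host ($2).
redirect_ok() {
  local hdrs host
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  host=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$hdrs" | grep -qiE '^HTTP/[0-9.]+ 30[1278]' &&
    printf '%s\n' "$hdrs" | grep -qiE "^location:[[:space:]]*https://$host(/|\$)"
}

audit() {
  local rc=0 expected san missing name hdrs
  # 1. Renewal: the snap package schedules renewal with a systemd timer, not a cron job.
  if systemctl list-timers --all 2>/dev/null | grep -q 'snap.certbot.renew.timer'; then
    echo "ok   snap.certbot.renew.timer is installed"
  else
    echo "FAIL snap.certbot.renew.timer not found; renewal will not run"; rc=1
  fi
  # 2. Expiry: -checkend exits non-zero if the certificate expires within N seconds.
  if openssl x509 -in "$FULLCHAIN" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null; then
    echo "ok   $(openssl x509 -in "$FULLCHAIN" -noout -enddate)"
  else
    echo "FAIL certificate expires within $MIN_DAYS days; run 'certbot renew --dry-run'"; rc=1
  fi
  # 3. Coverage: every ServerName/ServerAlias Apache serves must be on the certificate.
  expected=$(apachectl -S 2>/dev/null \
    | sed -n -e 's/.*namevhost \([^ ]*\).*/\1/p' -e 's/.*[[:space:]]alias \([^ ]*\).*/\1/p')
  san=$(openssl x509 -in "$FULLCHAIN" -noout -ext subjectAltName | tail -n +2)
  missing=$(missing_names "$expected" "$san")
  if [ -z "$missing" ]; then
    echo "ok   all Apache vhost names are on the certificate"
  else
    echo "FAIL names served by Apache but missing from the certificate:"; echo "$missing"; rc=1
  fi
  # 4. Redirect: plain http:// must answer with a redirect to https:// for each name.
  for name in $expected; do
    hdrs=$(curl -sI --max-time 5 "http://$name/" || true)
    if redirect_ok "$hdrs" "$name"; then
      echo "ok   http://$name redirects to https"
    else
      echo "FAIL http://$name does not redirect to https"; rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  --run) audit; exit $? ;;
esac
```

Run it as root (or with read access to /etc/letsencrypt/live) right after the install and again a few weeks later. If the expiry check fails while the timer is present, look at /var/log/letsencrypt/letsencrypt.log: certbot renews 30 days before expiry, so anything closer means the renewal is silently failing.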
What did the automatic process do?
For example, in sites-available I had the file romanic.joanillo.org.conf. That file is now empty, and the file romanic.joanillo.org-le-ssl.conf has been created with the following contents (note the certificate path: certbot issued a single certificate carrying all 17 names as Subject Alternative Names and named the lineage after the first one, arthropoda.joanillo.org, so every -le-ssl.conf points at the same two files; adding a site later means re-running certbot with the complete list of names so that it expands that certificate):
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # the same as was already there
    SSLCertificateFile /etc/letsencrypt/live/arthropoda.joanillo.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/arthropoda.joanillo.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Everything to do with renewal lives under /etc/letsencrypt/. I don't see any cron job; in principle nothing has to be done, renewal is automatic. With the snap package the "scheduled task" certbot mentions is a systemd timer, snap.certbot.renew.timer, rather than a cron entry; `systemctl list-timers | grep certbot` shows it.
In the directory /etc/letsencrypt/renewal I have the file arthropoda.joanillo.org.conf, and in it we can see which account is mine:
...
account = 0c76034b680b95b1735293755e977f7c
...
Note: at no point in the process did we have to register explicitly. Certbot created the ACME account itself on first use; its private key is stored under /etc/letsencrypt/accounts/ and, together with the privkey.pem files, is what has to be protected and backed up if the server is ever rebuilt, since whoever holds the account key can renew and revoke these certificates.
Installing certbot on vps-89148e22.vps.ovh.net (Jaume Balmes)
The procedure is the same, but it failed with the following error:
$ sudo certbot --apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): jquintana@jaumebalmes.net
Please enter the domain name(s) you would like on your certificate (comma and/or space separated)
 (Enter 'c' to cancel): vps-89148e22.vps.ovh.net
Error creating new order :: too many certificates already issued for: ovh.net: see https://letsencrypt.org/docs/rate-limits/
So a certificate cannot be requested for the VPS's default hostname: Let's Encrypt limits issuance to 50 certificates per registered domain per week, and for vps-89148e22.vps.ovh.net the registered domain is ovh.net, which is shared with every other OVH customer and is therefore permanently at its limit. The fix is to point a domain you control (a hostname under jaumebalmes.net, for instance) at the VPS and request the certificate for that name; test the run first with certbot --apache --dry-run, which uses the staging environment and does not consume the production quota.
Created by Joan Quintana Compte, February 2022