Let's Encrypt
With Apache
Install the base packages for Let's Encrypt
sudo apt update
sudo apt install certbot python3-certbot-apache
Apart from a "yes" there is nothing to do.
Obtain the certificate
Launch the configuration
sudo certbot --apache
And answer the questions:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
You must enter a valid email address. That is the one that will be used if Let's Encrypt needs to send us important information.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Answer yes ("y") to accept the terms of service.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Here we choose whether to share our email address with the "Electronic Frontier Foundation". I said yes...
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: principal.mondomaine.com
2: www.principal.mondomaine.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
I chose both: "1,2"
Requesting a certificate for principal.mondomaine.com and www.principal.mondomaine.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/principal.mondomaine.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/principal.mondomaine.com/privkey.pem
This certificate expires on 2025-05-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for secure.pinon-hebert.fr to /etc/apache2/sites-available/000-principal-le-ssl.conf
Successfully deployed certificate for www.secure.pinon-hebert.fr to /etc/apache2/sites-available/000-principal-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://principal.mondomaine.com and https://www.principal.mondomaine.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
That's it; all that remains is to test. Locally:
curl https://127.0.0.1
which returns:
curl: (60) SSL: no alternative certificate subject name matches target host name '127.0.0.1'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
and that is normal, since 127.0.0.1 is in neither the CN nor the subject alternative names of the certificate, as curl says!
We tell curl not to verify the certificate with -k (verification is skipped, so this only proves that Apache answers on port 443 with the new site):
curl -k https://127.0.0.1
which returns:
<html>
<head>
<title>Not secured</title>
</head>
<body>
<h1>Not secured</h1>
</body>
</html>
It works.
Now we open port 443 on the router and forward it to our server.
Then, from anywhere:
curl http://principal.mondomaine.com
returns
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://principal.mondomaine.com/">here</a>.</p>
<hr>
<address>Apache/2.4.62 (Debian) Server at principal.mondomaine.com Port 80</address>
</body></html>
Our server has indeed been configured to redirect HTTP requests to HTTPS. We change the index.html file
sudo vi /var/www/html/secured/index.html
with:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Secured</title>
</head>
<body>
<h1>Secured</h1>
</body>
</html>
And finally with Chrome:

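The checks made by hand above (the HTTP to HTTPS redirect, a verified TLS connection instead of curl -k, and the expiry date certbot printed) can be repeated in one script. This is an added example, not code from the original post or from certbot; the host name is a placeholder and it assumes GNU date, curl and openssl are installed.

```shell
#!/usr/bin/env bash
# Post-install checks for the certbot + Apache setup above.
# Added example, not from the original post; assumes GNU date, curl and openssl.
set -u

# Convert the "notAfter=May 11 00:00:00 2025 GMT" line printed by
# `openssl x509 -enddate` into whole days remaining relative to NOW_EPOCH.
days_until_expiry() {
    local not_after="$1" now_epoch="$2" expiry_epoch
    expiry_epoch=$(date -u -d "${not_after#notAfter=}" +%s) || return 1
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Read HTTP response headers (as printed by `curl -sI`) on stdin and succeed
# only for a permanent redirect to the HTTPS version of the same host.
redirect_to_https() {
    local host="$1" headers status location
    headers=$(tr -d '\r')                      # normalise CRLF line endings
    status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in 301|308) ;; *) return 1 ;; esac
    case "$location" in "https://$host"|"https://$host/"*) return 0 ;; *) return 1 ;; esac
}

# Live checks against a deployed host: redirect, chain verification with SNI
# (the way a browser does it), and time left before the certificate expires.
check_site() {
    local host="$1" not_after days
    if curl -sI "http://$host/" | redirect_to_https "$host"; then
        echo "OK   http://$host redirects to HTTPS"
    else
        echo "WARN http://$host does not redirect permanently to HTTPS"
    fi
    # -verify_return_error makes the handshake fail on any chain/hostname error,
    # so an untrusted or mismatched certificate is reported instead of ignored.
    if ! not_after=$(openssl s_client -connect "$host:443" -servername "$host" \
                      -verify_return_error </dev/null 2>/dev/null \
                     | openssl x509 -noout -enddate); then
        echo "FAIL TLS verification failed for $host"; return 1
    fi
    days=$(days_until_expiry "$not_after" "$(date +%s)")
    echo "OK   certificate verified, $days days left ($not_after)"
    # certbot renews when fewer than 30 days remain; below that, check its timer.
    [ "$days" -ge 30 ] || echo "WARN renewal overdue? run: sudo certbot renew --dry-run"
}

# Usage: ./check_tls.sh principal.mondomaine.com   (host name is a placeholder)
if [ $# -eq 1 ]; then check_site "$1"; fi
```

Running it from outside the network exercises the same path as the curl calls above, but with the certificate actually verified against the system trust store.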