
Creating a Let's Encrypt certificate for Apache on Ubuntu 18.04

Requirements

  • An Ubuntu 18.04 server configured according to this guide.
  • An FQDN. This guide uses the placeholder domain example.com.
  • DNS A records for example.com and www.example.com pointing to the server's public IP address.
  • The Apache web server installed according to this guide. This guide uses /etc/apache2/sites-available/example.com.conf as the virtual host.

Installing Certbot

First install the Certbot client. It can be installed from the standard Ubuntu repository:

$ sudo apt update && sudo apt upgrade
$ sudo apt install certbot

Creating a strong DH (Diffie-Hellman) group

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel. We’re going to generate a new set of 2048 bit DH parameters to strengthen the security:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Obtaining a Let's Encrypt SSL certificate

To obtain an SSL certificate for our domain we’re going to use the Webroot plugin that works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.

To keep things simple, we're going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

The following commands will create the directory and make it writable for the Apache server.

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code, create the following two configuration snippets.

/etc/apache2/conf-available/letsencrypt.conf:

# Serve ACME HTTP-01 challenge files from the shared webroot created above
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

/etc/apache2/conf-available/ssl-params.conf:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

# Use the 2048-bit DH parameters generated earlier
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
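Before enabling ssl-params.conf on a server it is worth checking that none of the hardening above was lost in editing. The script below is an added example, not part of the original page: it parses an Apache mod_ssl snippet and reports legacy protocols left enabled by SSLProtocol, missing or inverted SSLCompression/SSLSessionTickets/SSLHonorCipherOrder/SSLUseStapling settings, and an HSTS header that is absent or shorter than one year. The one-year threshold and the WEAK_SNIPPET sample are my own choices.

```python
import re

# Directives a hardened snippet must set (values compared case-insensitively).
EXPECTED = {"SSLHonorCipherOrder": "on", "SSLCompression": "off",
            "SSLSessionTickets": "off", "SSLUseStapling": "on"}
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
ONE_YEAR = 31536000  # assumed minimum HSTS max-age worth accepting

# Constructed sample: a snippet that forgot most of the hardening above.
WEAK_SNIPPET = """\
SSLProtocol all -SSLv3
SSLCompression on
Header always set Strict-Transport-Security "max-age=300"
"""

def parse_directives(text):
    """Yield (name, value) pairs, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1] if len(parts) > 1 else ""

def enabled_legacy_protocols(value):
    """Resolve an SSLProtocol value, either 'all -X -Y' or an explicit list."""
    tokens = value.split()
    if any(t.lower() == "all" for t in tokens):
        disabled = {t[1:] for t in tokens if t.startswith("-")}
        return [p for p in LEGACY_PROTOCOLS if p not in disabled]
    enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    return [p for p in LEGACY_PROTOCOLS if p in enabled]

def audit(text):
    """Return a list of findings; an empty list means the snippet passes."""
    directives = list(parse_directives(text))
    last = dict(directives)  # Apache keeps the last occurrence of a directive
    findings = []
    for name, want in EXPECTED.items():
        have = last.get(name)
        if have is None:
            findings.append(f"{name} is not set")
        elif have.lower() != want:
            findings.append(f"{name} is {have}, expected {want}")
    for proto in enabled_legacy_protocols(last.get("SSLProtocol", "all")):
        findings.append(f"SSLProtocol still allows {proto}")
    hsts = [v for n, v in directives if n == "Header" and "Strict-Transport-Security" in v]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if age is None or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS header missing or max-age shorter than one year")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_SNIPPET):
        print(finding)
```

Run it against the page's ssl-params.conf and it returns no findings; against WEAK_SNIPPET it lists the eight problems.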
software/linux/letsencrypt_apache_ubuntu.txt · Last modified: 2019/10/10 07:06 by oleg