This shows the differences between two versions of the page.
admin_grundlagen:dehydrated [2023/08/02 15:20] ingo_wichmann
admin_grundlagen:dehydrated [2024/04/25 15:20]
Zeile 1: | Zeile 1: | ||
- | ====== Let's Encrypt mit dehydrated ====== | ||
- | Pakete: | ||
- | * ''dehydrated'' ''dehydrated-apache2'' ''apache2'' ''ssl-cert'' (Debian 11) | ||
- | |||
- | apachectl graceful | ||
- | useradd -r -s /bin/false -d /var/lib/dehydrated/ dehydrated | ||
- | gpasswd -a www-data ssl-cert | ||
- | |||
- | <file txt /etc/dehydrated/conf.d/server.lxht.de.sh> | ||
- | # CA="https://acme-staging-v02.api.letsencrypt.org/directory" | ||
- | DEHYDRATED_USER=dehydrated | ||
- | DEHYDRATED_GROUP=ssl-cert | ||
- | CONTACT_EMAIL=admin@example.com | ||
- | </file> | ||
- | |||
- | dpkg-statoverride --update --add dehydrated ssl-cert 2750 /var/lib/dehydrated | ||
- | dpkg-statoverride --update --add dehydrated ssl-cert 2750 /var/lib/dehydrated/acme-challenges | ||
- | |||
- | Letsencrypt Account anlegen: | ||
- | dehydrated --register --accept-terms | ||
- | ls -l /var/lib/dehydrated/accounts/* | ||
- | |||
- | <file txt /etc/dehydrated/domains.txt> | ||
- | server.lxht.de cname.lxht.de | ||
- | </file> | ||
- | dehydrated service anlegen: | ||
- | systemctl edit --full --force dehydrated.service | ||
- | <file txt /etc/systemd/system/dehydrated.service> | ||
- | [Unit] | ||
- | Description=get let's encrypt certificate via dehydrated | ||
- | |||
- | [Service] | ||
- | Type=oneshot | ||
- | User=dehydrated | ||
- | Group=ssl-cert | ||
- | WorkingDirectory=/var/lib/dehydrated | ||
- | ExecStart=/usr/bin/dehydrated -c | ||
- | ProtectSystem=strict | ||
- | ProtectHome=yes | ||
- | ReadWritePaths=/var/lib/dehydrated | ||
- | PrivateTmp=yes | ||
- | </file> | ||
- | |||
- | Dafür sorgen, dass beim Aktualisieren der Zertifikate die Dienste neu gestartet werden: | ||
- | systemctl edit dehydrated.service | ||
- | |||
- | <file txt /etc/systemd/system/dehydrated.service.d/override.conf> | ||
- | [Service] | ||
- | ExecStartPost=+/usr/sbin/service apache2 reload | ||
- | ExecStartPost=+/usr/sbin/service dovecot reload | ||
- | ExecStartPost=+/usr/sbin/service postfix reload | ||
- | </file> | ||
- | |||
- | systemctl start dehydrated.service | ||
- | journalctl -eu dehydrated.service | ||
- | |||
- | systemctl edit --full --force dehydrated.timer | ||
- | <file txt /etc/systemd/system/dehydrated.timer> | ||
- | [Unit] | ||
- | Description=get certificates with dehydrated | ||
- | |||
- | [Timer] | ||
- | OnCalendar=*-*-21 17:45 | ||
- | Persistent=true | ||
- | |||
- | [Install] | ||
- | WantedBy=timers.target | ||
- | </file> | ||
- | systemctl enable --now dehydrated.timer | ||
- | |||
- | Apache- und OpenSSL-Version nachsehen ... | ||
- | dpkg -l apache2 | ||
- | dpkg -l openssl | ||
- | ... und Konfiguration gemäß Vorlage von https://ssl-config.mozilla.org/ erstellen. | ||
- | |||
- | Je nach gewählter Konfiguration (modern, intermediate, old) wird eine Datei mit Diffie-Hellman Parametern benötigt. | ||
- | |||
- | In den Kommentarzeilen steht falls nötig wie man die erstellen kann. Da wird je nach Auswahl vorgeschlagen, sie herunter zu laden. Alternativ kann man sie mit etwas Geduld auch selbst erstellen (hier für intermediate): | ||
- | openssl dhparam -out /etc/ssl/dhparam.pem 2048 | ||
- | |||
- | <file txt /etc/apache2/conf-available/tls.conf> | ||
- | # generated 2022-05-22, Mozilla Guideline v5.6, Apache 2.4.53, OpenSSL 1.1.1k, intermediate configuration | ||
- | # https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1k&guideline=5.6 | ||
- | |||
- | # this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers | ||
- | <VirtualHost *:80> | ||
- | RewriteEngine On | ||
- | RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | ||
- | RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] | ||
- | </VirtualHost> | ||
- | |||
- | <VirtualHost *:443> | ||
- | SSLEngine on | ||
- | |||
- | # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams | ||
- | SSLCertificateFile /var/lib/dehydrated/certs/server.lxht.de/fullchain.pem | ||
- | SSLCertificateKeyFile /var/lib/dehydrated/certs/server.lxht.de/privkey.pem | ||
- | |||
- | # enable HTTP/2, if available | ||
- | Protocols h2 http/1.1 | ||
- | |||
- | # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) | ||
- | Header always set Strict-Transport-Security "max-age=63072000" | ||
- | </VirtualHost> | ||
- | |||
- | # intermediate configuration | ||
- | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | ||
- | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | ||
- | SSLHonorCipherOrder off | ||
- | SSLSessionTickets off | ||
- | |||
- | SSLUseStapling On | ||
- | SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" | ||
- | </file> | ||
- | a2enmod ssl | ||
- | a2enmod socache_shmcb | ||
- | a2enmod rewrite | ||
- | a2enmod headers | ||
- | a2dissite 000-default | ||
- | a2enconf tls | ||
- | |||
- | TODO: muss dhparam.pem bei jedem neuen Zertifikat erneut an fullchain.pem angehangen werden? |
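Review bot: the TODO on the last line of this hunk has an answer in the lines above it, and the answer is "do not append at all": `SSLCertificateFile` points at `/var/lib/dehydrated/certs/server.lxht.de/fullchain.pem`, which dehydrated rewrites on every renewal, so any DH parameters appended there are lost each cycle, and the commented `curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/...` line is never actually carried out in this config anyway. The `/etc/ssl/dhparam.pem` generated with `openssl dhparam` earlier in the hunk can instead be loaded from the global section next to `SSLProtocol`/`SSLCipherSuite` with `SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"` (Apache 2.4.8+ with OpenSSL 1.0.2+, so fine for the 2.4.53/1.1.1k pair named in the header comment), which keeps the DH file out of the renewal path entirely. Two smaller points in the same hunk: `apachectl graceful` is listed before the `useradd`, `gpasswd` and `dpkg-statoverride` steps it depends on, so the order of those lines should be swapped; and the three `ExecStartPost=+/usr/sbin/service ... reload` lines in `override.conf` reload apache2, dovecot and postfix on every timer run even when no certificate was renewed, whereas a `deploy_cert` hook configured via dehydrated's `HOOK=` setting would only fire when a new certificate was actually written. The `RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/` exception on the port-80 vhost, together with the `gpasswd -a www-data ssl-cert` line and the `dehydrated:ssl-cert` 2750 overrides, is what lets `www-data` serve the http-01 challenge files despite the blanket HTTPS redirect, so those lines should be kept together in any reworked version.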