The mass migration of sites to an encrypted protocol is gaining momentum every day. Where obtaining a certificate used to be a tedious chore, today you can easily get one for free, with only a basic check that you control the domain.
The service that makes this possible is Let's Encrypt. This certificate authority entered beta on December 3, 2015, and its user base has been growing ever since.
Let's Encrypt issues certificates valid for 90 days, but renewal is fully automated. At the time of writing, the certbot package can be installed on Debian from the backports repository; it makes it easy to obtain certificates and renews them automatically via a cron job that runs twice a day.
First of all, enable the backports repository, which also provides a recent version of nginx compiled with ALPN support.
Then install certbot:
aptitude install -t jessie-backports certbot
Obtaining a certificate for nginx
To obtain a certificate for this web server we use the webroot plugin, which works with any web server, even lighttpd.
The command to obtain the certificate looks like this:
certbot certonly --webroot -w /var/www/example.com -d example.com -d www.example.com
Here the -w switch gives the full path to the site's document root on the server, and each -d switch names a domain for which you want the certificate. You can obtain a certificate covering five domains at once. Don't forget to specify the domain both with and without www. ;)
The site directory must exist and be reachable from the Internet, so that Let's Encrypt can verify through certbot that the domain is really yours and that the site is working.
The issued certificates are placed in the /etc/letsencrypt/live/yourdomain.com/ directory. In the server config, use fullchain.pem as the certificate and privkey.pem as the key. Example:
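The webroot plugin works by writing a challenge file under <webroot>/.well-known/acme-challenge/ that Let's Encrypt then fetches over plain HTTP, so the most common failure is that path not being writable or not being served. The following pre-flight script is an added example (not from the article): it drops a test token into that directory and, given the site's HTTP URL, fetches it back with curl to confirm the path is really reachable before you run certbot. The webroot path and URL are assumed example values.

```shell
#!/bin/sh
# Pre-flight check for the certbot webroot plugin (added example, not the
# article's own code). The plugin writes challenge files under
#   <webroot>/.well-known/acme-challenge/
# and Let's Encrypt fetches them over plain HTTP, so that directory must be
# writable locally and served publicly.

# Print the directory certbot will write challenge files into.
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Create the challenge directory and place a token file in it.
# Prints the token file's path; returns non-zero if it cannot be written.
place_test_token() {
    webroot="$1"
    dir=$(challenge_dir "$webroot")
    mkdir -p "$dir" || return 1
    token="preflight-$$"
    printf '%s\n' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# Fetch the token back over HTTP and compare it with what was written.
# $1 = webroot directory, $2 = base URL such as http://example.com
# The token file is removed afterwards regardless of the result.
verify_webroot() {
    webroot="$1"; base="$2"
    path=$(place_test_token "$webroot") || { echo "webroot not writable: $webroot" >&2; return 1; }
    name=$(basename "$path")
    got=$(curl -fsS "$base/.well-known/acme-challenge/$name"); rc=$?
    rm -f "$path"
    if [ "$rc" -ne 0 ] || [ "$got" != "$name" ]; then
        echo "challenge path is NOT served from $base (got: '$got')" >&2
        return 1
    fi
    echo "OK: $base serves $(challenge_dir "$webroot")"
}

# Usage (assumed example values): sh preflight.sh /var/www/example.com http://example.com
if [ "$#" -eq 2 ]; then
    verify_webroot "$1" "$2"
fi
```

If the fetch fails, the usual culprits are a redirect from HTTP to HTTPS that returns an error, or a server block that does not serve files from the directory you passed to -w.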
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
What about Apache?
You can get a certificate for Apache as well, either with the webroot method described above or with the dedicated Apache plugin. In the latter case a different package has to be installed:
aptitude install -t jessie-backports python-certbot-apache
The certificate is then obtained and installed with a single, simpler command:
certbot --apache
Or, if you want to configure Apache by hand:
certbot certonly --apache
Naturally, the site must already be configured in this case. Unfortunately, I cannot describe my own experience with certbot for Apache, since I have not used this web server for a long time. Therefore, I recommend reading the official documentation (in English).
As with nginx, the paths to the certificate and key are specified in the virtual host configuration file:
SSLCertificateFile "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
Automatic certificate renewal via cron
As mentioned earlier, the package installs a renewal job in /etc/cron.d/certbot that runs twice a day. The job looks like this:
0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew
All certbot activity is logged, and the logs can be found in the /var/log/letsencrypt/ directory. This can help if you run into problems. In my experience, though, none have arisen so far. :)
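A quiet cron job is only as good as the checks around it: if renewal silently fails, the first symptom is an expired certificate. The script below is an added example (not from the article) that reads the expiry date straight out of each fullchain.pem under /etc/letsencrypt/live/ and reports how many days remain, so it can be run by hand or from monitoring. It assumes openssl and GNU date are available; the 30-day threshold is certbot's own default for deciding that a certificate is due for renewal, so a value that stays below it and keeps falling means the cron job is not doing its work and /var/log/letsencrypt/ deserves a look.

```shell
#!/bin/sh
# Report remaining validity of Let's Encrypt certificates (added example, not
# the article's own code). Requires openssl and GNU date.

# Print the number of whole days until the certificate in $1 expires.
# 0 means it expires today; a negative value means it has already expired.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
    end_s=$(date -d "$end" +%s) || return 1
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Classify a certificate as "ok", "renew-soon" or "expired".
# $2 overrides the threshold; the default of 30 days matches certbot's
# own renewal threshold, so "renew-soon" on a cron-managed host is a warning.
cert_status() {
    days=$(cert_days_left "$1") || return 1
    threshold="${2:-30}"
    if [ "$days" -le 0 ]; then
        echo expired
    elif [ "$days" -lt "$threshold" ]; then
        echo renew-soon
    else
        echo ok
    fi
}

# Walk every certificate certbot manages and print domain, days left and status.
# Usage: sh cert-check.sh [/etc/letsencrypt/live]
if [ "$#" -ge 1 ] || [ -d /etc/letsencrypt/live ]; then
    live="${1:-/etc/letsencrypt/live}"
    for d in "$live"/*/; do
        [ -f "$d/fullchain.pem" ] || continue
        printf '%s\t%s days\t%s\n' "$(basename "$d")" \
            "$(cert_days_left "$d/fullchain.pem")" "$(cert_status "$d/fullchain.pem")"
    done
fi
```

To exercise the renewal path without waiting for the 30-day window, certbot also offers "certbot renew --dry-run", which performs the whole exchange against the staging environment and writes nothing to /etc/letsencrypt/live/.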