• Vogliamo installare un certificato ssl con

CNAME= www.example.com

ALTN: webmail.example.com

• Il sito è servito da un webserver apache, con webroot in

/var/www/example.com/www/html/

• Il pacchetto è obsoleto, occorre installare il backport di stretch

• Installare prima il pacchetto dai backports di Jessie:

echo deb http://archive.debian.org/debian jessie-backports main contrib non-free >> /etc/apt/sources.list
echo "Acquire::Check-Valid-Until "false";" >> /etc/apt/apt.conf

apt-get update
apt-get install dehydrated dehydrated-apache2
cd /tmp
wget http://ftp.it.debian.org/debian/pool/main/d/dehydrated/dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb
dpkg -i dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb

• Verificare la versione

dehydrated --version| grep 'Dehydrated version:'

Dehydrated version: 0.6.2

• Forzare API V2

 cat << EOFile  > /etc/dehydrated/conf.d/CA.sh 
# To be acme v2 compliant
# Production
CA="https://acme-v02.api.letsencrypt.org/directory"

# Staging
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
EOFile

• Abilitare backports
• Installare

apt-get install dehydrated dehydrated-apache2 -t stretch-backports

apt-get install dehydrated dehydrated-apache2

• ATTENZIONE: se si usa una proxypass, bisogna disabilitare l'eccezione:

sudoedit /etc/apache2/conf-enabled/dehydrated.conf

<IfModule proxy_module>
   # Do not proxy ACME challenge responses
   #ProxyPass /.well-known/acme-challenge/ !
</IfModule>

systemctl restart apache2

• Configurare CONTACT_EMAIL

sudoedit /etc/dehydrated/conf.d/00-CONTACT_EMAIL.sh 

CONTACT_EMAIL=admin@example.com

• Creare hook

cd /etc/dehydrated/
 mkdir hooks
 cd hooks/
 vi deploy.sh

#!/bin/bash
#
# MUST BE RUN AS ROOT
#
#set -x
BASEDIR="/var/lib/dehydrated"
SSLDIR="/etc/ssl"
SERVICES="apache2 dovecot postfix vsftpd"

RESTART=false

CERTS=$(/bin/ls -x ${BASEDIR}/certs/)

for CERT in $CERTS
do
	# Check if CA certificate has changed
  	if !(diff -q ${BASEDIR}/certs/${CERT}/chain.pem ${SSLDIR}/certs/letsencrypt.org.pem 2>&1 > /dev/null)
	then
		cp -L ${BASEDIR}/certs/${CERT}/chain.pem /usr/local/share/ca-certificates/letsencrypt.org.crt
		/usr/sbin/update-ca-certificates > /dev/null
	fi

	# Check if the certificate has changed
  	if !(diff -q ${BASEDIR}/certs/${CERT}/fullchain.pem ${SSLDIR}/certs/${CERT}.crt > /dev/null)
	then
		echo "Certificate for ${CERT} has been renewed."
		cp -L "${BASEDIR}/certs/${CERT}/privkey.pem"   "${SSLDIR}/private/${CERT}.key"
		cp -L "${BASEDIR}/certs/${CERT}/fullchain.pem" "${SSLDIR}/certs/${CERT}.crt"
		chmod 400 "${SSLDIR}/private/${CERT}.key"
		chmod 644 "${SSLDIR}/certs/${CERT}.crt"
		RESTART=true
		# Clean up old keys and certs
		sudo /usr/bin/dehydrated --cleanup > /dev/null
	fi
done


if $RESTART
then
	for SRV in $SERVICES
	do
		echo Restart $SRV
		systemctl restart $SRV > /dev/null
	done
fi

chmod +x deploy.sh 

• Creare cron

sudoedit /etc/cron.d/dehydrated 

MAILTO=admin@example.com
01 11 * * * root /usr/bin/dehydrated --cron > /dev/null
11 11 * * * root /etc/dehydrated/hooks/deploy.sh > /dev/null

• Impostare il nome del certificato

sudoedit /etc/dehydrated/domains.txt 

www.example.com aliasname.example.com

• Impostare la modalità di staging, per richiedere un certificato di test:

sudoedit /etc/dehydrated/conf.d/00-STAGING.sh

CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CA_TERMS="https://acme-staging-v02.api.letsencrypt.org/terms"

• Richiederlo

/usr/bin/dehydrated --register --accept-terms
/usr/bin/dehydrated --cron

• Certificati saranno in:

/var/lib/dehydrated/certs/www.example.com/fullchain.pem
/var/lib/dehydrated/certs/www.example.com/privkey.pem

• Disabilitare la modalità di test:

sudo rm /etc/dehydrated/conf.d/00-STAGING.sh

• Rimuovere i certificati:

sudo rm -rf /var/lib/dehydrated/certs/www.example.com

• Richiedere il vero certificato:

/usr/bin/dehydrated --register --accept-terms
/usr/bin/dehydrated --cron

• Per verificare l'attendibilità della richiesta, il server di Letsencrypt cercherà di reperire il files di verifica all'url

http://www.example.com/.well-known/acme-challenge/

• Quindi bisogna creare questa risorsa sul server apache in HTTP non in https, dove dovranno essere posizionati ifiles di verifica creati da letsencrypt.sh

• You need to make sure that all (sub-)domains that you want to sign have access to this directory! That includes rewrites etc.

• The acme validation is done only using plain http and will not honour redirects etc.

• Se fosse attivo un redirect HTTP-HTTPS, escludere il percorso di validazione dal redirect direttamente nel virtualhost (vedi Le regole di redirect globali di Apache vengono ignorate in un VirtualHost):

    RewriteEngine   on
    RewriteRule     ^/.well-known/acme-challenge/ - [L]
    RewriteCond     %{SERVER_PORT} ^80$
    RewriteRule     ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

• Verificare l'accessibilità in HTTP (NON in https)) del'url

http://www.example.com/.well-known/acme-challenge/

sudoedit /etc/apache2/conf-available/dehydrated.conf

<Directory "/etc/dehydrated/.well-known/acme-challenge/">
   Options None
   AllowOverride None
   Require all granted
   Header add Content-Type text/plain
</Directory>

Alias /.well-known/acme-challenge/ /etc/dehydrated/.well-known/acme-challenge/

sudo a2enconf  dehydrated

sudoedit /etc/apache2/conf.d/letsencrypt.conf

<Directory "/etc/dehydrated/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>

Alias /.well-known/acme-challenge/ /etc/dehydrated/.well-known/acme-challenge/

• Creare il file contenente i certificati da richiedere

cd /etc/dehydrated

sudoedit domains.txt

www.example.com example.com

• Testarlo:

sudo /etc/dehydrated/cron/dehydrated.cron

• Se tutto funziona, i certificati saranno in

/var/lib/dehydrated/certs/www.example.com/

privkey.pem è la private key

fullchain.pem è il certificato concatenato con le CA

cert.pem è il certificato standalone

• I certificati verranno utilizzati in apache come:

SSLCertificateKeyFile /var/lib//dehydrated/certs/www.example.com/privkey.pem
SSLCertificateFile    /var/lib//dehydrated/certs/www.example.com/fullchain.pem
SSLCertificateChainFile /var/lib/dehydrated/certs/www.example.com/fullchain.pem

• Riavviare Apache e testare l'accesso in HTTPS:

sudo /etc/init.d/apache2 restart

• Testare la qualità del certificato: https://www.ssllabs.com/ssltest/

• Copiamo i certificati manualmente per essere usati da Apache:

sudo cp -i /etc/dehydrated/certs/www.example.com/fullchain.pem /etc/ssl/certs/www.example.com.crt
sudo cp -i /etc/dehydrated/certs/www.example.com/privkey.pem   /etc/ssl/private/www.example.com.key

• Installare la CA:

sudo cp -i /etc/dehydrated/certs/www.example.com/chain.pem /usr/local/share/ca-certificates/letsencrypt.org.crt
sudo update-ca-certificates

• Verificare che sia presente:

ls /etc/ssl/certs/letsencrypt.org.pem

lrwxrwxrwx 1 root root 52 Feb 29 10:16 /etc/ssl/certs/letsencrypt.org.pem -> /usr/local/share/ca-certificates/letsencrypt.org.crt

• La definzione dei certificati sarà quindi:

SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
SSLCertificateChainFile /etc/ssl/certs/www.example.com.crt

• Ora dehydrated provvederà rinnovare il certificato quando avrà meno di 30 giorni di validità. Dobbiamo implementare il meccanismo con cui i certificati vengono ricaricati in Apache al loro rinnovo

• Se si sono dichiarati i certificti nella posizione standard /etc/ssl, allora i certificati dovranno essere spostati nelle relative directory sotto /etc/ssl

• Creiamo un altro script, che dovrà esere eseguito come root, che confronta i certificati in uso con quelli

sudoedit /etc/letsencrypt.sh/hooks/deploy.sh

#!/bin/bash
#
# MUST BE RUN AS ROOT
#

BASEDIR="/etc/letsencrypt.sh"
SSLDIR="/etc/ssl"

CERTS=$(/bin/ls -x ${BASEDIR}/certs/)

for CERT in $CERTS
do
	# Check if the certificate has changed
  	if !(diff -q ${BASEDIR}/certs/${CERT}/fullchain.pem ${SSLDIR}/certs/${CERT}.crt > /dev/null)
	then
		echo "Certificate for ${CERT} has been renewed."
		cp -L "${BASEDIR}/certs/${CERT}/privkey.pem"   "${SSLDIR}/private/${CERT}.key"
		cp -L "${BASEDIR}/certs/${CERT}/fullchain.pem" "${SSLDIR}/certs/${CERT}.crt"
		chmod 400 "${SSLDIR}/private/${CERT}.key"
		chmod 644 "${SSLDIR}/certs/${CERT}.crt"

		# Restart relevant services
		#  [[ "${jail}" = "http" ]] && jexec ${jail} service apache24 restart
	  	#[[ "${jail}" = "mail" ]] && jexec ${jail} service smtpd    restart
		/etc/init.d/apache2 restart > /dev/null

		# Clean up old keys and certs
		sudo -u letsencrypt.sh /usr/local/bin/letsencrypt.sh --cleanup > /dev/null
	fi
done

• Renderlo eseguibile, e testarlo: non deve fare nulla:

sudo chmod a+x /etc/letsencrypt.sh/hooks/deploy.sh

sudo /etc/letsencrypt.sh/hooks/deploy.sh

• Impostarne l'esecuzione COME ROOT subito dopo il lancio di letsencrypt. Attenzione: viene usato sudo nello script:

sudoedit /etc/cron.d/letsencrypt

11 11 * * * root            /etc/letsencrypt.sh/hooks/deploy.sh

• BernardSpil/LetsEncrypt - FreeBSD Wiki

 openssl req -new -sha256 -key domain.key -subj "/CN=www.rvmgroup.it" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:www.rvmgroup.it,DNS:support.rvmgroup.it,DNS:smtp.rvmgroup.it,DNS:webmail.rvmgroup.it")) |sudo tee domain.csr

 openssl req -in domain.csr -text -noout

 sudo python /opt/acme-tiny/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/rvmgroup.it/www/html/.well-known/acme-challenge/ | sudo tee ./signed.crt

 openssl x509 -in signed.crt -text -noout

 wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem | sudo tee intermediate.pem

 cat signed.crt intermediate.pem | sudo tee chained.pem