Setting up getssl
Note: the DNS setup for the host must already work before getssl can succeed. The ACME server fetches the HTTP challenge token from the host name being certified, so the name has to resolve to this server and port 80 must be reachable from the Internet; otherwise validation fails.
- For a (web) host with its own SSL certificate:
  - change into the directory ~root/.getssl
  - create the host/domain directory:
        mkdir twiki.mtronig.de
  - create the configuration file twiki.mtronig.de/getssl.cfg:
        # Uncomment and modify any variables you need
        # see https://github.com/srvrco/getssl/wiki/Config-variables for details
        # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
        #
        # The staging server is best for testing
        #CA="https://acme-staging-v02.api.letsencrypt.org/directory"
        # This server issues full certificates, however has rate limits
        #CA="https://acme-v02.api.letsencrypt.org"

        #PRIVATE_KEY_ALG="rsa"

        # Additional domains - this could be multiple domains / subdomains in a comma separated list
        # Note: this is Additional domains - so should not include the primary domain.
        #SANS="trac.mtronig.de"

        # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
        # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
        # An ssh key will be needed to provide you with access to the remote server.
        # Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
        # If left blank, the username on the local server will be used to authenticate against the remote server.
        # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
        # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
        # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
        #ACL=('/var/www/twiki.mtronig.de/web/.well-known/acme-challenge'
        #     'ssh:server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
        #     'ssh:sshuserid@server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
        #     'ftp:ftpuserid:ftppassword:usvn.vpn21.net:/web/.well-known/acme-challenge')

        #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
        #USE_SINGLE_ACL="false"

        # Location for all your certs, these can either be on the server (full path name)
        # or using ssh /sftp as for the ACL
        DOMAIN_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/server.crt"
        DOMAIN_KEY_LOCATION="/var/www/twiki.mtronig.de/ssl/server.key_decrypted"
        CA_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/ca-bundle.pem"
        #DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
        #DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert

        # The command needed to reload apache / nginx or whatever you use
        #RELOAD_CMD=""

        # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
        # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
        # will be checked for certificate expiry and also will be checked after
        # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
        #SERVER_TYPE="https"
        #CHECK_REMOTE="true"
    Note on DOMAIN_KEY_LOCATION: this places the unencrypted private key below /var/www. Make sure the ssl/ directory is not inside the served DocumentRoot (or is otherwise not served by Apache) and that the key file is readable by root only (mode 0600); a world-readable or web-accessible key lets anyone impersonate the host.
  - test the getssl configuration:
        getssl twiki.mtronig.de
  - if necessary, force the test (-f forces a renewal even when the existing certificate is not yet due):
        getssl -f twiki.mtronig.de
    The result should look like this:
        # getssl -f twiki.mtronig.de
        Registering account
        Verify each domain
        Verifying twiki.mtronig.de
        twiki.mtronig.de is already validated
        Verification completed, obtaining certificate.
        Requesting Finalize Link
        Requesting Order Link
        Requesting certificate
        Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
        Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
        copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
        copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
        copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
        reloading SSL services
         * Gracefully restarting apache2 ...                                   [ ok ]
        twiki.mtronig.de - certificate installed OK on server
        certificate obtained for twiki.mtronig.de
        #
  - switch the "staging" configuration to the production configuration: deactivate the line CA="https://acme-staging-v02.api..." (it may already be inactive, because the global getssl configuration sets this CA) and activate the line CA="https://acme-v02.api.letsencrypt.org" instead. Only do this once the staging run succeeds: the production CA enforces rate limits, so failed attempts against it are costly.
  - obtain the production certificate:
        getssl twiki.mtronig.de
    The result should look roughly like this:
        # getssl twiki.mtronig.de
        Registering account
        Verify each domain
        Verifying twiki.mtronig.de
        copying challenge token to /var/www/letsencrypt/Yfh65tFtentC8QnrHM3eSH3WFfOmmcVTNlJk3XGYaRk
        sending request to ACME server saying we're ready for challenge
        checking if challenge is complete
        Pending
        checking if challenge is complete
        Verified twiki.mtronig.de
        Verification completed, obtaining certificate.
        Requesting Finalize Link
        Requesting Order Link
        Requesting certificate
        Full certificate saved in /root/.getssl/twiki.mtronig.de/fullchain.crt
        Certificate saved in /root/.getssl/twiki.mtronig.de/twiki.mtronig.de.crt
        copying domain certificate to /var/www/twiki.mtronig.de/ssl/server.crt
        copying private key to /var/www/twiki.mtronig.de/ssl/server.key_decrypted
        copying CA certificate to /var/www/twiki.mtronig.de/ssl/ca-bundle.pem
        reloading SSL services
         * Gracefully restarting apache2 ...                                   [ ok ]
        twiki.mtronig.de - certificate installed OK on server
        certificate obtained for twiki.mtronig.de
        #
  - done - hooray!
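After the production run it is worth verifying what getssl actually copied to the web host before trusting the "certificate installed OK" line. The script below is an added example and not part of getssl or of the original page; it only assumes the openssl command-line tool is installed and uses the file names from the getssl.cfg above (server.crt, server.key_decrypted). It checks that the deployed certificate and private key belong together, that the key is readable by its owner only, that the issuer is not a Let's Encrypt staging CA (a staging certificate left behind is not trusted by browsers), and that the certificate has more than 30 days of validity left. The demo at the bottom runs against a constructed self-signed pair; on the real host call run_checks with the paths under /var/www/twiki.mtronig.de/ssl/ instead.

```shell
#!/bin/sh
# Added example: post-deployment checks for the files getssl copied to the web host.
# Not part of getssl; uses only the openssl CLI. File names follow the page's getssl.cfg.

# 0 if the certificate's public key matches the private key. A mismatch means Apache will
# refuse to start, or a stale key/cert pair is being served.
check_key_matches_cert() {
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# 0 if the private key is readable only by its owner (mode 0600 or 0400).
# server.key_decrypted is an unencrypted key below /var/www, so this matters.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 0 if the issuer looks like a Let's Encrypt staging CA ("(STAGING) ..." / "Fake LE ...").
is_staging_cert() {
    openssl x509 -in "$1" -noout -issuer | grep -qiE 'STAGING|Fake LE'
}

# 0 if the certificate is still valid $2 days from now.
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Runs all checks on cert $1 and key $2; prints one line per check, returns the failure count.
run_checks() {
    cert="$1"; key="$2"; fails=0
    check_key_matches_cert "$cert" "$key" && echo "ok   key matches cert" || { echo "FAIL key/cert mismatch"; fails=$((fails+1)); }
    check_key_perms "$key" && echo "ok   key permissions" || { echo "FAIL key readable by others"; fails=$((fails+1)); }
    is_staging_cert "$cert" && { echo "FAIL staging certificate deployed"; fails=$((fails+1)); } || echo "ok   production issuer"
    check_not_expiring "$cert" 30 && echo "ok   more than 30 days validity" || { echo "FAIL expires within 30 days"; fails=$((fails+1)); }
    return $fails
}

# Constructed test data: a self-signed cert/key pair standing in for getssl's output.
# $1 = output dir, $2 = subject CN (also the issuer, since self-signed), $3 = validity in days
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" -subj "/CN=$2" \
        -keyout "$1/server.key_decrypted" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key_decrypted"
}

# Demo on constructed data; on the real host use the paths from getssl.cfg instead.
demo_dir=$(mktemp -d)
make_test_pair "$demo_dir" twiki.example 90
run_checks "$demo_dir/server.crt" "$demo_dir/server.key_decrypted"
rm -rf "$demo_dir"
```

The staging check relies on the issuer name only, which is enough to catch the common mistake of forgetting to switch CA= before the final run; for a full trust check, additionally run openssl verify against the system CA store.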
- For a service host: tbd.
- For a host in a combined certificate (SANS): tbd.
Last modified on Aug 1, 2020, 5:00:15 PM
