Let's Encrypt is a free certificate authority that issues free SSL certificates, following the X.509 standard, for the TLS cryptographic protocol, by means of an automated process intended to replace today's complex one.
That process involves the manual creation, validation, signing, installation and renewal of the certificates used to secure next-generation web sites.
As of September 2020, more than 20 million certificates had been issued. The project aims to generalize the use of secure connections on the Internet, and to reduce very significantly the complexity of setting up and maintaining TLS encryption.
2. INSTALLING CERTBOT (LET'S ENCRYPT CLIENT)
su
# Bring the system up to date
apt-get update
apt-get upgrade
# Install the Let's Encrypt client (certbot)
apt-get install certbot
3. IMPORTING THE SERVICE SCRIPTS
The scripts used for its configuration (config.sh), for updating the DNS zone (auth.sh) and for cleaning it up again (cleanup.sh) are placed in the /root directory (this is the case of a local DNS server updated from its own machine).
4. CONTENTS OF THE SERVICE SCRIPTS (FOR INFORMATION)
4.1 Configuration parameters (config.sh) shared by the two other scripts
# Where to find zone files
ZONEFILE_DIR=/etc/bind/zones
# Zone file filename format
# Use %s as domain name
ZONEFILE_FILENAME_FORMAT="%s"
# Serial line comment in zone file.
# It is used to locate the serial line in the zone file
SERIAL_COMMENT_STRING="No de série"
4.2 Authentication script (auth.sh)
#!/bin/bash
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# certbot passes the domain being validated in CERTBOT_DOMAIN and the
# challenge token to publish in CERTBOT_VALIDATION.
BASEDIR=$(dirname "$0")
if [ ! -r "${BASEDIR}/config.sh" ]; then
    echo "***ERROR: Config file ${BASEDIR}/config.sh not found"
    exit 1
fi
source "${BASEDIR}/config.sh"

ZONEFILE_FILENAME=$(printf "${ZONEFILE_FILENAME_FORMAT}" "${CERTBOT_DOMAIN}")
ZONE_FILE="${ZONEFILE_DIR}/${ZONEFILE_FILENAME}"
if [ ! -f "${ZONE_FILE}" ]; then
    echo "***ERROR: zone file ${ZONE_FILE} not found"
    exit 1
fi

# The serial format is YYYYMMDDnn: today's date followed by a 2-digit increment
CURRENT_DATE=$(date +%Y%m%d)
ZONE_SERIAL=$(grep "${SERIAL_COMMENT_STRING}" "${ZONE_FILE}" | awk '{ print $1 }')
ZONE_SERIAL_DATE=${ZONE_SERIAL:0:8}
ZONE_SERIAL_INCREMENT=${ZONE_SERIAL:8:2}
if [ "${ZONE_SERIAL_DATE}" = "${CURRENT_DATE}" ]; then
    # 10# forces base 10: "08" and "09" would otherwise be rejected as invalid octal
    NEW_INCREMENT=$((10#${ZONE_SERIAL_INCREMENT} + 1))
    # we limit to increment 98 because we need 2 changes to first add the challenge,
    # then cleanup
    if [ ${NEW_INCREMENT} -le 0 -o ${NEW_INCREMENT} -gt 98 ]; then
        echo "***ERROR: increment is too big to keep serial format"
        exit 1
    fi
else
    NEW_INCREMENT="01"
fi
NEW_SERIAL=$(printf "${CURRENT_DATE}%02d" "${NEW_INCREMENT}")

echo "Freeze zone"
rndc freeze "${CERTBOT_DOMAIN}"
echo "Update serial"
# Replace the number on the line carrying the serial comment, keeping everything else
sed -i -re 's/^([^0-9]*)([0-9]+)([^0-9]*)('"${SERIAL_COMMENT_STRING}"')(.*)$/\1'"${NEW_SERIAL}"'\3\4\5/' "${ZONE_FILE}"
echo "Add challenge to zone file"
echo "_acme-challenge IN TXT ${CERTBOT_VALIDATION}" >> "${ZONE_FILE}"
echo "Release zone"
rndc thaw "${CERTBOT_DOMAIN}"
echo "Wait 5 seconds for replication to masters"
sleep 5
echo "Done"
4.3 Example cleanup script (cleanup.sh)
#!/bin/bash
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# certbot passes the domain being cleaned up in CERTBOT_DOMAIN.
BASEDIR=$(dirname "$0")
if [ ! -r "${BASEDIR}/config.sh" ]; then
    echo "***ERROR: Config file ${BASEDIR}/config.sh not found"
    exit 1
fi
source "${BASEDIR}/config.sh"

ZONEFILE_FILENAME=$(printf "${ZONEFILE_FILENAME_FORMAT}" "${CERTBOT_DOMAIN}")
ZONE_FILE="${ZONEFILE_DIR}/${ZONEFILE_FILENAME}"
if [ ! -f "${ZONE_FILE}" ]; then
    echo "***ERROR: zone file ${ZONE_FILE} not found"
    exit 1
fi

# Same serial bump as in auth.sh (format YYYYMMDDnn)
CURRENT_DATE=$(date +%Y%m%d)
ZONE_SERIAL=$(grep "${SERIAL_COMMENT_STRING}" "${ZONE_FILE}" | awk '{ print $1 }')
ZONE_SERIAL_DATE=${ZONE_SERIAL:0:8}
ZONE_SERIAL_INCREMENT=${ZONE_SERIAL:8:2}
if [ "${ZONE_SERIAL_DATE}" = "${CURRENT_DATE}" ]; then
    # 10# forces base 10: "08" and "09" would otherwise be rejected as invalid octal
    NEW_INCREMENT=$((10#${ZONE_SERIAL_INCREMENT} + 1))
    # we limit to increment 98 because we need 2 changes to first add the challenge,
    # then cleanup
    if [ ${NEW_INCREMENT} -le 0 -o ${NEW_INCREMENT} -gt 98 ]; then
        echo "***ERROR: increment is too big to keep serial format"
        exit 1
    fi
else
    NEW_INCREMENT="01"
fi
NEW_SERIAL=$(printf "${CURRENT_DATE}%02d" "${NEW_INCREMENT}")

echo "Freeze zone"
rndc freeze "${CERTBOT_DOMAIN}"
echo "Update serial"
sed -i -re 's/^([^0-9]*)([0-9]+)([^0-9]*)('"${SERIAL_COMMENT_STRING}"')(.*)$/\1'"${NEW_SERIAL}"'\3\4\5/' "${ZONE_FILE}"
echo "Remove challenge from zone file"
# Drop every _acme-challenge record appended by auth.sh
sed -i -e '/^_acme-challenge\s/d' "${ZONE_FILE}"
echo "Release zone"
rndc thaw "${CERTBOT_DOMAIN}"
echo "Done"
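Added example, not part of the page's own hook scripts: the serial bump that auth.sh and cleanup.sh both embed, extracted into functions that can be exercised against a constructed zone file without BIND or certbot. The zone content, the domain name and the dates are constructed sample values; the comment marker is the page's "No de série".

```shell
#!/bin/bash
# Added example: the YYYYMMDDnn serial update shared by auth.sh and cleanup.sh,
# written as testable functions. Zone file and dates below are constructed.

# next_serial CURRENT_SERIAL TODAY -> prints the new serial; returns 1 when the
# two-digit increment would overflow.
next_serial() {
    local serial="$1" today="$2"
    local serial_date="${serial:0:8}" increment="${serial:8:2}" new_increment
    if [ "$serial_date" = "$today" ]; then
        # 10# forces base 10: "08" and "09" would otherwise be invalid octal
        new_increment=$((10#${increment:-0} + 1))
        # 99 is kept free: each certbot run needs two bumps (add, then cleanup)
        if [ "$new_increment" -gt 98 ]; then
            echo "***ERROR: increment is too big to keep serial format" >&2
            return 1
        fi
    else
        new_increment=1
    fi
    printf '%s%02d\n' "$today" "$new_increment"
}

# bump_zone_serial ZONE_FILE COMMENT TODAY -> rewrites the serial line in place
# (same sed expression as the hooks) and prints the new serial.
bump_zone_serial() {
    local zone_file="$1" comment="$2" today="$3" current new
    current=$(grep -F -- "$comment" "$zone_file" | awk '{ print $1 }')
    new=$(next_serial "$current" "$today") || return 1
    sed -i -re 's/^([^0-9]*)([0-9]+)([^0-9]*)('"$comment"')(.*)$/\1'"$new"'\3\4\5/' "$zone_file"
    echo "$new"
}

# make_sample_zone PATH SERIAL -> writes a constructed minimal zone with the
# SOA fields on separate lines, as section 5 of the page requires.
make_sample_zone() {
    cat > "$1" <<EOF
\$TTL 3600
@ IN SOA ns1.domainepme.tld. hostmaster.domainepme.tld. (
        $2 ; No de série
        3600 ; Refresh
        900 ; Retry
        604800 ; Expire
        86400 ) ; Minimum
EOF
}

# Demo on a constructed zone in a temporary file
f=$(mktemp); make_sample_zone "$f" 2024061008
bump_zone_serial "$f" "No de série" 20240610   # prints 2024061009
rm -f "$f"
```

The serial 2024061008 is exactly the case where the page's original `$((08 + 1))` would abort with an "invalid octal number" error.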
5. GENERATING A 'WILDCARD' CERTIFICATE IN 'DNS-CHALLENGE' MODE
For the domain domainepme.tld
WARNING: the SOA header parameters, placed at the start of the detailed zone for the domain (/etc/bind/zones/domainepme.com), must each be on a separate line.
The comment on the serial number line must be exactly 'No de série' (the hook scripts use this comment as their marker; … see the article on setting up an authoritative DNS service).
cd /root
The following command must be run as 'root' (the wildcard name is quoted so the shell does not expand it):
certbot certonly \
  -d domainepme.tld -d '*.domainepme.tld' \
  --manual \
  --manual-auth-hook /root/auth.sh \
  --manual-cleanup-hook /root/cleanup.sh \
  --preferred-challenges dns \
  --agree-tos \
  -m debian@domainepme.tld \
  --server https://acme-v02.api.letsencrypt.org/directory
=> Saving debug log to /var/log/letsencrypt/letsencrypt.log
=> Plugins selected: Authenticator manual, Installer None
=> Obtaining a new certificate
=> Performing the following challenges:
=> dns-01 challenge for domainepme.tld
=> dns-01 challenge for domainepme.tld
=> – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
=> NOTE: The IP of this machine will be publicly logged as having requested this
=> certificate. If you’re running certbot in manual mode on a machine that is not
=> your server, please ensure you’re okay with that.
=>
=> Are you OK with your IP being logged?
=> – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
=> (Y)es/(N)o: Y
=>
=> Running manual-auth-hook command: /root/local-bind/auth.sh
=> Output from manual-auth-hook command auth.sh:
=> Freeze zone
=> Update serial
=> Add challenge to zone file
=> Release zone
=> A zone reload and thaw was started.
=> Check the logs to see the result.
=> Wait 5 seconds for repplication to masters
=> Done
=>
=> Waiting for verification…
=> Cleaning up challenges
=> Running manual-cleanup-hook command: /root/cleanup.sh
=> Output from manual-cleanup-hook command cleanup.sh:
=> Freeze zone
=> Update serial
=> Remove challenge from zone file
=> Release zone
=> A zone reload and thaw was started.
=> Check the logs to see the result.
=> Done
=>
=> Running manual-cleanup-hook command: /root/cleanup.sh
=> Output from manual-cleanup-hook command cleanup.sh:
=> Freeze zone
=> Update serial
=> Remove challenge from zone file
=> Release zone
=> A zone reload and thaw was started.
=> Check the logs to see the result.
=> Done
=>
=> IMPORTANT NOTES:
=> – Congratulations! Your certificate and chain have been saved at:
=> /etc/letsencrypt/live/domainepme.tld/fullchain.pem
=> Your key file has been saved at:
=> /etc/letsencrypt/live/domainepme.tld/privkey.pem
=> Your cert will expire on 2019-08-14. To obtain a new or tweaked
=> version of this certificate in the future, simply run certbot
=> again. To non-interactively renew *all* of your certificates, run
=> "certbot renew"
=> – If you like Certbot, please consider supporting our work by:
=>
=> Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
=> Donating to EFF: https://eff.org/donate-le
6. QUARTERLY MANUAL RENEWAL OF CERTIFICATES
certbot renew
7. AUTOMATIC QUARTERLY RENEWAL OF CERTIFICATES
crontab -e
Add the following entry:
43 6 * * * certbot renew -q --post-hook "systemctl reload nginx"
Here, every day at 06:43, certbot checks whether any certificate is due for renewal and renews it if so. The -q (quiet) option tells certbot to print nothing except error messages. Finally, --post-hook reloads the Nginx server after those operations. Note that crontab -e edits root's own crontab, which has no user column; a 'root' field before the command belongs only in /etc/crontab or a file under /etc/cron.d.