tachtler:let_s_encrypt_-_wildcard_zertifikat
Differences
tachtler:let_s_encrypt_-_wildcard_zertifikat [2018/08/30 08:52] – klaus | tachtler:let_s_encrypt_-_wildcard_zertifikat [2018/08/30 12:52] (current) – [Generierung] klaus
Zeile 6: | Zeile 6: | ||
[[https:// | [[https:// | ||
- | :!: **WICHTIG** - **Das Ausstellen von Wildcard-Zertifikaten durch [[https:// | + | :!: **WICHTIG** - **Das Ausstellen von Wildcard-Zertifikaten durch [[https:// |
+ | * **__zeitnah__ | ||
+ | * **__auf__ | ||
+ | **durchgeführt werden | ||
===== Vorbereitung ===== | ===== Vorbereitung ===== | ||
Zeile 145: | Zeile 149: | ||
Nachfolgendes '' | Nachfolgendes '' | ||
< | < | ||
- | # cp -a / | + | # cp -a / |
</ | </ | ||
Zeile 364: | Zeile 368: | ||
**__Erklärungen__**: | **__Erklärungen__**: | ||
+ | |||
+ | * <code bash># Tachtler | ||
+ | echo "" | ||
+ | echo "Add the following to the zone definition of ${DOMAIN}:" | ||
+ | echo " | ||
+ | echo "" | ||
+ | echo -n "Press enter to continue..." | ||
+ | read tmp | ||
+ | echo ""</ | ||
+ | |||
+ | Im Bereich **'' | ||
+ | |||
+ | :!: **HINWEIS** - **Dies ist das Zeitfenster, | ||
+ | |||
+ | * <code bash># Tachtler | ||
+ | echo "" | ||
+ | echo "Now you can remove the following from the zone definition of ${DOMAIN}:" | ||
+ | echo " | ||
+ | echo "" | ||
+ | echo -n "Press enter to continue..." | ||
+ | read tmp | ||
+ | echo ""</ | ||
+ | |||
+ | Im Bereich **'' | ||
+ | |||
+ | :!: **HINWEIS** - **Dies ist das Zeitfenster, | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Nachfolgende Konfigurationsdatei muss durch kopieren einer der in der Installation mitgelieferten Beispiel Konfigurationsdatei erstellt werden, was mit nachfolgendem Befehl durchgeführt werden kann: | ||
+ | < | ||
+ | # cp -a / | ||
+ | </ | ||
+ | |||
+ | Anschließend muss die Konfigurationsdatei wie folgt angepasst werden, damit diese, hier beschriebene Installation und Konfiguration, | ||
+ | |||
+ | **(Komplette Konfigurationsdatei)** | ||
+ | |||
+ | <code bash> | ||
+ | ######################################################## | ||
+ | # This is the main config file for dehydrated | ||
+ | # # | ||
+ | # This file is looked for in the following locations: | ||
+ | # $SCRIPTDIR/ | ||
+ | # / | ||
+ | # / | ||
+ | # ${PWD}/ | ||
+ | # # | ||
+ | # Default values of this config are in comments | ||
+ | ######################################################## | ||
+ | |||
+ | # Which user should dehydrated run as? This will be implictly enforced when running as root | ||
+ | # | ||
+ | |||
+ | # Which group should dehydrated run as? This will be implictly enforced when running as root | ||
+ | # | ||
+ | |||
+ | # Resolve names to addresses of IP version only. (curl) | ||
+ | # supported values: 4, 6 | ||
+ | # default: < | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | IP_VERSION=4 | ||
+ | |||
+ | # Path to certificate authority (default: https:// | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | # | ||
+ | # Tachtler - TESTING without LIMITATION - IMPORTANT !!! | ||
+ | CA=" | ||
+ | |||
+ | # Path to old certificate authority | ||
+ | # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint. | ||
+ | # If dehydrated detects an account-key for the old CA it will automatically reuse that key | ||
+ | # instead of registering a new one. | ||
+ | # default: https:// | ||
+ | # | ||
+ | |||
+ | # Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CHALLENGETYPE=" | ||
+ | |||
+ | # Path to a directory containing additional config files, allowing to override | ||
+ | # the defaults found in the main configuration file. Additional config files | ||
+ | # in this directory needs to be named with a ' | ||
+ | # default: < | ||
+ | #CONFIG_D= | ||
+ | |||
+ | # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | BASEDIR=" | ||
+ | |||
+ | # File containing the list of domains to request certificates for (default: $BASEDIR/ | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | DOMAINS_TXT=" | ||
+ | |||
+ | # Output directory for generated certificates | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CERTDIR=" | ||
+ | |||
+ | # Output directory for alpn verification certificates | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | ALPNCERTDIR=" | ||
+ | |||
+ | # Directory for account keys and registration information | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | ACCOUNTDIR=" | ||
+ | |||
+ | # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: / | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | WELLKNOWN=" | ||
+ | |||
+ | # Default keysize for private keys (default: 4096) | ||
+ | # | ||
+ | |||
+ | # Path to openssl config file (default: < | ||
+ | # | ||
+ | |||
+ | # Path to OpenSSL binary (default: " | ||
+ | # | ||
+ | |||
+ | # Extra options passed to the curl binary (default: < | ||
+ | #CURL_OPTS= | ||
+ | |||
+ | # Program or function called in certain situations | ||
+ | # | ||
+ | # After generating the challenge-response, | ||
+ | # Given arguments: clean_challenge|deploy_challenge altname token-filename token-content | ||
+ | # | ||
+ | # After successfully signing certificate | ||
+ | # Given arguments: deploy_cert domain path/ | ||
+ | # | ||
+ | # BASEDIR and WELLKNOWN variables are exported and can be used in an external program | ||
+ | # default: < | ||
+ | # Tachtler | ||
+ | # default: #HOOK= | ||
+ | HOOK=" | ||
+ | |||
+ | # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no) | ||
+ | # | ||
+ | |||
+ | # Minimum days before expiration to automatically renew certificate (default: 30) | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | RENEW_DAYS=" | ||
+ | |||
+ | # Regenerate private keys instead of just signing new certificates on renewal (default: yes) | ||
+ | # Tachtler | ||
+ | # See: https:// | ||
+ | # default: # | ||
+ | PRIVATE_KEY_RENEW=" | ||
+ | |||
+ | # Create an extra private key for rollover (default: no) | ||
+ | # | ||
+ | |||
+ | # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 | ||
+ | # | ||
+ | |||
+ | # E-mail to use during the registration (default: < | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CONTACT_EMAIL=hostmaster@tachtler.net | ||
+ | |||
+ | # Lockfile location, to prevent concurrent access (default: $BASEDIR/ | ||
+ | # | ||
+ | |||
+ | # Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no) | ||
+ | # | ||
+ | |||
+ | # Fetch OCSP responses (default: no) | ||
+ | # | ||
+ | |||
+ | # OCSP refresh interval (default: 5 days) | ||
+ | # | ||
+ | |||
+ | # Issuer chain cache directory (default: $BASEDIR/ | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CHAINCACHE=" | ||
+ | |||
+ | # Automatic cleanup (default: no) | ||
+ | # | ||
+ | |||
+ | # ACME API version (default: auto) | ||
+ | #API=auto | ||
+ | </ | ||
+ | |||
+ | **__Erklärungen__**: | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | Die Kommunikation mit den [[https:// | ||
+ | |||
+ | * <code bash># Tachtler | ||
+ | # default: # | ||
+ | # | ||
+ | # Tachtler - TESTING without LIMITATION - IMPORTANT !!! | ||
+ | CA=" | ||
+ | |||
+ | Während der Einrichtung und **Test**-Phase, | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | Ändern des **Anforderungstyps** auf '' | ||
+ | |||
+ | * <code bash> | ||
+ | # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | BASEDIR=" | ||
+ | |||
+ | # File containing the list of domains to request certificates for (default: $BASEDIR/ | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | DOMAINS_TXT=" | ||
+ | |||
+ | # Output directory for generated certificates | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CERTDIR=" | ||
+ | |||
+ | # Output directory for alpn verification certificates | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | ALPNCERTDIR=" | ||
+ | |||
+ | # Directory for account keys and registration information | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | ACCOUNTDIR=" | ||
+ | |||
+ | # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: / | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | WELLKNOWN=" | ||
+ | </ | ||
+ | |||
+ | Anpassung der einzelnen Pfade bzw. Verzeichnisse, | ||
+ | |||
+ | :!: **HINWEIS** - Diese Konfiguration entspricht der zuvor angelegten Verzeichnisstruktur! | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | Ausführung des Skriptes, welche die Änderungen für den **DNS**-Server ausgibt! | ||
+ | |||
+ | :!: **HINWEIS** - Diese Konfiguration entspricht der zuvor angelegten Verzeichnisstruktur! | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | Leufzeit bzw. Gültigkeit durch [[https:// | ||
+ | |||
+ | :!: **HINWEIS** - Hier können **maximal 90 Tage** eingestellt werden! | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | **Deaktiviert** die Erstellung eines **__neuen__ privaten Schlüssels**, | ||
+ | |||
+ | :!: **HINWEIS** - Der private Schlüssel sollte trotzdem von Zeit zu Zeit z.B. **1 x Jahr** erneuert werden! | ||
+ | |||
+ | * <code bash> | ||
+ | |||
+ | E-Mail-Adresse welche als Kontakt dienen soll. | ||
+ | |||
+ | * <code bash> | ||
+ | # Issuer chain cache directory (default: $BASEDIR/ | ||
+ | # Tachtler | ||
+ | # default: # | ||
+ | CHAINCACHE=" | ||
+ | |||
+ | Anpassung der einzelnen Pfade bzw. Verzeichnisse, | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Nachfolgende Konfigurationsdatei muss mit nachfolgendem Befehl, **neu** angelegt werden und enthält die bis zu **100 Subject Alternative Name (SAN)**, als **Liste** durch **Leerzeichen getrennt**: | ||
+ | < | ||
+ | # touch / | ||
+ | </ | ||
+ | |||
+ | Nachfolgendes Beispiel, zeigt einen möglichen Inhalt der Konfigurationsdatei | ||
+ | * ''/ | ||
+ | < | ||
+ | tachtler.net *.tachtler.net www.dokuwiki.tachtler.net | ||
+ | </ | ||
+ | |||
+ | ===== Konfiguration: | ||
+ | |||
+ | ==== / | ||
+ | |||
+ | Um das erstellte **Zertifikate** und den dazugehörigen **Schlüssel** auch in der Web-Server-Konfiguration einzubinden, | ||
+ | |||
+ | **(Nur relevanter Ausschnitt)**: | ||
+ | |||
+ | <code apache> | ||
+ | ... | ||
+ | # | ||
+ | # Point SSLCertificateFile at a PEM encoded certificate. | ||
+ | # the certificate is encrypted, then you will be prompted for a | ||
+ | # pass phrase. | ||
+ | # | ||
+ | # Tachtler | ||
+ | #default: # SSLCertificateFile / | ||
+ | SSLCertificateFile / | ||
+ | |||
+ | # | ||
+ | # If the key is not combined with the certificate, | ||
+ | # | ||
+ | # | ||
+ | # both in parallel (to also allow the use of DSA ciphers, etc.) | ||
+ | # Tachtler | ||
+ | #default: # SSLCertificateKeyFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | # | ||
+ | # Point SSLCertificateChainFile at a file containing the | ||
+ | # | ||
+ | # | ||
+ | # the referenced file can be the same as SSLCertificateFile | ||
+ | # when the CA certificates are directly appended to the server | ||
+ | # | ||
+ | # Tachtler | ||
+ | #default: # | ||
+ | SSLCertificateChainFile / | ||
+ | |||
+ | # | ||
+ | # Set the CA certificate verification path where to find CA | ||
+ | # | ||
+ | # huge file containing all of them (file must be PEM encoded) | ||
+ | # Tachtler | ||
+ | #default: # | ||
+ | SSLCACertificateFile / | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Abschließend ist ein Neustart des Web-Servers, | ||
+ | < | ||
+ | # systemctl restart httpd.service | ||
+ | </ | ||
+ | |||
+ | ===== Generierung: | ||
+ | |||
+ | Durch nachfolgenden Befehl, wird die Erstellung eines | ||
+ | * **privaten Schlüssels** | ||
+ | * **Zertifikast-Requests** | ||
+ | * **Zertifikats** | ||
+ | und einer | ||
+ | * **einfachen Zertifikatskette** | ||
+ | * **vollständigen Zertifikatskette** | ||
+ | für die Verwendung mit einem Web-Server durchgeführt werden. | ||
+ | |||
+ | :!: **WICHTIG** - Während der Einrichtung und **Test**-Phase, | ||
+ | |||
+ | Deshalb sollte in der Konfigurationsdatei | ||
+ | * ''/ | ||
+ | nachfolgende Einstellung **erst geändert werden, wenn die Test-Phase erfolgreich abgeschlossen ist!** | ||
+ | * <code bash># Tachtler | ||
+ | # default: # | ||
+ | # | ||
+ | # Tachtler - TESTING without LIMITATION - IMPORTANT !!! | ||
+ | CA=" | ||
+ | |||
+ | < | ||
+ | # / | ||
+ | </ | ||
+ | |||
+ | Hier die Ausgaben, welche durch den Skript lauf erzeugt werden: | ||
+ | < | ||
+ | # / | ||
+ | # INFO: Using main config file / | ||
+ | Processing tachtler.net with alternative names: *.tachtler.net www.dokuwiki.tachtler.net | ||
+ | + Checking domain name(s) of existing cert... changed! | ||
+ | + Domain name(s) are not matching! | ||
+ | + Names in old certificate: | ||
+ | + Configured names: *.tachtler.net tachtler.net www.dokuwiki.tachtler.net | ||
+ | + Forcing renew. | ||
+ | + Checking expire date of existing cert... | ||
+ | + Valid till Oct 2 12:21:13 2018 GMT (Less than 90 days). Renewing! | ||
+ | + Signing domains... | ||
+ | + Generating signing request... | ||
+ | + Requesting new certificate order from CA... | ||
+ | + Received 3 authorizations URLs from the CA | ||
+ | + Handling authorization for tachtler.net | ||
+ | + Handling authorization for tachtler.net | ||
+ | + Handling authorization for www.dokuwiki.tachtler.net | ||
+ | + 3 pending challenge(s) | ||
+ | + Deploying challenge tokens... | ||
+ | |||
+ | Add the following to the zone definition of tachtler.net: | ||
+ | _acme-challenge.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | |||
+ | Add the following to the zone definition of tachtler.net: | ||
+ | _acme-challenge.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | |||
+ | Add the following to the zone definition of www.dokuwiki.tachtler.net: | ||
+ | _acme-challenge.www.dokuwiki.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | + Responding to challenge for tachtler.net authorization... | ||
+ | + Challenge is valid! | ||
+ | + Responding to challenge for tachtler.net authorization... | ||
+ | + Challenge is valid! | ||
+ | + Responding to challenge for www.dokuwiki.tachtler.net authorization... | ||
+ | + Challenge is valid! | ||
+ | + Cleaning challenge tokens... | ||
+ | |||
+ | Now you can remove the following from the zone definition of tachtler.net: | ||
+ | _acme-challenge.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | |||
+ | Now you can remove the following from the zone definition of tachtler.net: | ||
+ | _acme-challenge.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | |||
+ | Now you can remove the following from the zone definition of www.dokuwiki.tachtler.net: | ||
+ | _acme-challenge.www.dokuwiki.tachtler.net. 60 IN TXT " | ||
+ | |||
+ | Press enter to continue... | ||
+ | |||
+ | + Requesting certificate... | ||
+ | + Checking certificate... | ||
+ | + Done! | ||
+ | + Creating fullchain.pem... | ||
+ | + Done! | ||
+ | </ | ||
+ | |||
+ | ^ :!: **WICHTIG** :!: ^ | ||
+ | | **__Immer__** wenn während der **Ausführung des Skripts** nachfolgender Text erscheint: | ||
+ | |||
+ | Anschließend kann mit nachfolgendem Befehl überprüft werden, ob alle benötigten Komponenten, | ||
+ | * **privaten Schlüssels** | ||
+ | * **Zertifikast-Requests** | ||
+ | * **Zertifikat** | ||
+ | * **einfachen Zertifikatskette** | ||
+ | * **vollständigen Zertifikatskette** | ||
+ | erzeugt worden sind: | ||
+ | < | ||
+ | # ls -l / | ||
+ | / | ||
+ | total 24 | ||
+ | -rw------- 1 root root 1704 Aug 30 09:12 cert-1535613155.csr | ||
+ | -rw------- 1 root root 2508 Aug 30 09:12 cert-1535613155.pem | ||
+ | lrwxrwxrwx 1 root root 19 Aug 30 09:12 cert.csr -> cert-1535613155.csr | ||
+ | lrwxrwxrwx 1 root root 19 Aug 30 09:12 cert.pem -> cert-1535613155.pem | ||
+ | -rw------- 1 root root 1680 Aug 30 09:12 chain-1535613155.pem | ||
+ | lrwxrwxrwx 1 root root 20 Aug 30 09:12 chain.pem -> chain-1535613155.pem | ||
+ | -rw------- 1 root root 4188 Aug 30 09:12 fullchain-1535613155.pem | ||
+ | lrwxrwxrwx 1 root root 24 Aug 30 09:12 fullchain.pem -> fullchain-1535613155.pem | ||
+ | -rw------- 1 root root 3243 Aug 30 09:12 privkey-1535613155.pem | ||
+ | lrwxrwxrwx 1 root root 22 Aug 30 09:12 privkey.pem -> privkey-1535613155.pem | ||
+ | </ | ||
+ | |||
+ | :!: **HINWEIS** - Hier ist ebenfalls schön zu sehen, da jeweils **symbolische Links** erstellt wurden, was bei einer erneuten Generierung **__keine__** Konfiguration in den Web-Server Konfigurationsdateien nach sich zieht, da nur die symblischen Links angepasst werden! | ||
+ | |||
+ | ===== Generierung ===== | ||
+ | |||
+ | Wie auch bei der Generierung des Zertifikas gegen die [[https:// | ||
+ | |||
+ | :!: **WICHTIG** - Während der Einrichtung und **Test**-Phase, | ||
+ | |||
+ | Deshalb sollte in der Konfigurationsdatei | ||
+ | * ''/ | ||
+ | nachfolgende Einstellung **jetzt geändert werden, wenn die Test-Phase erfolgreich abgeschlossen ist!** | ||
+ | * <code bash># Tachtler | ||
+ | # default: # | ||
+ | CA=" | ||
+ | # Tachtler - TESTING without LIMITATION - IMPORTANT !!! | ||
+ | # | ||
+ | |||
+ | < | ||
+ | # / | ||
+ | </ | ||
+ | |||
+ | Nach dem ersten Versuch die Erstellung des Zertifikats durchzuführen, | ||
+ | < | ||
+ | # / | ||
+ | # INFO: Using main config file / | ||
+ | |||
+ | To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: https:// | ||
+ | |||
+ | To accept these terms of service run `/ | ||
+ | </ | ||
+ | |||
+ | Hier ist, wie angegeben die **Registrierung** und das Akzeptieren der **Bedingungen** von [[https:// | ||
+ | < | ||
+ | # / | ||
+ | </ | ||
tachtler/let_s_encrypt_-_wildcard_zertifikat.1535611939.txt.gz · Last modified: 2018/08/30 08:52 by klaus