====== Letsencrypt sur hackstub ======


===== Objectif =====

https://hackstub.netlib.re/ n'est pas accessible

Ref: https://www.sysnove.fr/blog/2016/03/utilisation-pratique-letsencrypt-acme-tiny.html

===== Situation =====

On a déjà des sites en letsencrypt sur ce serveur. On ne fait qu'en rajouter un (des étapes vont sauter).

<code>root@web:/home/jmlibs# ll /etc/letsencrypt/
total 32
drw-r--r-x  6 root        ssl-cert 4096 Mar 28 22:22 ./
drwxr-xr-x 92 root        root     4096 May 14 20:44 ../
-rw-r--r--  1 root        root     1647 Jul 14  2017 intermediate.pem
-r--------  1 letsencrypt root     3247 Jul 11  2017 letsencrypt.key
drwxr-xr-x  2 letsencrypt root     4096 May 25 01:00 netlib.re/
drwxr-xr-x  2 letsencrypt root     4096 May 25 01:00 shaarli.arn-fai.net/
drwxr-xr-x  2 letsencrypt root     4096 Mar 28 22:57 vps.arn-fai.net/
drwxr-xr-x  2 letsencrypt root     4096 May 11 01:00 www.arn-fai.net/

/etc/cron.d/letsencrypt
0 1 11,25 * * letsencrypt /usr/local/bin/letsencrypt-auto-renew.sh</code>


===== Mise en place =====

<code>root@web:/home/jmlibs# mkdir /etc/letsencrypt/hackstub.netlib.re
root@web:/home/jmlibs# cd /etc/letsencrypt/hackstub.netlib.re
root@web:/etc/letsencrypt/hackstub.netlib.re# openssl genrsa -out hackstub.netlib.re.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................++++
.....++++
e is 65537 (0x010001)

root@web:/etc/letsencrypt/hackstub.netlib.re# openssl req -new -sha256 -key hackstub.netlib.re.key -subj "/CN=hackstub.netlib.re" -out hackstub.netlib.re.csr
root@web:/etc/letsencrypt# chown -R letsencrypt hackstub.netlib.re/

root@web:/etc/letsencrypt# chown root hackstub.netlib.re/*
root@web:/etc/letsencrypt# ll hackstub.netlib.re/
total 16
drwxr-xr-x 2 letsencrypt root     4096 Jun  8 00:19 ./
drw-r--r-x 7 root        ssl-cert 4096 Jun  8 00:14 ../
-rw-r--r-- 1 root        root     1598 Jun  8 00:19 hackstub.netlib.re.csr
-rw------- 1 root        root     3243 Jun  8 00:17 hackstub.netlib.re.key</code>

<code>root@web:/etc/letsencrypt# python /usr/local/bin/acme_tiny.py --account-key /etc/letsencrypt/letsencrypt.key --csr /etc/letsencrypt/hackstub.netlib.re/hackstub.netlib.re.csr --acme-dir /var/www/acme-challenges/ > /etc/letsencrypt/hackstub.netlib.re/hackstub.netlib.re.crt
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying hackstub.netlib.re...
hackstub.netlib.re verified!
Signing certificate...
Certificate signed!

root@web:/etc/letsencrypt# chown letsencrypt /etc/letsencrypt/hackstub.netlib.re/hackstub.netlib.re.crt
root@web:/etc/letsencrypt# ll /etc/letsencrypt/hackstub.netlib.re/
total 20
drwxr-xr-x 2 letsencrypt root     4096 Jun  8 00:32 ./
drw-r--r-x 7 root        ssl-cert 4096 Jun  8 00:14 ../
-rw-r--r-- 1 letsencrypt root     2269 Jun  8 00:32 hackstub.netlib.re.crt
-rw-r--r-- 1 root        root     1598 Jun  8 00:19 hackstub.netlib.re.csr
-rw------- 1 root        root     3243 Jun  8 00:17 hackstub.netlib.re.key

root@web:/etc/letsencrypt# cat hackstub.netlib.re/hackstub.netlib.re.crt intermediate.pem > hackstub.netlib.re/hackstub.netlib.re.crt+chain</code>

<code>root@web:/etc/letsencrypt# vi /etc/apache2/sites-enabled/hackstub.netlib.re.conf</code>
(décommenter la section ssl)

<code>root@web:/etc/letsencrypt# apachectl restart</code>

Et c'est bon, https://hackstub.netlib.re/ est accessible