Letsencrypt Howto


This applies to Apache2 web servers running on Debian and Ubuntu.

Source: https://letsencrypt.org/getting-started/

Note: letsencrypt is docker-based.

The following commands are executed as root.

  • install git (necessary for downloading letsencrypt)
apt-get install git
  • optional: set proxy for https access to github:
export https_proxy=http://proxy:3128
  • download letsencrypt from github:
git clone https://github.com/letsencrypt/letsencrypt
  • set up the docker environment and display synopsis:
cd letsencrypt
./letsencrypt-auto --help
  • let letsencrypt modify the apache2 config (this will open an interactive menu allowing you to choose from various options as detailed below)
./letsencrypt-auto --apache
  • menu options
Which names would you like to activate HTTPS for?
  servername1.cactus.de  
  servername2.cactus.de  
  servername3.cactus.de  
Enter email address (used for urgent notices and lost key recovery)
  webmeister@cactus.de
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. 
You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory.
Please choose whether HTTPS access is required or optional.
  Easy    Allow both HTTP and HTTPS access to these sites
  Secure  Make all requests redirect to secure HTTPS access 
  • Full protocol
howto:/etc/apache2# aptitude install git
The following NEW packages will be installed:
  git git-man{a} liberror-perl{a} rsync{a} 
0 packages upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,030 kB of archives. After unpacking 26.5 MB will be used.
Do you want to continue? [Y/n/?] 
Get: 1 http://ftp.de.debian.org/debian/ jessie/main liberror-perl all 0.17-1.1 [22.4 kB]
Get: 2 http://ftp.de.debian.org/debian-security/ jessie/updates/main git-man all 1:2.1.4-2.1+deb8u2 [1,267 kB]
Get: 3 http://ftp.de.debian.org/debian-security/ jessie/updates/main git i386 1:2.1.4-2.1+deb8u2 [3,342 kB]
Get: 4 http://ftp.de.debian.org/debian/ jessie/main rsync i386 3.1.1-3 [399 kB]
Fetched 5,030 kB in 6s (748 kB/s)                                               
Selecting previously unselected package liberror-perl.
(Reading database ... 66486 files and directories currently installed.)
Preparing to unpack .../liberror-perl_0.17-1.1_all.deb ...
Unpacking liberror-perl (0.17-1.1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../git-man_1%3a2.1.4-2.1+deb8u2_all.deb ...
Unpacking git-man (1:2.1.4-2.1+deb8u2) ...
Selecting previously unselected package git.
Preparing to unpack .../git_1%3a2.1.4-2.1+deb8u2_i386.deb ...
Unpacking git (1:2.1.4-2.1+deb8u2) ...
Selecting previously unselected package rsync.
Preparing to unpack .../rsync_3.1.1-3_i386.deb ...
Unpacking rsync (3.1.1-3) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u3) ...
Setting up liberror-perl (0.17-1.1) ...
Setting up git-man (1:2.1.4-2.1+deb8u2) ...
Setting up git (1:2.1.4-2.1+deb8u2) ...
Setting up rsync (3.1.1-3) ...
Processing triggers for systemd (215-17+deb8u3) ...
howto:/etc/apache2# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 33273, done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 33273 (delta 13), reused 0 (delta 0), pack-reused 33242
Receiving objects: 100% (33273/33273), 8.73 MiB | 1.13 MiB/s, done.
Resolving deltas: 100% (23621/23621), done.
Checking connectivity... done.
howto:/usr/local/letsencrypt# ./letsencrypt-auto --help
Bootstrapping dependencies for Debian-based OSes...
Ign http://ftp.de.debian.org jessie InRelease
Hit http://ftp.de.debian.org jessie-updates InRelease
Hit http://ftp.de.debian.org jessie/updates InRelease
Hit http://ftp.de.debian.org jessie Release.gpg                            
Get:1 http://ftp.de.debian.org jessie-updates/main i386 Packages/DiffIndex [1,012 B]
Hit http://ftp.de.debian.org jessie-updates/contrib i386 Packages
Get:2 http://ftp.de.debian.org jessie-updates/non-free i386 Packages/DiffIndex [736 B]
Hit http://ftp.de.debian.org jessie-updates/contrib Translation-en
Get:3 http://ftp.de.debian.org jessie-updates/main Translation-en/DiffIndex [736 B]
Get:4 http://ftp.de.debian.org jessie-updates/non-free Translation-en/DiffIndex [736 B]
Hit http://ftp.de.debian.org jessie Release         
Hit http://ftp.de.debian.org jessie/updates/main i386 Packages
Hit http://ftp.de.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.de.debian.org jessie/updates/non-free i386 Packages      
Hit http://ftp.de.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.de.debian.org jessie/updates/main Translation-en
Hit http://ftp.de.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.de.debian.org jessie/main Sources
Hit http://ftp.de.debian.org jessie/contrib Sources               
Hit http://ftp.de.debian.org jessie/non-free Sources              
Hit http://ftp.de.debian.org jessie/main i386 Packages
Hit http://ftp.de.debian.org jessie/contrib i386 Packages
Hit http://ftp.de.debian.org jessie/non-free i386 Packages
Hit http://ftp.de.debian.org jessie/contrib Translation-en
Hit http://ftp.de.debian.org jessie/main Translation-en
Hit http://ftp.de.debian.org jessie/non-free Translation-en
Fetched 3,220 B in 5s (561 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version.
gcc is already the newest version.
python is already the newest version.
The following extra packages will be installed:
  dh-python libexpat1-dev libmpdec2 libpython-dev libpython2.7-dev libpython3-stdlib libpython3.4-minimal libpython3.4-stdlib python-chardet-whl
  python-colorama-whl python-distlib-whl python-html5lib-whl python-pip-whl python-requests-whl python-setuptools-whl python-six-whl python-urllib3-whl
  python2.7-dev python3 python3-minimal python3-pkg-resources python3-virtualenv python3.4 python3.4-minimal zlib1g-dev
Suggested packages:
  augeas-doc augeas-tools python3-doc python3-tk python3-venv python3-setuptools python3.4-venv python3.4-doc binfmt-support
Recommended packages:
  libssl-doc
The following NEW packages will be installed:
  augeas-lenses dh-python dialog libaugeas0 libexpat1-dev libffi-dev libmpdec2 libpython-dev libpython2.7-dev libpython3-stdlib libpython3.4-minimal
  libpython3.4-stdlib libssl-dev python-chardet-whl python-colorama-whl python-dev python-distlib-whl python-html5lib-whl python-pip-whl python-requests-whl
  python-setuptools-whl python-six-whl python-urllib3-whl python-virtualenv python2.7-dev python3 python3-minimal python3-pkg-resources python3-virtualenv
  python3.4 python3.4-minimal virtualenv zlib1g-dev
0 upgraded, 33 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.3 MB of archives.
After this operation, 57.5 MB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian/ jessie/main libmpdec2 i386 2.4.1-1 [82.6 kB]
Get:2 http://ftp.de.debian.org/debian/ jessie/main libexpat1-dev i386 2.1.0-6+deb8u1 [126 kB]
Get:3 http://ftp.de.debian.org/debian/ jessie/main libpython2.7-dev i386 2.7.9-2 [18.4 MB]
Get:4 http://ftp.de.debian.org/debian/ jessie/main libpython3.4-minimal i386 3.4.2-1 [492 kB]                                                                 
Get:5 http://ftp.de.debian.org/debian/ jessie/main libpython3.4-stdlib i386 3.4.2-1 [2,092 kB]                                                                
Get:6 http://ftp.de.debian.org/debian/ jessie/main python3.4-minimal i386 3.4.2-1 [1,641 kB]                                                                  
Get:7 http://ftp.de.debian.org/debian/ jessie/main augeas-lenses all 1.2.0-0.2+deb8u1 [335 kB]                                                                
Get:8 http://ftp.de.debian.org/debian/ jessie/main python3.4 i386 3.4.2-1 [204 kB]                                                                            
Get:9 http://ftp.de.debian.org/debian/ jessie/main python3-minimal i386 3.4.2-2 [34.4 kB]                                                                     
Get:10 http://ftp.de.debian.org/debian/ jessie/main libpython3-stdlib i386 3.4.2-2 [18.1 kB]                                                                  
Get:11 http://ftp.de.debian.org/debian/ jessie/main python3 i386 3.4.2-2 [21.1 kB]                                                                            
Get:12 http://ftp.de.debian.org/debian/ jessie/main dh-python all 1.20141111-2 [66.4 kB]                                                                      
Get:13 http://ftp.de.debian.org/debian/ jessie/main dialog i386 1.2-20140911-1 [264 kB]                                                                       
Get:14 http://ftp.de.debian.org/debian/ jessie/main libaugeas0 i386 1.2.0-0.2+deb8u1 [268 kB]                                                                 
Get:15 http://ftp.de.debian.org/debian/ jessie/main libffi-dev i386 3.1-2+b2 [156 kB]                                                                         
Get:16 http://ftp.de.debian.org/debian/ jessie/main libpython-dev i386 2.7.9-1 [19.6 kB]                                                                      
Get:17 http://ftp.de.debian.org/debian/ jessie/main zlib1g-dev i386 1:1.2.8.dfsg-2+b1 [205 kB]                                                                
Get:18 http://ftp.de.debian.org/debian-security/ jessie/updates/main libssl-dev i386 1.0.1k-3+deb8u4 [1,250 kB]                                               
Get:19 http://ftp.de.debian.org/debian/ jessie/main python3-pkg-resources all 5.5.1-1 [34.2 kB]                                                               
Get:20 http://ftp.de.debian.org/debian/ jessie/main python-chardet-whl all 2.3.0-1 [170 kB]                                                                   
Get:21 http://ftp.de.debian.org/debian/ jessie/main python-colorama-whl all 0.3.2-1 [20.2 kB]                                                                 
Get:22 http://ftp.de.debian.org/debian/ jessie/main python2.7-dev i386 2.7.9-2 [278 kB]                                                                       
Get:23 http://ftp.de.debian.org/debian/ jessie/main python-dev i386 2.7.9-1 [1,178 B]                                                                         
Get:24 http://ftp.de.debian.org/debian/ jessie/main python-distlib-whl all 0.1.9-1 [141 kB]                                                                   
Get:25 http://ftp.de.debian.org/debian/ jessie/main python-html5lib-whl all 0.999-3 [112 kB]                                                                  
Get:26 http://ftp.de.debian.org/debian/ jessie/main python-six-whl all 1.8.0-1 [14.8 kB]                                                                      
Get:27 http://ftp.de.debian.org/debian/ jessie/main python-urllib3-whl all 1.9.1-3 [76.8 kB]                                                                  
Get:28 http://ftp.de.debian.org/debian/ jessie/main python-requests-whl all 2.4.3-6 [241 kB]                                                                  
Get:29 http://ftp.de.debian.org/debian/ jessie/main python-setuptools-whl all 5.5.1-1 [233 kB]                                                                
Get:30 http://ftp.de.debian.org/debian/ jessie/main python-pip-whl all 1.5.6-5 [126 kB]                                                                       
Get:31 http://ftp.de.debian.org/debian/ jessie/main python-virtualenv all 1.11.6+ds-1 [61.2 kB]                                                               
Get:32 http://ftp.de.debian.org/debian/ jessie/main python3-virtualenv all 1.11.6+ds-1 [60.5 kB]                                                              
Get:33 http://ftp.de.debian.org/debian/ jessie/main virtualenv all 1.11.6+ds-1 [17.2 kB]                                                                      
Fetched 27.3 MB in 31s (868 kB/s)                                                                                                                             
Extracting templates from packages: 100%
Selecting previously unselected package libmpdec2:i386.
(Reading database ... 67290 files and directories currently installed.)
Preparing to unpack .../libmpdec2_2.4.1-1_i386.deb ...
Unpacking libmpdec2:i386 (2.4.1-1) ...
Selecting previously unselected package libexpat1-dev:i386.
Preparing to unpack .../libexpat1-dev_2.1.0-6+deb8u1_i386.deb ...
Unpacking libexpat1-dev:i386 (2.1.0-6+deb8u1) ...
Selecting previously unselected package libpython2.7-dev:i386.
Preparing to unpack .../libpython2.7-dev_2.7.9-2_i386.deb ...
Unpacking libpython2.7-dev:i386 (2.7.9-2) ...
Selecting previously unselected package libpython3.4-minimal:i386.
Preparing to unpack .../libpython3.4-minimal_3.4.2-1_i386.deb ...
Unpacking libpython3.4-minimal:i386 (3.4.2-1) ...
Selecting previously unselected package libpython3.4-stdlib:i386.
Preparing to unpack .../libpython3.4-stdlib_3.4.2-1_i386.deb ...
Unpacking libpython3.4-stdlib:i386 (3.4.2-1) ...
Selecting previously unselected package python3.4-minimal.
Preparing to unpack .../python3.4-minimal_3.4.2-1_i386.deb ...
Unpacking python3.4-minimal (3.4.2-1) ...
Selecting previously unselected package augeas-lenses.
Preparing to unpack .../augeas-lenses_1.2.0-0.2+deb8u1_all.deb ...
Unpacking augeas-lenses (1.2.0-0.2+deb8u1) ...
Selecting previously unselected package python3.4.
Preparing to unpack .../python3.4_3.4.2-1_i386.deb ...
Unpacking python3.4 (3.4.2-1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../python3-minimal_3.4.2-2_i386.deb ...
Unpacking python3-minimal (3.4.2-2) ...
Selecting previously unselected package libpython3-stdlib:i386.
Preparing to unpack .../libpython3-stdlib_3.4.2-2_i386.deb ...
Unpacking libpython3-stdlib:i386 (3.4.2-2) ...
Selecting previously unselected package python3.
Preparing to unpack .../python3_3.4.2-2_i386.deb ...
Unpacking python3 (3.4.2-2) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../dh-python_1.20141111-2_all.deb ...
Unpacking dh-python (1.20141111-2) ...
Selecting previously unselected package dialog.
Preparing to unpack .../dialog_1.2-20140911-1_i386.deb ...
Unpacking dialog (1.2-20140911-1) ...
Selecting previously unselected package libaugeas0.
Preparing to unpack .../libaugeas0_1.2.0-0.2+deb8u1_i386.deb ...
Unpacking libaugeas0 (1.2.0-0.2+deb8u1) ...
Selecting previously unselected package libffi-dev:i386.
Preparing to unpack .../libffi-dev_3.1-2+b2_i386.deb ...
Unpacking libffi-dev:i386 (3.1-2+b2) ...
Selecting previously unselected package libpython-dev:i386.
Preparing to unpack .../libpython-dev_2.7.9-1_i386.deb ...
Unpacking libpython-dev:i386 (2.7.9-1) ...
Selecting previously unselected package zlib1g-dev:i386.
Preparing to unpack .../zlib1g-dev_1%3a1.2.8.dfsg-2+b1_i386.deb ...
Unpacking zlib1g-dev:i386 (1:1.2.8.dfsg-2+b1) ...
Selecting previously unselected package libssl-dev:i386.
Preparing to unpack .../libssl-dev_1.0.1k-3+deb8u4_i386.deb ...
Unpacking libssl-dev:i386 (1.0.1k-3+deb8u4) ...
Selecting previously unselected package python3-pkg-resources.
Preparing to unpack .../python3-pkg-resources_5.5.1-1_all.deb ...
Unpacking python3-pkg-resources (5.5.1-1) ...
Selecting previously unselected package python-chardet-whl.
Preparing to unpack .../python-chardet-whl_2.3.0-1_all.deb ...
Unpacking python-chardet-whl (2.3.0-1) ...
Selecting previously unselected package python-colorama-whl.
Preparing to unpack .../python-colorama-whl_0.3.2-1_all.deb ...
Unpacking python-colorama-whl (0.3.2-1) ...
Selecting previously unselected package python2.7-dev.
Preparing to unpack .../python2.7-dev_2.7.9-2_i386.deb ...
Unpacking python2.7-dev (2.7.9-2) ...
Selecting previously unselected package python-dev.
Preparing to unpack .../python-dev_2.7.9-1_i386.deb ...
Unpacking python-dev (2.7.9-1) ...
Selecting previously unselected package python-distlib-whl.
Preparing to unpack .../python-distlib-whl_0.1.9-1_all.deb ...
Unpacking python-distlib-whl (0.1.9-1) ...
Selecting previously unselected package python-html5lib-whl.
Preparing to unpack .../python-html5lib-whl_0.999-3_all.deb ...
Unpacking python-html5lib-whl (0.999-3) ...
Selecting previously unselected package python-six-whl.
Preparing to unpack .../python-six-whl_1.8.0-1_all.deb ...
Unpacking python-six-whl (1.8.0-1) ...
Selecting previously unselected package python-urllib3-whl.
Preparing to unpack .../python-urllib3-whl_1.9.1-3_all.deb ...
Unpacking python-urllib3-whl (1.9.1-3) ...
Selecting previously unselected package python-requests-whl.
Preparing to unpack .../python-requests-whl_2.4.3-6_all.deb ...
Unpacking python-requests-whl (2.4.3-6) ...
Selecting previously unselected package python-setuptools-whl.
Preparing to unpack .../python-setuptools-whl_5.5.1-1_all.deb ...
Unpacking python-setuptools-whl (5.5.1-1) ...
Selecting previously unselected package python-pip-whl.
Preparing to unpack .../python-pip-whl_1.5.6-5_all.deb ...
Unpacking python-pip-whl (1.5.6-5) ...
Selecting previously unselected package python-virtualenv.
Preparing to unpack .../python-virtualenv_1.11.6+ds-1_all.deb ...
Unpacking python-virtualenv (1.11.6+ds-1) ...
Selecting previously unselected package python3-virtualenv.
Preparing to unpack .../python3-virtualenv_1.11.6+ds-1_all.deb ...
Unpacking python3-virtualenv (1.11.6+ds-1) ...
Selecting previously unselected package virtualenv.
Preparing to unpack .../virtualenv_1.11.6+ds-1_all.deb ...
Unpacking virtualenv (1.11.6+ds-1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for mime-support (3.58) ...
Processing triggers for install-info (5.2.0.dfsg.1-6) ...
Setting up libmpdec2:i386 (2.4.1-1) ...
Setting up libexpat1-dev:i386 (2.1.0-6+deb8u1) ...
Setting up libpython2.7-dev:i386 (2.7.9-2) ...
Setting up libpython3.4-minimal:i386 (3.4.2-1) ...
Setting up libpython3.4-stdlib:i386 (3.4.2-1) ...
Setting up python3.4-minimal (3.4.2-1) ...
Setting up augeas-lenses (1.2.0-0.2+deb8u1) ...
Setting up python3.4 (3.4.2-1) ...
Setting up python3-minimal (3.4.2-2) ...
Setting up libpython3-stdlib:i386 (3.4.2-2) ...
Setting up dialog (1.2-20140911-1) ...
Setting up libaugeas0 (1.2.0-0.2+deb8u1) ...
Setting up libffi-dev:i386 (3.1-2+b2) ...
Setting up libpython-dev:i386 (2.7.9-1) ...
Setting up zlib1g-dev:i386 (1:1.2.8.dfsg-2+b1) ...
Setting up libssl-dev:i386 (1.0.1k-3+deb8u4) ...
Setting up python-colorama-whl (0.3.2-1) ...
Setting up python2.7-dev (2.7.9-2) ...
Setting up python-dev (2.7.9-1) ...
Setting up python-distlib-whl (0.1.9-1) ...
Setting up python-html5lib-whl (0.999-3) ...
Setting up python-six-whl (1.8.0-1) ...
Setting up python-urllib3-whl (1.9.1-3) ...
Setting up python-requests-whl (2.4.3-6) ...
Setting up python-setuptools-whl (5.5.1-1) ...
Setting up python3 (3.4.2-2) ...
running python rtupdate hooks for python3.4...
running python post-rtupdate hooks for python3.4...
Setting up dh-python (1.20141111-2) ...
Setting up python3-pkg-resources (5.5.1-1) ...
Setting up python-chardet-whl (2.3.0-1) ...
Setting up python-pip-whl (1.5.6-5) ...
Setting up python-virtualenv (1.11.6+ds-1) ...
Setting up python3-virtualenv (1.11.6+ds-1) ...
Setting up virtualenv (1.11.6+ds-1) ...
Processing triggers for libc-bin (2.19-18+deb8u3) ...
Checking for new version...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt --help

  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)

howto:/usr/local/letsencrypt#
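
Added example (not part of the original howto or of the letsencrypt project): a shell check for the Easy/Secure choice in the menu options above. It reads Apache vhost configuration and reports, for each port-80 virtual host, whether plain HTTP is redirected to HTTPS. The sample configuration is constructed, and the directive matching is a heuristic that assumes the redirect is written with mod_alias or mod_rewrite directly inside the vhost.

```shell
#!/bin/sh
# Audit Apache vhost config: for every port-80 <VirtualHost>, report whether
# plain-HTTP requests are redirected to HTTPS ("secure") or served ("easy").
# Heuristic: any Redirect*/RewriteRule with an https:// target counts as a redirect.

# audit_http_vhosts [FILE...]  (reads stdin when no file is given)
# Prints one line per port-80 vhost: "<servername> secure|easy"
audit_http_vhosts() {
    awk '
        # Apache directive names are case-insensitive, so match on a lower-cased copy.
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }                          # commented-out directives do not count
        low ~ /^<virtualhost[ \t]/ {
            in_vhost = 1; name = "(no ServerName)"; redirect = 0
            http = (low ~ /:80[ \t>]/)               # listens on port 80 (not 8080)
            next
        }
        in_vhost && low ~ /^servername[ \t]/ { split(line, f, /[ \t]+/); name = f[2] }
        in_vhost && low ~ /^(redirect|redirectpermanent|redirectmatch|rewriterule)[ \t].*https:\/\// {
            redirect = 1
        }
        low ~ /^<\/virtualhost>/ {
            if (in_vhost && http) print name, (redirect ? "secure" : "easy")
            in_vhost = 0
        }
    ' "$@"
}

# Constructed sample configuration (not taken from a real server); the host
# names are the ones shown in the menu above, the address is a documentation IP.
sample_config() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName servername1.cactus.de
    DocumentRoot /var/www/site1
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =servername1.cactus.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName servername2.cactus.de
    DocumentRoot /var/www/site2
    # Redirect permanent / https://servername2.cactus.de/
</VirtualHost>
<VirtualHost *:443>
    ServerName servername1.cactus.de
    SSLEngine on
</VirtualHost>
<virtualhost 192.0.2.10:80>
    servername servername3.cactus.de
    Redirect permanent / https://servername3.cactus.de/
</virtualhost>
EOF
}

# On a Debian/Ubuntu server: cat /etc/apache2/sites-enabled/*.conf | audit_http_vhosts
sample_config | audit_http_vhosts
```

Any name reported as "easy" still answers over unencrypted HTTP, so cookies and credentials sent to it can travel in clear text.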