Apache + HTTPS on FreeBSD 11.0

Published by Igor - Sat, 06/17/2017 - 19:18

A condensed set of commands for obtaining and configuring the certificates needed to serve a website correctly over HTTPS. Operating system: FreeBSD 11; web server: Apache 24.

With the arrival of the Let's Encrypt service, using the secure HTTPS protocol has become free, simple and accessible. To obtain certificates for an Apache server on FreeBSD 11, including installing the package, you need to enter just two commands and answer three questions.

So, first find the package name:

root@bsd # pkg search certbot
py27-certbot-0.12.0,1          Let's Encrypt client
root@bsd #

First command: install the package:

root@bsd # pkg install py27-certbot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 30 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py27-certbot: 0.12.0,1
        py27-psutil: 5.2.1
        py27-openssl: 16.2.0
        py27-cryptography: 1.7.2
...
...
...
Message from py27-certbot-0.12.0,1:
=========================================================================
This port installs the "standalone" Python client only, which does not
use and is not the certbot-auto bootstrap/wrapper script.

To obtain certificates, use the 'certonly' command as follows:

  # sudo certbot certonly --standalone -d [server FQDN]

Note: The client currently requires the ability to bind on TCP port 80.
If you have a server running on this port, it will need to be temporarily
stopped so that the standalone server can listen on that port to complete
authentication.

The certbot plugins to support apache and nginx certificate installation
will be made available soon in the following ports:

  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx
=========================================================================
root@bsd #

After installing the package, stop the web server and run the second command:

root@bsd # certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):admin@example.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):example.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /usr/local/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /usr/local/etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-09-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup
   of this folder now. This configuration directory will also contain
   certificates and private keys obtained by Certbot so making regular
   backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@bsd #

All that remains is to add two lines to the HTTPS server configuration file and start it:

root@bsd # cat /usr/local/etc/apache24/extra/httpd-ssl.conf | grep "^SSLCert"
SSLCertificateFile "/usr/local/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/keys/0000_key-certbot.pem"
root@bsd #
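As an added example (not part of the original post), a small POSIX sh script that checks the two SSLCert* directives above before Apache is started and wraps "certbot renew" so the standalone authenticator can bind port 80. It deliberately rejects the keys/0000_key-certbot.pem path shown above: "certbot renew" generates a new numbered key file and only the live/<domain>/privkey.pem symlink follows it, so a config pinned to 0000_key-certbot.pem stops matching fullchain.pem after the first renewal. The FreeBSD rc service name apache24, certbot's --pre-hook/--post-hook options and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: rc service name
# "apache24", certbot's --pre-hook/--post-hook options, function names below.

APACHE_SSL_CONF="${APACHE_SSL_CONF:-/usr/local/etc/apache24/extra/httpd-ssl.conf}"

# Value of the first uncommented directive "$2" in config file "$1",
# surrounding quotes stripped (paths containing spaces are not handled).
ssl_directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Returns 0 when the config names live/<domain>/fullchain.pem and
# live/<domain>/privkey.pem, 1 (with a reason on stderr) otherwise.
# keys/NNNN_key-certbot.pem is a one-off snapshot that "certbot renew"
# does not update; the live/ symlinks always point at the current pair.
check_ssl_conf() {
    cert=$(ssl_directive "$1" SSLCertificateFile)
    key=$(ssl_directive "$1" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "missing SSLCertificateFile/SSLCertificateKeyFile in $1" >&2
        return 1
    fi
    case "$cert" in
        */live/*/fullchain.pem) ;;
        *) echo "SSLCertificateFile should be live/<domain>/fullchain.pem: $cert" >&2; return 1 ;;
    esac
    case "$key" in
        */live/*/privkey.pem) ;;
        *) echo "SSLCertificateKeyFile should be live/<domain>/privkey.pem: $key" >&2; return 1 ;;
    esac
    return 0
}

# Both files must exist and be readable before Apache is started.
check_cert_files() {
    [ -r "$1" ] && [ -r "$2" ]
}

# Renew with Apache stopped: the standalone authenticator must bind TCP port 80
# (see the pkg message). The renewal config remembers the standalone choice;
# the hooks run around the renewal attempt, so Apache is back up afterwards.
renew_with_apache_down() {
    certbot renew \
        --pre-hook "service apache24 stop" \
        --post-hook "service apache24 start"
}

case "${1:-}" in
    check) check_ssl_conf "$APACHE_SSL_CONF" ;;
    renew) renew_with_apache_down ;;
esac
```

Run it as "sh check-ssl.sh check" before starting Apache, and "sh check-ssl.sh renew" from a periodic/cron job once the certificate is installed.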

That's ALL - enjoy the result!