Apache + HTTPS on FreeBSD 11.0

Published by Igor - Sat, 06/17/2017 - 19:18

A condensed set of commands for obtaining and configuring the certificates a website needs to work correctly over HTTPS. Operating system: FreeBSD 11; web server: Apache 2.4.

With the arrival of the Let's Encrypt service, using the secure HTTPS protocol has become free, simple and widely available. To obtain certificates for an Apache server on FreeBSD 11 you need just two commands, package installation included, and have to answer a handful of prompts.

So, first find the package name:

root@bsd # pkg search certbot
py27-certbot-0.12.0,1          Let's Encrypt client
root@bsd #

The first command: install the package:

root@bsd # pkg install py27-certbot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 30 package(s) will be affected (of 0 checked):
 
New packages to be INSTALLED:
        py27-certbot: 0.12.0,1
        py27-psutil: 5.2.1
        py27-openssl: 16.2.0
        py27-cryptography: 1.7.2
 
... ... ...
 
Message from py27-certbot-0.12.0,1:
=========================================================================
 
This port installs the "standalone" Python client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
 
To obtain certificates, use the 'certonly' command as follows:
 
 # sudo certbot certonly --standalone -d [server FQDN]
 
Note: The client currently requires the ability to bind on TCP port 80. If
you have a server running on this port, it will need to be temporarily stopped
so that the standalone server can listen on that port to complete
authentication.
 
The certbot plugins to support apache and nginx certificate installation
will be made available soon in the following ports:
 
 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx
 
=========================================================================
root@bsd #

Once the package is installed, stop the web server (the standalone authenticator has to bind the port itself) and run the second command. Note that the transcript below dates from 2017: it uses the tls-sni-01 challenge and the acme-v01 endpoint, both of which Let's Encrypt has since retired; current certbot releases validate with http-01 on port 80 against the v2 API, and the prompts are otherwise the same.

root@bsd # certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):admin@example.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
 
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
 
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):example.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /usr/local/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /usr/local/etc/letsencrypt/csr/0000_csr-certbot.pem
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2017-09-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
 
root@bsd #

All that is left is to point the two certificate directives in the HTTPS server configuration at the files certbot maintains and start the server. Use the symlinks under live/<domain>/ for both the certificate chain and the private key: certbot renew repoints them to the new files, whereas the numbered keys/0000_key-certbot.pem file printed in the transcript above is never updated, so referencing it would make Apache's next restart after a renewal fail with a certificate/key mismatch.

root@bsd # grep "^SSLCert" /usr/local/etc/apache24/extra/httpd-ssl.conf
SSLCertificateFile "/usr/local/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/example.com/privkey.pem"
root@bsd #

That's it - enjoy the result! If HTTPS does not come up, check that the LoadModule ssl_module line and the Include of extra/httpd-ssl.conf in httpd.conf are uncommented (both are commented out in the stock FreeBSD apache24 configuration) and run apachectl configtest before restarting. Keep in mind that the certificate expires after 90 days (see the date in the certbot output above), so renewal has to be scheduled, and with the standalone authenticator it needs port 80 free while the challenge runs.
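The following script is an added example and not part of the original post or of certbot: it lints the Apache SSL config for the stale-key mistake described above, confirms that the key on disk actually belongs to the certificate, and wraps certbot renew with hooks that stop and start Apache so the standalone authenticator can take port 80. It assumes the FreeBSD port defaults seen in the transcript (state in /usr/local/etc/letsencrypt, rc service apache24, httpd-ssl.conf under /usr/local/etc/apache24/extra) and uses example.com as a placeholder domain.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks and renewal for a
# certbot "standalone" certificate used by Apache 2.4 on FreeBSD.
# Assumptions: certbot keeps its state in /usr/local/etc/letsencrypt (the
# FreeBSD port default shown in the transcript), the rc service is apache24,
# and "example.com" stands in for the real domain.

LE_DIR="${LE_DIR:-/usr/local/etc/letsencrypt}"
APACHE_SVC="${APACHE_SVC:-apache24}"

# Paths Apache should reference: certbot repoints the live/ symlinks on every
# renewal, while the numbered keys/NNNN_key-certbot.pem files are frozen.
le_cert_path() { printf '%s/live/%s/fullchain.pem\n' "$LE_DIR" "$1"; }
le_key_path()  { printf '%s/live/%s/privkey.pem\n'   "$LE_DIR" "$1"; }

# First value of an Apache directive in a config file, surrounding quotes removed.
# awk splits on whitespace, so indented directives inside <VirtualHost> match too,
# and a commented-out "#SSLCertificateFile" does not.
conf_value() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if SSLCertificateFile and SSLCertificateKeyFile both point into
# the same live/<domain>/ directory; otherwise explain why renewal would break.
check_ssl_conf() {
    cert=$(conf_value "$1" SSLCertificateFile)
    key=$(conf_value "$1" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "$1: SSLCertificateFile or SSLCertificateKeyFile is missing" >&2
        return 1
    fi
    case "$key" in
        */live/*/privkey.pem) ;;
        *) echo "$1: key $key is not the live/ symlink; certbot renew would leave Apache with a stale key" >&2
           return 1 ;;
    esac
    if [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
        echo "$1: certificate and key come from different directories" >&2
        return 1
    fi
    return 0
}

# Confirm the key on disk belongs to the certificate by comparing the RSA
# modulus of each (the transcript shows certbot generating a 2048-bit RSA key).
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# "standalone" must bind TCP/80 itself, so Apache is stopped for the duration of
# the challenge and started again afterwards. certbot only renews certificates
# that are within 30 days of expiry, so this is safe to run daily from root's
# crontab; pass "dry" to rehearse against the staging CA without touching the
# live certificates.
renew_with_hooks() {
    certbot renew ${1:+--dry-run} \
        --pre-hook  "service $APACHE_SVC stop" \
        --post-hook "service $APACHE_SVC start"
}

# Usage: sh le-check.sh example.com [path/to/httpd-ssl.conf]
if [ -n "${1:-}" ]; then
    check_ssl_conf "${2:-/usr/local/etc/apache24/extra/httpd-ssl.conf}" \
        && cert_key_match "$(le_cert_path "$1")" "$(le_key_path "$1")" \
        && echo "OK: Apache config, certificate and key for $1 are consistent"
fi
```

Run it once after editing httpd-ssl.conf and again after the first renew_with_hooks dry: the config lint fails loudly on the numbered keys/ path, and cert_key_match catches the case where the symlink was fixed but Apache was never restarted against the new pair.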
