Installing Let's Encrypt on Apache and Debian 10

Lately I have had to set up several Debian 10 servers with Apache and Let's Encrypt.

These are the steps I followed in the most recent installation.

Start by installing certbot:

# aptitude update
# aptitude install certbot

Now use openssl to generate Diffie-Hellman (DH) parameters:

# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, prepare the webroot directory that certbot will use for the ACME challenge:

# mkdir -p /var/lib/letsencrypt/.well-known
# chgrp www-data /var/lib/letsencrypt
# chmod g+s /var/lib/letsencrypt

Now create two configuration files.

The first one, /etc/apache2/conf-available/letsencrypt.conf:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

The second one, /etc/apache2/conf-available/ssl-params.conf:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Enable these modules:

# a2enmod ssl
# a2enmod headers
# a2enmod http2

And these configurations:

# a2enconf letsencrypt
# a2enconf ssl-params

Restart the server:

# systemctl reload apache2

Then run certbot to obtain the certificate:

# certbot certonly --agree-tos --email admin@dominio.com --webroot -w /var/lib/letsencrypt/ -d dominio.com -d www.dominio.com

Finally, the Apache configuration for the site, /etc/apache2/sites-available/dominio.conf:

<VirtualHost *:80>
  ServerName dominio.com
  ServerAlias www.dominio.com

  Redirect permanent / https://dominio.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName dominio.com
  ServerAlias www.dominio.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.dominio.com'">
    Redirect permanent / https://dominio.com/
  </If>

  DocumentRoot /var/www/dominio.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/dominio.com-error.log
  CustomLog ${APACHE_LOG_DIR}/dominio.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/dominio.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/dominio.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>

Restart Apache again and try browsing to the site.
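As an added example (not part of the original post), here is a small POSIX shell script that sanity-checks the three files written above before the final restart. It verifies that the Alias in letsencrypt.conf points at the same directory certbot's `-w` webroot resolves to (a mismatch makes every HTTP-01 validation return 404), that ssl-params.conf keeps the hardening directives the guide sets, and that the vhost serves fullchain.pem rather than cert.pem. The sample configuration files are constructed copies of the guide's own, and dominio.com and all paths are the guide's placeholders:

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# three Apache files written in this guide. The sample configs below are
# constructed copies; dominio.com and the paths are the guide's placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEBROOT=/var/lib/letsencrypt   # the -w value passed to certbot in the guide

# Constructed copy of conf-available/letsencrypt.conf
cat > "$WORK/letsencrypt.conf" <<'EOF'
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Require method GET POST OPTIONS
</Directory>
EOF

# Constructed copy of conf-available/ssl-params.conf (hardened, as in the guide)
cat > "$WORK/ssl-params-good.conf" <<'EOF'
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLSessionTickets       off
SSLUseStapling On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
EOF

# Constructed weak variant: TLS 1.0/1.1 still enabled, tickets on, no HSTS
cat > "$WORK/ssl-params-bad.conf" <<'EOF'
SSLProtocol             all -SSLv3
SSLSessionTickets       on
SSLUseStapling On
EOF

# Constructed TLS vhost from sites-available/dominio.conf (relevant lines only)
cat > "$WORK/dominio.conf" <<'EOF'
<VirtualHost *:443>
  ServerName dominio.com
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/dominio.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/dominio.com/privkey.pem
</VirtualHost>
EOF

# check_acme_alias CONF WEBROOT
# certbot --webroot drops its tokens in WEBROOT/.well-known/acme-challenge/,
# so the Alias target in letsencrypt.conf must point at exactly that directory
# or every HTTP-01 validation will get a 404.
check_acme_alias() {
    target=$(sed -n 's|^Alias /\.well-known/acme-challenge/ *"\{0,1\}\([^" ]*\)"\{0,1\}.*|\1|p' "$1")
    [ -n "$target" ] || { echo "no acme-challenge Alias found"; return 1; }
    expected="${2%/}/.well-known/acme-challenge"
    [ "${target%/}" = "$expected" ] || { echo "Alias target $target != $expected"; return 1; }
}

# check_ssl_params CONF
# Returns 0 only if every hardening directive the guide sets is present.
check_ssl_params() {
    f=$1
    grep -Eq '^SSLProtocol[[:space:]].*-SSLv3'                "$f" || { echo "SSLv3 not disabled"; return 1; }
    grep -Eq '^SSLProtocol[[:space:]].*-TLSv1([[:space:]]|$)' "$f" || { echo "TLSv1 not disabled"; return 1; }
    grep -Eq '^SSLProtocol[[:space:]].*-TLSv1\.1'             "$f" || { echo "TLSv1.1 not disabled"; return 1; }
    grep -Eiq '^SSLSessionTickets[[:space:]]+off'             "$f" || { echo "session tickets not off"; return 1; }
    grep -Eiq '^SSLUseStapling[[:space:]]+on'                 "$f" || { echo "OCSP stapling not on"; return 1; }
    grep -Eq '^Header always set Strict-Transport-Security "max-age=[0-9]+' "$f" \
        || { echo "HSTS header missing"; return 1; }
}

# check_vhost CONF
# The TLS vhost must serve fullchain.pem (leaf + intermediate); pointing it at
# cert.pem alone leaves clients that do not fetch intermediates themselves
# unable to build the chain.
check_vhost() {
    f=$1
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" || { echo "SSLEngine not on"; return 1; }
    grep -Eq  '^[[:space:]]*SSLCertificateFile[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem' "$f" \
        || { echo "SSLCertificateFile is not fullchain.pem"; return 1; }
    grep -Eq  '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem' "$f" \
        || { echo "SSLCertificateKeyFile is not privkey.pem"; return 1; }
}

# Run the checks against the constructed files (real use: pass the live paths)
for f in "$WORK/ssl-params-good.conf" "$WORK/ssl-params-bad.conf"; do
    if check_ssl_params "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
check_acme_alias "$WORK/letsencrypt.conf" "$WEBROOT" && echo "PASS acme alias"
check_vhost "$WORK/dominio.conf" && echo "PASS vhost"
```

On a real server, call the three functions with the paths under /etc/apache2 and the same `-w` value you give certbot; each function prints the first failing directive and returns non-zero, so the script can sit in front of `systemctl reload apache2` in a deployment step.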

Enjoy!
