Installing Let's Encrypt on Apache and Debian 10
Lately I have had to configure several Debian 10 servers with Apache and Let's Encrypt.
These are the steps I followed in the most recent installation.
Let's start by installing certbot:
# aptitude update
# aptitude install certbot
Now use openssl to generate the Diffie-Hellman (DH) parameters:
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
We can now move on to the SSL certificate:
# mkdir -p /var/lib/letsencrypt/.well-known
# chgrp www-data /var/lib/letsencrypt
# chmod g+s /var/lib/letsencrypt
Now create two configuration files.
The first is /etc/apache2/conf-available/letsencrypt.conf:
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
The second is /etc/apache2/conf-available/ssl-params.conf:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Enable these modules:
# a2enmod ssl
# a2enmod headers
# a2enmod http2
And these configurations:
# a2enconf letsencrypt
# a2enconf ssl-params
Reload the server:
# systemctl reload apache2
Then run certbot to obtain the certificate:
# certbot certonly --agree-tos --email admin@dominio.com --webroot -w /var/lib/letsencrypt/ -d dominio.com -d www.dominio.com
Finally, the Apache configuration for the site, /etc/apache2/sites-available/dominio.conf:
<VirtualHost *:80>
ServerName dominio.com
ServerAlias www.dominio.com
Redirect permanent / https://dominio.com/
</VirtualHost>
<VirtualHost *:443>
ServerName dominio.com
ServerAlias www.dominio.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.dominio.com'">
Redirect permanent / https://dominio.com/
</If>
DocumentRoot /var/www/dominio.com/public_html
ErrorLog ${APACHE_LOG_DIR}/dominio.com-error.log
CustomLog ${APACHE_LOG_DIR}/dominio.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/dominio.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dominio.com/privkey.pem
# Other Apache Configuration
</VirtualHost>
Restart Apache once more and try browsing the site.
Enjoy!
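Added example (not part of the original post): a POSIX shell check that can be run against /etc/apache2/conf-available/ssl-params.conf to confirm that legacy protocols are disabled, every cipher suite is an ECDHE/DHE AEAD suite, and HSTS is set. The function name audit_ssl_params, the one-year MIN_HSTS threshold and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an Apache TLS parameter file such as ssl-params.conf.
# Prints one FAIL line per finding; the return status is the number of findings.
MIN_HSTS=31536000   # assumption: require at least one year of HSTS

audit_ssl_params() {
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    active=$(grep -v '^[[:space:]]*#' "$1")   # ignore commented-out lines

    # Legacy protocols count as enabled unless explicitly removed with "-".
    proto=$(printf '%s\n' "$active" | awk 'tolower($1) == "sslprotocol" { $1 = ""; print tolower($0) }' | tail -n 1)
    [ -n "$proto" ] || fail "no SSLProtocol directive"
    for p in sslv3 tlsv1 tlsv1.1; do
        case " $proto " in
            *" -$p "*) ;;
            *" all "*|*" $p "*|*" +$p "*) fail "protocol $p is enabled" ;;
        esac
    done

    # Every suite must be an explicit ECDHE/DHE (forward secrecy) AEAD suite.
    ciphers=$(printf '%s\n' "$active" | awk 'tolower($1) == "sslciphersuite" { print $NF }' | tail -n 1)
    [ -n "$ciphers" ] || fail "no SSLCipherSuite directive"
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $c in
            ECDHE-*GCM*|ECDHE-*CHACHA20*|DHE-*GCM*|DHE-*CHACHA20*) ;;
            *) fail "cipher $c is not an ECDHE/DHE AEAD suite" ;;
        esac
    done

    # HSTS must be present with a sufficiently long max-age.
    age=$(printf '%s\n' "$active" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$age" ]; then fail "no Strict-Transport-Security header"
    elif [ "$age" -lt "$MIN_HSTS" ]; then fail "HSTS max-age $age is below $MIN_HSTS"; fi
    return "$findings"
}

# Constructed sample: a weakened variant of the ssl-params.conf shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
Header always set Strict-Transport-Security "max-age=300"
EOF
audit_ssl_params "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run against the ssl-params.conf from this post, the function prints nothing and returns 0.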