Let's Encrypt wildcard SSL certificates with the Cloudflare DNS challenge and dynamic Nginx vHosts (Debian 8 / Jessie)
Overview:
- certbot-auto
- dns-cloudflare plugin
- Cloudflare API
- nginx dynamic vhosts
Step 1 – Uninstall certbot
If the distribution package is installed, remove it first (certbot-auto brings its own copy):
sudo apt-get remove certbot
Step 2 – Install certbot-auto (https://certbot.eff.org/)
https://certbot.eff.org/lets-encrypt/debianjessie-nginx
cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Step 3 – Install the certbot plugin (certbot-dns-cloudflare)
Details: https://devops.stackexchange.com/questions/3757/how-to-install-certbot-plugins
Check the installed plugins:
./certbot-auto plugins
Change to the certbot-auto installation directory and install the plugin with pip inside its virtualenv:
cd /opt/eff.org/certbot/venv
source bin/activate
pip install certbot-dns-cloudflare
deactivate
Check the plugins again; dns-cloudflare should now be listed:
./certbot-auto plugins
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
....
* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Step 4 – Cloudflare API credentials
Details: https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare
Create a file containing the API key, e.g. /root/.secrets/cloudflare.ini:
dns_cloudflare_email = "youremail@example.com"
dns_cloudflare_api_key = "4jg3252352sfsdffghfjghfjg6252522352cbcab4"
Permissions (the key grants full control over the DNS zone, so only root may read it):
$ sudo chmod 0700 /root/.secrets/
$ sudo chmod 0400 /root/.secrets/cloudflare.ini
Step 5 – Create the certificate
cd /root
./certbot-auto certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d '*.example.com' --preferred-challenges dns-01
(The wildcard is quoted so the shell does not try to expand it as a glob.)
Step 6 – nginx vHosts (dynamic)
Directory structure for *.example.com, one document root per subdomain:
/var/www/example.com/subdomain/*/public
server {
    listen 80;
    #listen [::]:80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    # redundant with "listen 443 ssl"; the directive was removed in nginx 1.15+
    ssl on;
    #listen [::]:443 ssl spdy;
    # anchored regex with escaped dots: only exactly one label below example.com matches,
    # and the captured label (no dots, so no "..") becomes part of the document root
    server_name ~^(?<subdomain>[^.]+)\.example\.com$;
    # Letsencrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Cipher
    # TLSv1 and TLSv1.1 are deprecated; drop them if your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    # Document root, selected by the captured subdomain
    root /var/www/example.com/subdomain/$subdomain/public;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        # refuse to pass non-existent files to PHP-FPM (prevents PATH_INFO tricks)
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
}
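As an added pre-flight check (not part of the original post), the following POSIX shell script mirrors the nginx server_name regex to show which document root a given Host header maps to, verifies the credential file permissions from step 4, and checks that the issued certificate still covers *.example.com and is not about to expire. It assumes the paths used above and that GNU stat and openssl are installed.

```shell
#!/bin/sh
# Added pre-flight checks for the setup above (not from the original post).
# Assumes: GNU stat, openssl, and the paths used in steps 4 to 6.
SECRETS_FILE=/root/.secrets/cloudflare.ini
CERT=/etc/letsencrypt/live/example.com/fullchain.pem
WWW_ROOT=/var/www/example.com/subdomain

# Mirror of the nginx server_name regex ~^(?<subdomain>[^.]+)\.example\.com$ :
# print the document root nginx would use for a Host header, or fail if the
# name is not exactly one label below example.com.
vhost_root() {
    case "$1" in *.example.com) ;; *) return 1 ;; esac
    sub=${1%.example.com}
    case "$sub" in ''|*.*|*/*) return 1 ;; esac
    printf '%s/%s/public\n' "$WWW_ROOT" "$sub"
}

# The credentials file must stay root-only (step 4): anyone who can read the
# API key can change every DNS record in the Cloudflare account.
secrets_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "400" ]
}

# The issued cert must list the wildcard as a SAN and not expire within N days.
cert_covers_wildcard() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:\*\.example\.com'
}
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

run_checks() {
    secrets_mode_ok "$SECRETS_FILE" || echo "WARN: $SECRETS_FILE is not mode 0400"
    cert_covers_wildcard "$CERT"    || echo "WARN: $CERT has no *.example.com SAN"
    cert_valid_for_days "$CERT" 30  || echo "WARN: $CERT expires within 30 days; run ./certbot-auto renew"
    for host in www.example.com a.b.example.com example.com; do
        root=$(vhost_root "$host") && echo "$host -> $root" || echo "$host -> no vhost match"
    done
}
# run as: sh preflight.sh check
case "${1:-}" in check) run_checks ;; esac
```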