... | @@ -82,6 +82,43 @@ server { |
... | @@ -82,6 +82,43 @@ server { |
|
|
|
|
|
# TLS / Let's Encrypt
|
|
# TLS / Let's Encrypt
|
|
|
|
|
|
|
|
Wir nutzen `acme_tiny` für Let's Encrypt. Zertifikate sind in `/etc/ssl/letsencrypt`. Dort gibt es auch ein `renew.sh` Script zum automatischen Erneuern der Domains, was man in die `crontab` packen kann.
|
|
|
|
|
|
|
|
## Zertifikat für Domain erstellen.
|
|
|
|
|
|
|
|
[Ausführliche Dokumentation auf GitHub](https://github.com/drdaeman/acme-tiny/blob/f995b09b67498ef6fc538867eeeb63643cba5702/README.md)
|
|
|
|
|
|
|
|
```
|
|
|
|
# cd /etc/ssl/letsencrypt
|
|
|
|
// Private Key für Domain erstellen (RSA)
|
|
|
|
# openssl genrsa 4096 > subdomain.bau-ha.us.key
|
|
|
|
|
|
|
|
// CSR Request erstellen
|
|
|
|
# openssl req -new -sha256 -key subdomain.bau-ha.us.key -subj "/CN=subdomain.bau-ha.us" > subdomain.bau-ha.us.csr
|
|
|
|
|
|
|
|
// mehrere Domains in einem Zertikat (www.meinedomain.de, meinedomain.de, foobar.meinedomain.de..)
|
|
|
|
# openssl req -new -sha256 -key subdomain.bau-ha.us.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:subdomain.bau-ha.us,DNS:www.subdomain.de")) > subdomain.bau-ha.us.csr
|
|
|
|
|
|
|
|
// Challenges Verzeichnis in nginx Konfiguration einbinden
|
|
|
|
// /etc/nginx/sites-available/subdomain.bau-ha.us
|
|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
server_name subdomain.bau-ha.us foobarbaz.subdomain.bau-ha.us;
|
|
|
|
|
|
|
|
location /.well-known/acme-challenge/ {
|
|
|
|
alias /var/www/challenges/;
|
|
|
|
try_files $uri =404;
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
return 301 https://$host$request_uri;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Zertifikat abholen
|
|
|
|
# acme_tiny --account-key ./account.key --csr ./subdomain.bau-ha.us.csr --acme-dir /var/www/challenges/ > ./subdomain.bau-ha.us.crt
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Datenbank
|
|
# Datenbank
|