Securing connections with OpenSSL/LibreSSL

OpenSSL appears to be deprecated in favour of LibreSSL. It is still in circulation to this day, however (Dec. 2015).

Installation

Just install the package of the same name, or build the port if needed.

> dakota ~ % sudo pkg install openssl

> dakota /usr/ports/security/openssl % sudo make install clean

Creating self-signed certificates

The procedure for setting up a local CA and creating self-signed server/client certificates is well described in the FreeBSD Handbook, in the chapter on setting up an OpenLDAP server "over TLS".

Creating CACert.org & Gandi.net certificates

Let's start by generating the private key and the (public) certificate signing request:

root@dakota:~ # openssl req -nodes -newkey rsa:2048 -sha256 -keyout fr-salin.eu.key -out fr-salin.eu.csr
Generating a 2048 bit RSA private key
..............................+++
..................................................................................+++
writing new private key to 'fr-salin.eu.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fr-salin.eu
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:fr-salin.eu
Email Address []:hostmaster@fr-salin.eu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@dakota:~ # ls -l fr-salin.eu.*
-rw-r--r--  1 root  wheel  1033 11 oct 17:51 fr-salin.eu.csr
-rw-r--r--  1 root  wheel  1704 11 oct 17:51 fr-salin.eu.key

The CSR (the request) must now be sent to (Gandi|CACert), and the CRT (the certificate) is then retrieved through the web interface.
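
Before handing the CSR over, a few checks worth running on the key and the request, as an added example that is not from the original page: the key and CSR paths are the two arguments (on the author's host, fr-salin.eu.key and fr-salin.eu.csr), and the mode check reflects the ls output above, where the key was created world-readable.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a freshly generated
# private key and CSR before the CSR is handed to the CA.
# Usage: ./check_csr.sh <private key> <csr>   (hypothetical script name)

# Print "ok" when the CSR's self-signature verifies and its public key is the
# one derived from the private key; "bad-csr" or "mismatch" otherwise.
csr_matches_key() {
    key="$1"; csr="$2"
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "bad-csr"; return 1
    fi
    # Compare the DER encodings of both public keys through a hash.
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo "ok"; else echo "mismatch"; fi
}

# Print the CSR's signature algorithm; the page passes -sha256 to req, and
# public CAs no longer accept sha1-signed requests.
csr_sigalg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# The ls output on the page shows the key created mode 644, i.e. readable by
# every local user. Print "ok" only for a mode that grants nothing to group/other.
key_mode_ok() {
    mode=$(stat -f %Lp "$1" 2>/dev/null) || mode=$(stat -c %a "$1")   # BSD stat, then GNU stat
    case "$mode" in
        600|400) echo "ok" ;;
        *)       echo "too-open:$mode" ;;
    esac
}

if [ $# -eq 2 ]; then
    csr_matches_key "$1" "$2"
    csr_sigalg "$2"
    key_mode_ok "$1"
fi
```

Running `umask 077` before the `openssl req` command avoids the world-readable key in the first place.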

Gandi.net specifics

The DNS validation method requires a change to the DNS zone of the domain concerned.
The email validation method requires creating an admin@modomaine.tld address.

Creating "Let's Encrypt" certificates

https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f

> sd-83258 ~ % sudo pkg install acme-client
...
WARNING: The default configuration paths have changed, rename :
/usr/local/www/letsencrypt to /usr/local/www/acme
/usr/local/etc/letsencrypt to /usr/local/etc/acme
/usr/local/etc/ssl/letsencrypt to /usr/local/etc/ssl/acme
and verify paths in your scripts
...
There are example scripts in : /usr/local/etc/acme
that you can use for renewing and deploying multiple certificates
...
In order to run the script regularly to update the certificates add this line to /etc/periodic.conf
weekly_acme_client_enable="YES"
...
Additionally the following parameters can be added to /etc/periodic.conf (showing default values):
To specify the domain name(s) to include in the certificate
	weekly_acme_client_domains="$(hostname -f)"
To specify the .well-known/acme-challenge directory (full path)
	weekly_acme_client_challengedir="/usr/local/www/acme"
To set additional acme-client arguments (see acme-client(1))
	weekly_acme_client_args="-b"
To run a specific script for the renewal (ignore previously set variables) allows generating/renewing multiple keys/certificates
	weekly_acme_client_renewscript=""/usr/local/etc/acme/acme-client.sh"
To run a script after the renewal to deploy changed certs
	weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh

Before creating the certificate, a temporary nginx vhost has to be set up:

pre_ssl.wezee.eu.conf
server {
  listen  80;
  server_name wiki.wezee.eu;
  index index.html;
  root /usr/local/www/wezee/dokuwiki;
  access_log  /var/log/nginx/wiki.wezee.eu.log  main;
  location ^~ /.well-known/acme-challenge {
    alias /usr/local/www/acme;
    try_files $uri =404;
  }
}

Once the web server has picked up this vhost, all that remains is to start the certificate creation:

> sd-83258 /usr/local/etc/ssl % sudo acme-client -v -e -m -b -n -N wiki.wezee.eu
Mot de passe : 
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu: creating directory
acme-client: /usr/local/etc/ssl/acme/private/wiki.wezee.eu: creating directory
acme-client: /usr/local/etc/acme/wiki.wezee.eu: creating directory
acme-client: acme-client: /usr/local/etc/acme/wiki.wezee.eu/privkey.pem: generating RSA account key/usr/local/etc/ssl/acme/private/wiki.wezee.eu/privkey.pem: generating RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2.18.117.197
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:2d:180::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:2d:19b::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: wiki.wezee.eu
acme-client: /usr/local/www/acme/Lj0ML5yBVHwP3j0XJU9r6QRBwuM8jxnpcXHl6cfHkiA: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/V0hy_ZRUh8kDhitU55BgXWQ4QwoakR2oeLBeATR2W5I/1285691726: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/V0hy_ZRUh8kDhitU55BgXWQ4QwoakR2oeLBeATR2W5I/1285691726: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 95.101.72.210
acme-client: cert.int-x3.letsencrypt.org: DNS: 95.101.72.218
acme-client: cert.int-x3.letsencrypt.org: DNS: 2a02:26f0:2d::216:30a2
acme-client: cert.int-x3.letsencrypt.org: DNS: 2a02:26f0:2d::216:30a8
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/cert.pem: linked to cert-1496692785.pem
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/chain.pem: linked to chain-1496692785.pem
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/fullchain.pem: linked to fullchain-1496692785.pem
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/chain.pem: created
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/cert.pem: created
acme-client: /usr/local/etc/ssl/acme/wiki.wezee.eu/fullchain.pem: created
The renew script provided by this tutorial doesn't work OFB for me, so I came up with this one:
#!/bin/sh -e
# One domain per line; acme-client is run once per line
DOMAINSFILE="/usr/local/etc/acme/domains.txt"
# -v: verbose, -m: append the domain name to the default output directories
ACME_FLAGS="-v -m"
while read -r domain ; do
   [ -n "${domain}" ] || continue
   # ${domain} is deliberately unquoted: a line may hold a domain followed by its
   # alternative names, which are passed to acme-client as separate arguments
   acme-client ${ACME_FLAGS} ${domain}
done < "${DOMAINSFILE}"
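
As an added example (not the page's or acme-client's own code): a deploy script for the weekly_acme_client_deployscript hook named in the pkg message, assuming the -m directory layout shown in the acme-client output above, the same domains.txt as the renewal script, and that nginx is reloaded with `service nginx reload`.

```shell
#!/bin/sh -e
# Added example, not from the original page: checks on renewed certificates
# before nginx is reloaded. Assumed: the -m layout seen in the acme-client
# output (fullchain.pem under $SSLDIR/<domain>/, privkey.pem under
# $SSLDIR/private/<domain>/), the renewal script's domains.txt; run with "run".
SSLDIR="/usr/local/etc/ssl/acme"
DOMAINSFILE="/usr/local/etc/acme/domains.txt"
MIN_DAYS=30   # never deploy a certificate that expires sooner than this

# check_cert <fullchain.pem> <privkey.pem> <domain>: succeed only when the leaf
# certificate is valid for MIN_DAYS, covers the domain and matches the key.
check_cert() {
    cert="$1"; key="$2"; domain="$3"
    if ! openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "$domain: certificate expires in less than $MIN_DAYS days" >&2; return 1
    fi
    # -checkhost reports "does match" or "does NOT match" (SAN first, then CN)
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null | grep -q "does match"; then
        echo "$domain: certificate does not cover this name" >&2; return 1
    fi
    # Same public key on both sides, compared through a hash of the DER form
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "$domain: private key does not match the certificate" >&2; return 1
    fi
}

main() {
    failed=0
    while read -r domain; do
        [ -n "$domain" ] || continue
        if check_cert "$SSLDIR/$domain/fullchain.pem" \
                      "$SSLDIR/private/$domain/privkey.pem" "$domain"; then
            echo "$domain: ok"
        else
            failed=1
        fi
    done < "$DOMAINSFILE"
    # Reload only when every certificate passed: one bad file would take
    # down every TLS vhost this nginx serves.
    if [ "$failed" -eq 0 ]; then service nginx reload; else return 1; fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```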
pub/tls.txt · Last modified: 2017/12/17 18:18 by loran42o