Nous allons voir comment utiliser certbot pour obtenir gratuitement un certificat ssl.
1 / installer suivant votre plateforme via le domaine suivant l'utilitaire certbot https://certbot.eff.org
l'exemple que nous allons voir est fait avec nginx et debian 8.
sudo apt-get install certbot -t jessie-backports
2 - Récupérer le certificat ssl du domaine
sudo certbot certonly --webroot -w /var/host/www -d example.com -d www.example.com
3 - generer les clés
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
4 - configurer le nginx pour intégrer les certificats
4.1 - création du fichier de configuration
sudo vi /etc/nginx/snippets/ssl-example.com.conf
à l'intérieur y insérer les lignes suivantes :
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fexample.com/privkey.pem;
4.2 - creation fichier configuration nginx ssl
sudo vi /etc/nginx/snippets/ssl-params.conf
y insérer ces lignes
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
5 - configurer votre nginx pour rediriger le domaine http vers https
server {
listen 80;
server_name ~^www\.example\.(.*)$ ~^example\.(?!com).*$;
return 301 https://example.com$request_uri;
}
server {
listen 443;
server_name ~^www\.example\.(.*)$ ~^example\.(?!com).*$;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
server_name example.com;
root /var/host/www;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /app.php$is_args$args;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
error_log /var/log/nginx/example_error.log;
access_log /var/log/nginx/example_access.log;
}
6 - Mettre en place une crontab pour renouveler le certificat
crontab -e
y insérer cette ligne
30 2 * * * sudo /usr/bin/certbot renew --noninteractive --post-hook "/bin/systemctl reload nginx" >> /var/log/le-renew.log