Here is how to install an SSL certificate signed by Let's Encrypt using certbot on Debian Wheezy. See the Wheezy installation notes for further details.
Enable the Debian Wheezy Backports repository
You can enable the Debian Wheezy Backports repository right away. Note that since Wheezy, backports live in the main Debian archive under the wheezy-backports suite (not in the separate debian-backports archive, and not under jessie-backports), and Wheezy's apt has no apt update subcommand, so use apt-get:
echo "deb http://kambing.ui.ac.id/debian/ wheezy-backports main" | sudo tee /etc/apt/sources.list.d/debian-backports.list
sudo apt-get update
Or wait until certbot asks you about it when you run it.
Install certbot
Download it with your favourite downloader. EFF publishes a detached signature for the script at https://dl.eff.org/certbot-auto.asc; verify it with gpg against EFF's signing key before making the file executable, since this script will run as root. (EFF has since deprecated certbot-auto, so on current systems use a packaged certbot instead.)
sudo wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
sudo chmod +x /usr/local/bin/certbot-auto
Before installing Let's Encrypt
In case you were too lazy, or did not have time, to read the previous article, note the following:
- Make sure every domain you are going to register is already published in public DNS (Let's Encrypt validates from its own servers, so entries in /etc/hosts do not count).
- Make sure the directory that backs the validation URL (/.well-known/acme-challenge/ under the webroot) is reachable over plain HTTP on port 80.
Setting up DNS is outside the scope of this article. Here is an example nginx server block that serves the .well-known directory. Note that the redirect uses $server_name, which nginx sets to the first name in the server_name list, so requests for www.example.com are redirected to https://example.com/...; use $host instead if each name should keep its own hostname.
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com www.example.com;
    server_name_in_redirect on;
    port_in_redirect on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # For ACME Let's Encrypt challenge
    location /.well-known {
        alias /var/www/html/.well-known; # have this as the webroot
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}
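Before running certbot it is worth reproducing, from the outside, what the Let's Encrypt validator will do: resolve each name in public DNS and fetch a file from /.well-known/acme-challenge/ over plain HTTP. The pre-flight script below is an added example and not part of the original post. It assumes the nginx block above, a webroot of /var/www/html (override with the WEBROOT variable), and that dig and curl are installed; the probe file name, the PREFLIGHT_RUN guard and the use of 8.8.8.8 as the resolver are this example's own choices.

```shell
#!/bin/sh
# Pre-flight check for certbot --webroot (added example, not from the original post).
# Assumes: nginx serves /.well-known from $WEBROOT over HTTP, dig and curl installed.

WEBROOT="${WEBROOT:-/var/www/html}"   # assumption: same webroot as the nginx block above

# URL the ACME http-01 validator will fetch for a given domain and token.
acme_probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Path where certbot --webroot writes the token file for that same request.
acme_probe_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a throwaway probe file under the webroot; prints "<name> <content>".
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    name="preflight-$(date +%s)-$$"       # constructed token name, not an ACME token
    content="probe-$name"
    printf '%s' "$content" > "$dir/$name" || return 1
    printf '%s %s\n' "$name" "$content"
}

# Does the name resolve in *public* DNS? Ask a public resolver directly so that
# /etc/hosts entries or a split-horizon view cannot mask a missing record.
dns_resolves() {
    [ -n "$(dig +short A "$1" @8.8.8.8 2>/dev/null)" ] ||
    [ -n "$(dig +short AAAA "$1" @8.8.8.8 2>/dev/null)" ]
}

# Pure comparison of a fetched body against the expected probe content,
# kept separate from the network call so it can be exercised offline.
body_matches() { [ "$1" = "$2" ]; }

# Fetch the probe over plain HTTP, following no redirects, the way the CA does.
http_probe_ok() {
    got="$(curl -fsS --max-time 10 "$(acme_probe_url "$1" "$2")" 2>/dev/null)" || return 1
    body_matches "$got" "$3"
}

# Check every domain given on the command line; non-zero exit if any would fail.
preflight() {
    rc=0
    probe="$(write_probe "$WEBROOT")" || { echo "cannot write under $WEBROOT"; return 1; }
    name="${probe%% *}"; content="${probe#* }"
    for d in "$@"; do
        if ! dns_resolves "$d"; then
            echo "FAIL $d: no public A/AAAA record"; rc=1; continue
        fi
        if http_probe_ok "$d" "$name" "$content"; then
            echo "ok   $d"
        else
            echo "FAIL $d: $(acme_probe_url "$d" "$name") is not served from $WEBROOT"; rc=1
        fi
    done
    rm -f "$(acme_probe_path "$WEBROOT" "$name")"
    return $rc
}

# Usage: PREFLIGHT_RUN=1 WEBROOT=/var/www/html sh preflight.sh example.com www.example.com
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight "$@"
fi
```

Run it once for every name you intend to pass to certbot; a FAIL line means the http-01 challenge for that name would fail in exactly the same way, and fixing it first avoids burning Let's Encrypt's per-domain failure rate limit.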
Now let's run certbot.
Obtaining the certificate
As usual:
sudo certbot-auto certonly --webroot -w /var/www/html -d example.com -d www.example.com
If you skipped the Debian Backports repository step earlier, you will be asked:
To use the Apache Certbot plugin, augeas needs to be installed from wheezy-backports. Would you like to enable the wheezy-backports repository [Y/n]? y
Then a few messages follow about installing the Python virtualenv packages. Next you are asked for a contact address:
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):[email protected]
Next you are asked whether you agree to the terms of service; answer A to agree.
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Then wait a moment.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on
   2017-04-19. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot-auto again. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - If you lose your account credentials, you can recover through e-mails sent
   to [email protected].
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
If you have got this far, you have obtained your certificate from Let's Encrypt. Take the note about /etc/letsencrypt seriously: it holds the account key and the private keys, so back it up and keep it readable by root only.
NGINX configuration
For an explanation, see the earlier article.
Here is the SSL block as originally published. Be aware that its cipher list still offers RC4 (the EECDH+aRSA+RC4 group and the bare RC4 entry), which RFC 7465 prohibits, and that it enables TLS 1.0 and 1.1, which are now deprecated; drop those before using it, and replace ssl on; with listen 443 ssl; on the listen line, as ssl on; is deprecated in nginx:
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8;
add_header Strict-Transport-Security "max-age=31536000" always;
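The weak points in that block (RC4 in the cipher list, TLS 1.0/1.1, the deprecated ssl on;) are easy to miss by eye, so here is a small audit script together with a generator for a hardened server block that uses the same certificate paths. This is an added example and not from the original post: audit_tls_conf counts such findings in an nginx fragment, and hardened_tls_block prints a replacement block for a given domain. The hardened cipher string is this example's choice (ECDHE/DHE with AES-GCM or AES-CBC only), and /etc/nginx/ssl/dhparam.pem is assumed to have been generated already, as in the earlier article.

```shell
#!/bin/sh
# Audit an nginx TLS fragment for settings that were already weak in 2017 and print
# a hardened replacement (added example, not from the original post).

# audit_tls_conf FILE: prints one WEAK line per finding; exit status = number of
# findings, so 0 means clean. Checks: deprecated `ssl on;`, TLS 1.0/1.1 enabled,
# broken primitives offered positively in ssl_ciphers, OCSP stapling missing.
audit_tls_conf() {
    f="$1"; n=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "WEAK: 'ssl on;' is deprecated; put 'ssl' on the listen line instead"
        n=$((n+1))
    fi
    # matches "TLSv1" or "TLSv1.1" followed by a space or ';', but not "TLSv1.2"
    if grep -E '^[[:space:]]*ssl_protocols' "$f" | grep -Eq 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "WEAK: TLS 1.0/1.1 enabled; offer TLSv1.2 (or newer) only"
        n=$((n+1))
    fi
    # take the quoted cipher string, split on ' ' and ':', ignore negated (!...) tokens,
    # and flag anything that still names RC4, (3)DES, MD5, NULL or EXPORT suites
    weak="$(grep -E '^[[:space:]]*ssl_ciphers' "$f" | sed 's/^[^"]*"//; s/".*$//' \
            | tr ' :' '\n\n' | grep -v '^!' | grep -E 'RC4|DES|MD5|NULL|EXP' || true)"
    if [ -n "$weak" ]; then
        echo "WEAK: broken ciphers offered: $(printf '%s' "$weak" | tr '\n' ' ')"
        n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$f"; then
        echo "WEAK: OCSP stapling is off"
        n=$((n+1))
    fi
    return $n
}

# hardened_tls_block DOMAIN: print a complete HTTPS server block for the certbot
# paths used in this post. Cipher string and curve choices are this example's own.
hardened_tls_block() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;

    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EECDH+AES128:!aNULL:!eNULL:!MD5:!3DES:!RC4:!EXP:!PSK:!SRP:!DSS";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    # assumed to exist; generate once with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$domain/chain.pem;
    resolver 8.8.8.8;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage: TLS_AUDIT_RUN=1 sh tls-audit.sh /etc/nginx/sites-enabled/default example.com
if [ "${TLS_AUDIT_RUN:-0}" = 1 ]; then
    audit_tls_conf "$1"
    echo "--- hardened replacement ---"
    hardened_tls_block "${2:-example.com}"
fi
```

Run the audit over the fragment above and it reports three findings (ssl on;, TLS 1.0/1.1, the two RC4 entries); the generated block passes clean. After dropping it into the site config, check it with nginx -t and reload nginx.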
Now, for Debian Wheezy there is one more thing to do.
Adding a CRON schedule
The Debian Jessie package already installs a cron schedule for certbot at /etc/cron.d/certbot. On Debian Wheezy we add one manually.
First, test whether a renewal would succeed:
sudo certbot-auto renew --dry-run
If that succeeds, put it in cron (this is root's crontab, which is what certbot-auto needs to write to /etc/letsencrypt):
sudo crontab -e
Add the entry:
0 */12 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade
Let's Encrypt recommends (it does not mandate) running the renewal check twice a day; certbot only actually renews a certificate once it is within 30 days of expiry, so most runs do nothing. Two things the entry above does not do: it never reloads nginx, so a renewed certificate is not served until the next reload, and it hits the CA at exactly the same minute as everyone else with the same crontab. Add --post-hook "service nginx reload" to the renew command to fix the first, and a random sleep before it (the Jessie cron job sleeps up to 12 hours) to fix the second.
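A renewal wrapper that does both, plus a quick expiry report so a silently failing cron job is noticed before the certificate lapses. This is an added example and not part of the original post; it assumes certbot-auto at /usr/local/bin/certbot-auto, nginx under sysvinit (service nginx reload) and the /etc/letsencrypt/live layout shown above. The log file name, the 20-day alarm threshold and the sleep range are this example's own choices, and GNU date (as on Debian) is assumed for parsing the notAfter field.

```shell
#!/bin/sh
# Cron wrapper for certbot-auto renewals on Wheezy (added example, not from the post).
# Assumes: certbot-auto installed as above, sysvinit nginx, GNU date.

CERTBOT=/usr/local/bin/certbot-auto
LIVE=/etc/letsencrypt/live
LOGFILE=/var/log/letsencrypt/renew-cron.log   # assumption: this example's log file

# days_left_from_notafter "notAfter=Apr 19 10:00:00 2017 GMT" NOW_EPOCH
# Whole days between NOW_EPOCH and the date printed by `openssl x509 -enddate -noout`.
days_left_from_notafter() {
    end="$(date -u -d "${1#notAfter=}" +%s)" || return 1
    echo $(( (end - $2) / 86400 ))
}

# Days left on the live fullchain for one domain directory under $LIVE.
cert_days_left() {
    days_left_from_notafter \
        "$(openssl x509 -enddate -noout -in "$LIVE/$1/fullchain.pem")" "$(date +%s)"
}

# certbot renews at 30 days; below 20 means renewals have failed for over a week.
needs_attention() { [ "$1" -lt 20 ]; }

# Renew everything, spread over a random delay so the CA is not hit on the minute,
# and reload nginx after certbot has attempted a renewal so the new cert is served.
renew_all() {
    sleep $(( $(od -An -N2 -tu2 /dev/urandom) % 600 ))
    "$CERTBOT" renew --quiet --no-self-upgrade \
        --post-hook "service nginx reload" >>"$LOGFILE" 2>&1
}

# One line per certificate; ALERT lines are what you want mailed to you.
report() {
    for dir in "$LIVE"/*/; do
        d="$(basename "$dir")"
        left="$(cert_days_left "$d")" || { echo "ALERT $d: cannot read certificate"; continue; }
        if needs_attention "$left"; then
            echo "ALERT $d: $left days left"
        else
            echo "ok    $d: $left days left"
        fi
    done
}

# Crontab (root):
#   0 */12 * * * /usr/local/sbin/le-renew.sh renew
#   30 8 * * *   /usr/local/sbin/le-renew.sh report
case "${1:-}" in
    renew)  renew_all ;;
    report) report ;;
esac
```

Cron mails the output of the report job to root by default, so the ALERT lines reach you without any extra tooling; make sure root's mail is actually read on the box or forwarded.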
Finally
Done.