Berikut ini adalah cara memasang sertifikat SSL yang ditandatangani oleh Let’s Encrypt dengan menggunakan certbot pada Debian Wheezy. Silakan lihat cara pasang di Wheezy untuk keterangan lebih lanjut.

Aktifkan Repo Debian Wheezy Backports

Anda bisa langsung mengaktifkan repo Debian Wheezy Backports:

echo "deb http://kambing.ui.ac.id/debian-backports/ jessie-backports main" | sudo tee /etc/apt/sources.list.d/debian-backports.list
sudo apt update

Atau nanti tunggu ditanyakan pada saat menjalankan certbot.

Pasang certbot

Unduh dengan pengunduh favorit Anda.

sudo wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
sudo chmod +x /usr/local/bin/certbot-auto

Sebelum Memasang Let’s Encrypt

Siapa tahu Anda malas tidak punya waktu untuk membaca artikel sebelumnya, perhatikanlah:

1. Pastikan semua domain yang didaftarkan sudah terdaftar di DNS publik.
2. Pastikan bahwa direktori yang memuat URL untuk sertifikasi dapat diakses.

Penulisan DNS di luar cakupan tulisan ini. Berikut contoh direktori .well-known

server {
        listen   80;
        listen  [::]:80 ipv6only=on;
        server_name  example.com www.example.com;
        server_name_in_redirect on;
        port_in_redirect on;
 
        access_log  /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log;
 
        # For ACME Let's Encrypt challenge
        location /.well-known {
                alias /var/www/html/.well-known; # have this as the webroot
        }
 
        location / {
                return 301 https://$server_name$request_uri;
        }
 
}

Mari memasang certbot.

Sertifikasi

Seperti biasa:

sudo certbot-auto certonly --webroot -w /var/www/html -d example.com -d www.example.com

Seandainya tadi Anda melewati bagian pemasangan repositori Debian Backports, maka Anda akan ditanyakan:

To use the Apache Certbot plugin, augeas needs to be installed from wheezy-backports.
Would you like to enable the wheezy-backports repository [Y/n]? y

Lalu beberapa pesan pemasangan paket Python virtualenv. Kemudian, ditanyakan alamat info:

Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]

Lalu, ditanyakan apakah menyetujui syarat dan ketentuan yang diberikan, jawab A untuk setuju.

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at

No Title

No Description

-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Setelah itu, tunggu beberapa saat.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your
   cert will expire on 2017-04-19. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Kalau sudah sampai sini, Anda sudah selesai mendapatkan sertifikasi dari Let’s Encrypt.

Konfigurasi NGINX

Kalau mau penjelasan, lihat artikel terdahulu.

Berikut blok SSL:

ssl  on;
 
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
ssl_session_cache   shared:SSL:20m;
ssl_session_timeout 60m;
 
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8;
 
add_header Strict-Transport-Security "max-age=31536000" always;

Nah, untuk Debian Wheezy, ada tambahan yang harus dilakukan.

Penambahan Penjadwalan CRON

Pada paket Debian Jessie, jadwal CRON untuk certbot sudah dipasang pada /etc/cron.d/certbot. Mari tambahkan secara manual untuk Debian Wheezy.

Pertama-tama, coba jalankan apakah sukses.

sudo certbot-auto renew --dry-run

Kalau sudah berhasil, maka pasang pada CRON.

sudo crontab -e

Masukkan entri:

0 */12 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

Let’s Encrypt memandatkan untuk pengecekan sehari dua kali.

Terakhir

Selesai.