In this post I just want to share some knowledge about Let's Encrypt, a provider of SSL certificates that are free yet trusted by all sorts of browsers, such as Google Chrome, Mozilla Firefox, etc. You can install Let's Encrypt on your Linux server (Debian, Ubuntu, Red Hat, CentOS, SUSE, etc.). Your domain's https is guaranteed to show up in shiny green.
Quote:
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.
So how do you install it, bro?
The installation is a little different from SSL in general. Usually we generate the CSR first, then have it processed by the SSL provider, and only then do we get the SSL certificate (root, intermediate and CA). With Let's Encrypt, though, we just install the application on our server and then point the SSL configuration in the web server at the location of the SSL files Let's Encrypt generated.
Here are my test results, bro:
The server I used is CentOS 7 with a minimal installation.
Make sure the CentOS server already has git and the EPEL repository. If not, install them first:
A screen like the following will then appear; enter your email address for Let's Encrypt recovery purposes:
Press Enter to continue the process
After the process finishes, a notification like the following will appear:
Code:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to support@linboxs.net.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/enzu02.linboxs.net/fullchain.pem. Your cert
will expire on 2016-04-01. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate files will be stored in:
Code:
/etc/letsencrypt/live/enzu02.linboxs.net/
Edit the ssl.conf file:
Code:
# vim /etc/httpd/conf.d/ssl.conf
Change the locations of SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile as follows:
root@djaja:~# bash -x gen-le-ssl.sh
+ '[' -d ./acme-tiny ']'
+ mkdir ./acme-tiny
+ curl https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9150 100 9150 0 0 37979 0 --:--:-- --:--:-- --:--:-- 47409
+ echo -n 'Enter DN or FQDN: '
Enter DN or FQDN: + read domain
www.abc.com
+ echo -n 'Enter Full Path www: '
Enter Full Path www: + read fullpath
/srv/st
+ echo www.abc.com
www.abc.com
+ echo /srv/st
/srv/st
+ rm -rf www.abc.com
+ echo 'mkdir working directory...'
mkdir working directory...
+ mkdir www.abc.com
++ pwd
+ workdir=/root/www.abc.com/
+ echo 'generate account key for www.abc.com ..'
generate account key for www.abc.com ..
+ openssl genrsa 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................++
........................................................................................++
e is 65537 (0x10001)
+ echo 'generate domain private key....'
generate domain private key....
+ openssl genrsa 4096
Generating RSA private key, 4096 bit long modulus
................................................++
...........................++
e is 65537 (0x10001)
+ echo 'generate csr..'
generate csr..
+ openssl req -new -sha256 -key /root/www.abc.com//www.abc.com.key -subj /CN=www.abc.com
+ echo 'create directory acmi at /srv/st..'
create directory acmi at /srv/st..
+ mkdir -p /srv/st/.well-known/acme-challenge
+ echo 'create file verification at /srv/st/.well-known/acme-challenge/..'
create file verification at /srv/st/.well-known/acme-challenge/..
+ echo 'Get a signed certificate..'
Get a signed certificate..
+ python acme-tiny/acme_tiny.py --account-key /root/www.abc.com//www.abc.com_account.key --csr /root/www.abc.com//www.abc.com.csr --acme-dir /srv/st/.well-known/acme-challenge/
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying www.abc.com...
www.abc.com verified!
Signing certificate...
Certificate signed!
+ wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
--2016-01-06 03:07:05-- https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... 23.195.140.215, 2a02:26f0:b7:188::2a1f, 2a02:26f0:b7:187::2a1f
Connecting to letsencrypt.org (letsencrypt.org)|23.195.140.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K) [application/x-x509-ca-cert]
Saving to: `STDOUT'
100%[==============================================================================================================================>] 1,675 --.-K/s in 0s
2016-01-06 03:07:08 (19.1 MB/s) - written to stdout [1675/1675]
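A check to run on the files this procedure produces before ssl.conf is pointed at them, as an added example that is not part of the posts above: it confirms that the certificate and private key belong together, that the certificate is not about to expire (the notice above gives an expiry date and says to run Let's Encrypt again for a new one), and that the key file is not readable by group or others. The function names are hypothetical, and the `privkey.pem` name in the usage comment assumes the standard layout of the `live/` directory; only `fullchain.pem` is shown in the post.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a certificate/key pair before the web server uses it.
# Needs the openssl CLI and GNU stat (both present on a stock CentOS install).

# cert_matches_key CERT KEY -> exit 0 when both carry the same public key.
# For a fullchain file, openssl x509 reads the first (leaf) certificate.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS -> exit 0 when CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# key_is_private KEY -> exit 0 when group/other have no permission bits on KEY.
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# check_pair CERT KEY MIN_DAYS -> runs all three checks, prints one line per failure.
check_pair() {
    local rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    cert_valid_for "$1" "$3"   || { echo "FAIL: $1 expires within $3 days"; rc=1; }
    key_is_private "$2"        || { echo "FAIL: $2 is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Usage (paths assumed from the directory shown in the post):
#   d=/etc/letsencrypt/live/enzu02.linboxs.net
#   check_pair "$d/fullchain.pem" "$d/privkey.pem" 30
```

Run from cron, a non-zero exit from `check_pair` is the signal to renew or to fix the key's permissions.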
Original Posted By linboxs► On CentOS version 6 only Python version 2.6 is available, and Let's Encrypt needs Python version 2.7, so there are a few steps that have to be done: