[Gandi] Installation d’un certificat Let’s Encrypt sur une instance Simple Hosting

By Larry Basin

Prerequisites:

– create a size M Simple Hosting instance:
https://wiki.gandi.net/fr/simple/create-instance

– create your vhost on that instance:
https://wiki.gandi.net/fr/simple/shs-dns_config/instance

– create an Ubuntu 16.04 LTS server:
https://wiki.gandi.net/fr/iaas/references/server/create

– retrieve your API key:
https://wiki.gandi.net/fr/xml-api/activate

1. Configure and update the Ubuntu 16.04 LTS server you created earlier:

# apt-get update && apt-get upgrade

2. Install the Python development package:

# apt-get install python-dev

3. Adjust the locales:

# export LC_ALL=C
# dpkg-reconfigure locales

====
Generating locales (this might take a while)...
fr_FR.ISO-8859-1... done
Generation complete.
====

4. Install Python pip:

# apt-get install python-pip

# pip install --upgrade pip

====
Collecting pip
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |################################| 1.3MB 631kB/s 
Installing collected packages: pip
  Found existing installation: pip 8.1.1
    Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1
====

# exit

5. Generate the SSH keys

From here on, commands prefixed with "$" are run as the unprivileged user (admin) and those prefixed with "#" as root. Pressing [Enter] at the passphrase prompt, as in the session below, leaves the private key unprotected on disk; since the key is loaded into ssh-agent in step 9 anyway, a passphrase costs nothing in daily use and is recommended.

$ ssh-keygen -t rsa -b 4096 -C "xxx.yyy@gmail.com"

Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa): press [Enter]
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]
Your identification has been saved in /home/larry/.ssh/id_rsa1.
Your public key has been saved in /home/larry/.ssh/id_rsa1.pub.
The key fingerprint is:
SHA256:OL4RumkfhCjrQFzUlG/GgLqw14G64iANLE5t1Ka9goE larry.basin@gmail.com
The key's randomart image is:
+---[RSA 4096]----+
|   .+..          |
|  ...+           |
|  .+ o+          |
|=.=.=. *         |
|EOo=.oB S        |
|B*= .+.o         |
|==....+          |
|B   oo +         |
|oo .o.o          |
+----[SHA256]-----+

6. Check that the keys were generated and are in the right directory:

$ ls -l ~/.ssh/

7. Add the public key to the Simple Hosting instance

Copy and paste the key found in the "id_rsa.pub" file (if ssh-keygen reported another file name, as with "id_rsa1.pub" in the output above, use that one). You can display it with this command:

$ cat ~/.ssh/id_rsa.pub

The instructions for adding this SSH key to your instance are here:

https://wiki.gandi.net/fr/simple/ssh_key

8. Test the SFTP connection to the instance

On the first connection, ssh asks you to accept the server's host key. Compare the fingerprint it prints with the one Gandi publishes for sftp.dc2.gpaas.net before answering "yes"; once accepted, the key is stored in ~/.ssh/known_hosts and you will not be asked again.

$ sftp 1073382@sftp.dc2.gpaas.net
The authenticity of host 'sftp.dc2.gpaas.net (2001:4b98:dc2:950::99)' can't be established.
RSA key fingerprint is SHA256:1Tpwj0UT92ARAGczV2ha6tBE3lQz0uLvBRWCaIPmh6I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sftp.dc2.gpaas.net,2001:4b98:dc2:950::99' (RSA) to the list of known hosts.
Connected to sftp.dc2.gpaas.net.
sftp> exit

9. Add the key to ssh-agent

$ eval $(ssh-agent)
Agent pid 16139
$ ssh-add
Identity added: /home/admin/.ssh/id_rsa (/home/admin/.ssh/id_rsa)
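Step 8 accepts the host key on trust at the first connection. The script below is an added example (not from the article, Gandi or OpenSSH) of doing that deliberately: it computes the fingerprint OpenSSH displays from a `ssh-keyscan` line and writes the entry to known_hosts only when it equals a fingerprint you obtained out of band. The sample key line is constructed and is not a real Gandi key; the fingerprint from the sftp session above is reused only in the `__main__` block as the value to compare against, where you would put the one Gandi publishes.

```python
"""Pin sftp.dc2.gpaas.net's host key instead of answering "yes" blindly.

Added example (not from the article or Gandi): the fingerprint is derived the
way OpenSSH does it and the key is written to known_hosts only on a match.
"""
import base64
import hashlib
import os


def openssh_sha256_fingerprint(key_blob_b64):
    """Fingerprint as `ssh-keygen -lf` and the sftp prompt show it.

    OpenSSH hashes the raw (base64-decoded) key blob with SHA-256 and prints
    the digest base64-encoded with the trailing '=' padding stripped.
    """
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line):
    """Split a `ssh-keyscan` / known_hosts line into (host, key_type, blob)."""
    parts = line.split()
    if len(parts) < 3 or not parts[1].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not a host key line: %r" % line)
    return parts[0], parts[1], parts[2]


def known_hosts_entry(keyscan_line, expected_fingerprint):
    """Return the line to pin, or None if the scanned key is not the expected one."""
    host, key_type, blob = parse_keyscan_line(keyscan_line)
    if openssh_sha256_fingerprint(blob) != expected_fingerprint:
        return None
    return "%s %s %s" % (host, key_type, blob)


def pin_host_key(keyscan_line, expected_fingerprint, known_hosts_path):
    """Append the entry to known_hosts; True when pinned, False on mismatch."""
    entry = known_hosts_entry(keyscan_line, expected_fingerprint)
    if entry is None:
        return False
    os.makedirs(os.path.dirname(known_hosts_path) or ".", mode=0o700, exist_ok=True)
    with open(known_hosts_path, "a", encoding="ascii") as fh:
        fh.write(entry + "\n")
    return True


# Constructed sample: a blob shaped like ssh-keyscan output, NOT a real Gandi key.
SAMPLE_KEYSCAN_LINE = "sftp.dc2.gpaas.net ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 64).decode("ascii")

if __name__ == "__main__":
    import subprocess
    import sys
    host = "sftp.dc2.gpaas.net"
    # Replace with the fingerprint Gandi publishes; this is the one shown in the
    # article's sftp session, used here only as an illustration.
    expected = "SHA256:1Tpwj0UT92ARAGczV2ha6tBE3lQz0uLvBRWCaIPmh6I"
    scan = subprocess.run(["ssh-keyscan", "-t", "rsa", host],
                          capture_output=True, text=True, check=True).stdout
    ok = any(pin_host_key(line, expected, os.path.expanduser("~/.ssh/known_hosts"))
             for line in scan.splitlines() if line and not line.startswith("#"))
    print("pinned" if ok else "fingerprint mismatch, nothing written")
    sys.exit(0 if ok else 1)
```

With the entry pinned this way, the sftp and ssh-agent steps run without the interactive prompt, and a later key change on the server shows up as a hard "host key mismatch" error rather than a new question to answer.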

10. Install Certbot

certbot-auto is a bootstrap script: it uses sudo to install OS packages and then builds a Python virtualenv under ~/.local/share/letsencrypt. Since you are about to run a downloaded script with root rights, fetch the detached signature published next to it (https://dl.eff.org/certbot-auto.asc) and verify it with gpg before making the script executable.

$ mkdir CERTBOT

$ cd CERTBOT/

$ wget https://dl.eff.org/certbot-auto

====
--2017-05-19 09:40:53--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)… 173.239.79.196
Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 47361 (46K) [application/octet-stream]
Saving to: 'certbot-auto'

certbot-auto                 100%[=============================================>]  46,25K   296KB/s    in 0,2s    

2017-05-19 09:40:55 (296 KB/s) - 'certbot-auto' saved [47361/47361]
====

$ chmod a+x certbot-auto

Add the user "admin" to the sudo group:

# adduser admin sudo

Adding user `admin' to group `sudo' ...
Adding user admin to group sudo
Done.

Add the line "Defaults env_keep+=SSH_AUTH_SOCK" to "/etc/sudoers" (edit it with visudo, which checks the syntax before saving). By default sudo strips the environment, so without this the ssh-agent socket exported in step 9 would be invisible to anything certbot-auto runs through sudo.

$ ./certbot-auto

After running this command, I got this kind of message:

=====
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
[sudo] password for admin: 
Sorry, try again.
[sudo] password for admin: 
admin is not in the sudoers file.  This incident will be reported.
apt-get update hit problems but continuing anyway...
=====

To fix this error:

open /etc/sudoers with visudo
and add: admin ALL=(ALL:ALL) ALL
under # User privilege specification

(The "adduser admin sudo" membership from above only applies to new login sessions, so logging out and back in is the alternative to this extra line. Either way, edit sudoers only through visudo: a syntax error saved with a plain editor locks everyone out of sudo.)

I run it again:

$ ./certbot-auto

This time I got:

====
OSError: Command /home/admin/.local/s...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
====

Solution:

# pip install setuptools

====
Collecting setuptools
  Downloading setuptools-35.0.2-py2.py3-none-any.whl (390kB)
    100% |################################| 399kB 1.5MB/s 
Collecting appdirs>=1.4.0 (from setuptools)
  Downloading appdirs-1.4.3-py2.py3-none-any.whl
Collecting packaging>=16.8 (from setuptools)
  Downloading packaging-16.8-py2.py3-none-any.whl
Collecting six>=1.6.0 (from setuptools)
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting pyparsing (from packaging>=16.8->setuptools)
  Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)
    100% |################################| 61kB 4.2MB/s 
Installing collected packages: appdirs, pyparsing, six, packaging, setuptools
Successfully installed appdirs-1.4.3 packaging-16.8 pyparsing-2.2.0 setuptools-35.0.2 six-1.10.0
====
$ export LC_ALL="C"

And finally, I run the command again:

$ ./certbot-auto

====
.....
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
====

Don't worry about this message: certbot found no Apache to configure, and the Gandi plugin installed in step 11 takes care of installing the certificate on the instance instead.

Use "cd" to return to your home directory.

11. Download the "Let's Encrypt Gandi" plugin

First, install "git":

# apt-get install git

$ mkdir LETSENCRYPT

$ cd LETSENCRYPT/

$ git clone https://github.com/Gandi/letsencrypt-gandi.git

====
Cloning into 'letsencrypt-gandi'...
remote: Counting objects: 82, done.
remote: Total 82 (delta 0), reused 0 (delta 0), pack-reused 82
Unpacking objects: 100% (82/82), done.
Checking connectivity... done.
====

$ cd letsencrypt-gandi/

Update "python-pip" inside certbot-auto's virtualenv:

$ ~/.local/share/letsencrypt/bin/pip install --upgrade pip

====
Collecting pip
  Using cached pip-9.0.1-py2.py3-none-any.whl
Installing collected packages: pip
  Found existing installation: pip 8.0.3
    Uninstalling pip-8.0.3:
      Successfully uninstalled pip-8.0.3
Successfully installed pip-9.0.1
====

Install the plugin (in editable mode, so the checkout itself is what certbot loads):

$ ~/.local/share/letsencrypt/bin/pip install -e .

====
Obtaining file:///home/admin/CERTBOT/LETSENCRYPT/letsencrypt-gandi
Requirement already satisfied: setuptools in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Requirement already satisfied: mock in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Installing collected packages: letsencrypt-gandi
  Running setup.py develop for letsencrypt-gandi
Successfully installed letsencrypt-gandi
====

12. Create and install the certificate on the instance

# .local/share/letsencrypt/bin/certbot run \
    --domains git.belette.space \
    --authenticator letsencrypt-gandi:gandi-shs \
    --letsencrypt-gandi:gandi-shs-name encrypt \
    --letsencrypt-gandi:gandi-shs-vhost git.belette.space \
    --letsencrypt-gandi:gandi-shs-api-key 7es2Es8OCdRG6UH8I8li0CCC \
    --installer letsencrypt-gandi:gandi-shs

"gandi-shs-name" is the name of your Simple Hosting instance ("encrypt" here) and "gandi-shs-vhost" the vhost created in the prerequisites. Note that the API key is passed on the command line, so it lands in your shell history and is visible to other local users in the process list while certbot runs; certbot also records the options it was given under /etc/letsencrypt/renewal/ so that "renew" can replay them, one more reason to back up and protect /etc/letsencrypt as the final notes say. Treat a key that has been pasted into a document, such as the one above, as disclosed and regenerate it from the Gandi API page.

====
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
_api_key_from_args

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):larry.basin@gmail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:A

 -------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:N

......

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://git.belette.space

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=git.belette.space
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/git.belette.space/fullchain.pem. Your cert
   will expire on 2017-08-20. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
====
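The final notes give an expiry date and point to the SSL Labs test. As an added example (not from the article, certbot or the Gandi plugin), the script below does the part of that check you can automate from cron: it fetches the certificate the vhost actually serves, confirms the name is covered by its subjectAltName, and flags it when fewer than 30 days remain, the window certbot's own "renew" uses by default. The sample certificate dictionary is constructed in the shape returned by Python's `getpeercert()` and reuses the article's domain and expiry date; `RENEW_BEFORE_DAYS` and the function names are this example's choices.

```python
"""Check what the vhost serves after certbot reports success.

Added example (not from the article, certbot or the Gandi plugin).
Usage: python3 check_vhost_cert.py git.belette.space
"""
import datetime as dt
import socket
import ssl
import sys

RENEW_BEFORE_DAYS = 30  # same window certbot's "renew" uses by default


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC datetime, used for 'now' and in tests."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def san_covers(hostname, cert):
    """True if hostname matches a DNS entry of the certificate's subjectAltName.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(). Only DNS
    entries count, and a wildcard matches exactly one leading label, which is
    the rule public CAs and browsers apply (*.example.org covers a.example.org,
    not example.org or a.b.example.org).
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def days_until_expiry(cert, now):
    """Whole days between `now` (aware UTC) and notAfter ('Aug 20 09:41:00 2017 GMT')."""
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                        dt.timezone.utc)
    return (expires - now).days


def assess(hostname, cert, now):
    """Return (ok, message); ok is False whenever an operator should act."""
    if not san_covers(hostname, cert):
        return False, "certificate does not cover %s" % hostname
    left = days_until_expiry(cert, now)
    if left < 0:
        return False, "certificate expired %d day(s) ago" % -left
    if left < RENEW_BEFORE_DAYS:
        return False, "certificate expires in %d day(s), renew now" % left
    return True, "certificate valid for %d more day(s)" % left


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Fetch the certificate actually served for hostname (needs network).

    The default context also validates the chain, so an untrusted or
    mismatched certificate raises an ssl error here before assess() runs.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape, reusing the article's vhost and expiry.
SAMPLE_CERT = {
    "subject": ((("commonName", "git.belette.space"),),),
    "subjectAltName": (("DNS", "git.belette.space"),),
    "notBefore": "May 22 09:41:00 2017 GMT",
    "notAfter": "Aug 20 09:41:00 2017 GMT",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "git.belette.space"
    ok, msg = assess(target, fetch_peer_cert(target), dt.datetime.now(dt.timezone.utc))
    print("%s: %s" % (target, msg))
    sys.exit(0 if ok else 1)
```

Run from cron a few days before each renewal window, a non-zero exit here is the signal that the "renew" command from the notes above (or the whole step 12 command, if the stored renewal parameters are gone) needs to run again.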