Let's Encrypt Weiterleitung auf HTTPS

Xazor · 3. Mai 2018

Guten Tag Brotfische,

ich habe heute versucht Let's Encrypt via Certbot zu installieren. Mir wird keine Fehlermeldung beim Installieren angezeigt. jedoch funktioniert https:// nun mal nicht.

Die Subdomäne habe ich jeweils durch forum.domain.de ersetzt und die Email ebenfalls durch max.mustermann@example.com

Bash

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):max.mustermann@example.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):forum.domain.de
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for forum.domain.de


Select the webroot for forum.domain.de:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for forum.domain.de: (Enter 'c' to cancel):/var/www/
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/forum.domain.de/fullchain.pem. Your
   cert will expire on 2018-08-01. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to max.mustermann@example.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Alles anzeigen

Mit freundlichen Grüßen

Xazor

[Stone] · 3. Mai 2018

Hast du deinen Webserver auch so konfiguriert, dass die Seiten über HTTPS erreichbar sind ?

Xazor · 3. Mai 2018

Man muss das konfigurieren? Wenn ja wo:D

[Stone] · 3. Mai 2018

Erstmal wäre es interessant zu wissen, was für einen Webserver (Apache, Nginx) du benutzt, und wie du per certbot das Zertifikat geholt hast (Gibt Parameter die du mit übergeben kannst, dass Cerbot dir die Konfiguration automatisch macht, z.b. für Apache certbot --apache).

**Andosius** · 3. Mai 2018

Es kann auch sein, dass du die .conf-Dateien manuell aktivieren musst. Aber wie oben bereits geschrieben ist es so, dass man anfangs normalerweise die Websoftware angibt.

Xazor · 3. Mai 2018

Ich benutze selber Apache,

hergeholt durch folgenden Befehl:

Bash

apt-get install certbot -t jessie-backports

und dann mit

Bash

certbot certonly

jeweils gestartet.

Habe dann jeweils den webroot installiert.

Das hier hat leider nicht funktioniert:

Bash

root@Anoym:/etc/letsencrypt/live# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

**Andosius** · 3. Mai 2018

Lies dir mal das hier durch:

https://certbot.eff.org/lets-encrypt/debianstretch-apache

Xazor · 3. Mai 2018

Zitat von Andosius

Lies dir mal das hier durch:

https://certbot.eff.org/lets-encrypt/debianstretch-apache

Ich habe aber Debian 8

[Stone] · 3. Mai 2018

Du bräuchtest ein anderes packet um das apache flag zu benutzen.
Aber du kannst die Konfiguration auch manuell angehen.
Das wichtigste wäre erstmal deinen Server auch auf Port 443 hören zu lassen, falls noch nicht eingestellt.
Das kannst du in der ports.conf von deinem Apache machen.

Xazor · 3. Mai 2018

Bash

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf


Listen 80


<IfModule ssl_module>
        Listen 443
</IfModule>


<IfModule mod_gnutls.c>
        Listen 443
</IfModule>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Alles anzeigen

Ist doch eigentlich schon drinne

[Stone] · 3. Mai 2018

Du müsstest jetzt noch das SSL-Modul von Apache aktivieren mit "a2enmod ssl"
Jetzt musst du noch deinen VHost einrichten, so dass dieser auch auf HTTPS reagiert.

Code

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile Pfad zu deinem Zert
SSLCertificateKeyFile Pfad zu deinem Key


ServerName forum.deinedomäne.de


DocumentRoot Dein Pfad zu den Dateien
</VirtualHost>

Alles anzeigen

Xazor · 3. Mai 2018

Wo finde ich denn den key?

Ist das der hier oder wo finde ich diesen?

/etc/letsencrypt/csr/0000_csr-certbot.pem

// edit

Habe folgende keys liegen, welchen soll ich denn jetzt nehmen?

0000_key-certbot.pem 0001_key-certbot.pem

Und was ist jetzt der Zert?

Natron · 3. Mai 2018

Warum macht ihr euch das so schwer ?
macht es mal so wie es hier erklärt..

https://www.pcwelt.de/ratgeber…es-erstellen-9963268.html

[Stone] · 3. Mai 2018

Kommt drauf an welches Zertifikat du einbindest.
Du hast anscheinend 2, du musst den passenden key auswählen

Xazor · 3. Mai 2018

Zitat von [PX]Stone

Kommt drauf an welches Zertifikat du einbindest.
Du hast anscheinend 2, du musst den passenden key auswählen

Habe ich, bearbeite derzeit die default-ssl Datei.

Nun muss ich aber wissen was der cert ist

Bash

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost


                DocumentRoot /var/www/html


                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn


                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined


                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf


                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on


                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt


                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one
                #   huge file containing all of them (file must be PEM encoded)
                #   Note: Inside SSLCACertificatePath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt


                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client
                #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl


                #   Client Authentication (Type):
                #   Client certificate verification type and depth.  Types are
                #   none, optional, require and optional_no_ca.  Depth is a
                #   number which specifies how deeply to verify the certificate
                #   issuer chain before deciding the certificate is not valid.
                #SSLVerifyClient require
                #SSLVerifyDepth  10
                #SSLVerifyDepth  10


                #   SSL Engine Options:
                #   Set various options for the SSL engine.
                #   o FakeBasicAuth:
                #        Translate the client X.509 into a Basic Authorisation.  This means that
                #        the standard Auth/DBMAuth methods can be used for access control.  The
                #        user name is the `one line' version of the client's X.509 certificate.
                #        Note that no password is obtained from the user. Every entry in the user
                #        file needs this password: `xxj31ZMTZzkVA'.
                #   o ExportCertData:
                #        This exports two additional environment variables: SSL_CLIENT_CERT and
                #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
                #        server (always existing) and the client (only existing when client
                #        authentication is used). This can be used to import the certificates
                #        into CGI scripts.
                #   o StdEnvVars:
                #        This exports the standard SSL/TLS related `SSL_*' environment variables.
                #        Per default this exportation is switched off for performance reasons,
                #        because the extraction step is an expensive operation and is usually
                #        useless for serving static content. So one usually enables the
                #        exportation for CGI and SSI requests only.
                #   o OptRenegotiate:
                #        This enables optimized SSL connection renegotiation handling when SSL
                #        directives are used in per-directory context.
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>


                #   SSL Protocol Adjustments:
                #   The safe and default but still SSL/TLS standard compliant shutdown
                #   approach is that mod_ssl sends the close notify alert but doesn't wait for
                #   the close notify alert from client. When you need a different shutdown
                #   approach you can use one of the following variables:
                #   o ssl-unclean-shutdown:
                #        This forces an unclean shutdown when the connection is closed, i.e. no
                #        SSL close notify alert is send or allowed to received.  This violates
                #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
                #        this when you receive I/O errors because of the standard approach where
                #        mod_ssl sends the close notify alert.
                #   o ssl-accurate-shutdown:
                #        This forces an accurate shutdown when the connection is closed, i.e. a
                #        SSL close notify alert is send and mod_ssl waits for the close notify
                #        alert of the client. This is 100% SSL/TLS standard compliant, but in
                #        practice often causes hanging connections with brain-dead browsers. Use
                #        this only for browsers where you know that their SSL implementation
                #        works correctly.
                #   Notice: Most problems of broken clients are also related to the HTTP
                #   keep-alive facility, so you usually additionally want to disable
                #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
                #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
                #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
                #   "force-response-1.0" for this.
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


        </VirtualHost>
</IfModule>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Alles anzeigen

So ist die derzeit eingestellt.

Muss theoretisch ja nur folgendes ändern

SSLCertificateFile
SSLCertificateKeyFile

// Edit
Habe es nun editiert.
HTTPS funktioniert auch nach dem a2enmod ssl nicht

Bash

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@mtx-network.eu


                DocumentRoot /var/www/


                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn


                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined


                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf


                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on


                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/letsencrypt/csr/0001_csr-certbot.pem
                SSLCertificateKeyFile /etc/letsencrypt/keys/0001_key-certbot.pem

Alles anzeigen

Habe es derzeit so stehen

[Stone] · 3. Mai 2018

Irgendwo hast du ja schon nen Vhost für dein Forum eingerichtet .
Änder den mal soweit ab wie ich gepostet habe.

Xazor · 3. Mai 2018

Zitat von [PX]Stone

Irgendwo hast du ja schon nen Vhost für dein Forum eingerichtet .
Änder den mal soweit ab wie ich gepostet habe.

Negativ

Lediglich das hier vorhanden:

Bash: 000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com


        ServerAdmin webmaster@mtx-network.eu
        DocumentRoot /var/www/


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn


        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Alles anzeigen

Und in der /etc/hosts:

Bash

127.0.0.1       forum.domain.de

[Stone] · 3. Mai 2018

Was benutzt du denn für ein Forum ?

Xazor · 3. Mai 2018

Das Forum ist noch nicht drauf.

Es kommt ein WBB Forum drauf.

// Edit

Kann es sein das das hier die Keys und die Certs sind:

Bash

:/etc/letsencrypt/live/forum.domain.de# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem

// edit

Negativ funktioniert ebenso nicht...

//Update

Habe folgende config Datei gefunden. Muss ich diese evtl aktivieren oderco?
Wenn ja wie?

Bash

/etc/letsencrypt/renewal# nano forum.domain.de.conf
  GNU nano 2.2.6                                        File: forum.domain.de.conf


# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/forum.domain.de
cert = /etc/letsencrypt/live/forum.domain.de/cert.pem
privkey = /etc/letsencrypt/live/forum.domain.de/privkey.pem
chain = /etc/letsencrypt/live/forum.domain.de/chain.pem
fullchain = /etc/letsencrypt/live/forum.domain.de/fullchain.pem


# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = *************************
[[webroot_map]]
forum.domain.de = /var/www

Alles anzeigen

// Update 2.0

Habe es nun eigenständig hingekriegt.

Musste die default ssl bearbeiten und diese dann aktivieren. Eine eigene wollte er irgendwie nicht annehmen.

Was ich gerne aber noch haben will ist eine dauerhafte https Weiterleitung auf meiner Domain.

Wie könnte ich das umsetzen?

**TobyDarkh** · 3. Mai 2018

Für wbb gibt es nen Plugin..