Free SSL Certificate

Let’s Encrypt
Let’s Encrypt Glossary

ZeroSSL – FREE SSL Certificate Wizard

How to create a Let’s Encrypt certificate and integrate it into a web hosting product

Web-Server

How to Secure Apache with SSL and Let’s Encrypt in FreeBSD
NameBasedSSLVHosts
NameBasedSSLVHostsWithSNI

Mail-Server

Certbot: Let’s Encrypt TLS certificates for mail servers (Deprecated!)

Wildcard

Generate Wildcard SSL certificate using Let’s Encrypt/Certbot
Wildcard Domain Step-By-Step
ACME v2 Production Environment & Wildcards

Redirect

Setting up a redirect to HTTPS
Apache2 HTTP to HTTPS redirect
Quick tip: redirecting from HTTP to HTTPS via Apache or .htaccess

Multiple SSL Certificates with One IP Address

Server Name Indication (SNI)
Using Multiple SSL Certificates in Apache with One IP Address
Apache SNI Browser Support
Multi-Domain (SAN) Certificates – Using Subject Alternative Names
What is Server Name Indication (SNI)?
SSL vs. TLS: what are the differences?
SNI (Server Name Indication)

pf

pfctl cheat sheet

py36-certbot

# pkg install py36-certbot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 24 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py36-certbot: 0.35.1,1
        py36-openssl: 19.0.0
        py36-cryptography: 2.6.1
        py36-six: 1.12.0
        py36-cffi: 1.12.3
        py36-pycparser: 2.19
        py36-asn1crypto: 0.24.0
        py36-josepy: 1.2.0
        py36-acme: 0.35.1,1
        py36-requests-toolbelt: 0.8.0
        py36-requests: 2.21.0
        py36-chardet: 3.0.4_1
        py36-certifi: 2019.6.16
        py36-urllib3: 1.22,1
        py36-pysocks: 1.7.0
        py36-idna: 2.8
        py36-pytz: 2019.1,1
        py36-pyrfc3339: 1.1
        py36-zope.interface: 4.6.0
        py36-zope.component: 4.2.2
        py36-zope.event: 4.1.0
        py36-parsedatetime: 2.4_1
        py36-configobj: 5.0.6_1
        py36-configargparse: 0.14.0

Number of packages to be installed: 24

The process will require 27 MiB more space.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/24] Fetching py36-certbot-0.35.1,1.txz: 100%  458 KiB 468.8kB/s    00:01
[2/24] Fetching py36-openssl-19.0.0.txz: 100%   86 KiB  87.8kB/s    00:01
[3/24] Fetching py36-cryptography-2.6.1.txz: 100%  326 KiB 334.0kB/s    00:01
[4/24] Fetching py36-six-1.12.0.txz: 100%   19 KiB  18.9kB/s    00:01
[5/24] Fetching py36-cffi-1.12.3.txz: 100%  200 KiB 205.0kB/s    00:01
[6/24] Fetching py36-pycparser-2.19.txz: 100%  164 KiB 167.6kB/s    00:01
[7/24] Fetching py36-asn1crypto-0.24.0.txz: 100%  156 KiB 159.3kB/s    00:01
[8/24] Fetching py36-josepy-1.2.0.txz: 100%   73 KiB  75.3kB/s    00:01
[9/24] Fetching py36-acme-0.35.1,1.txz: 100%  125 KiB 128.2kB/s    00:01
[10/24] Fetching py36-requests-toolbelt-0.8.0.txz: 100%    4 MiB   1.6MB/s    00:03
[11/24] Fetching py36-requests-2.21.0.txz: 100%   82 KiB  84.4kB/s    00:01
[12/24] Fetching py36-chardet-3.0.4_1.txz: 100%  154 KiB 157.9kB/s    00:01
[13/24] Fetching py36-certifi-2019.6.16.txz: 100%  145 KiB 148.0kB/s    00:01
[14/24] Fetching py36-urllib3-1.22,1.txz: 100%  157 KiB 161.1kB/s    00:01
[15/24] Fetching py36-pysocks-1.7.0.txz: 100%   23 KiB  23.8kB/s    00:01
[16/24] Fetching py36-idna-2.8.txz: 100%   76 KiB  78.2kB/s    00:01
[17/24] Fetching py36-pytz-2019.1,1.txz: 100%  157 KiB 160.4kB/s    00:01
[18/24] Fetching py36-pyrfc3339-1.1.txz: 100%    8 KiB   8.1kB/s    00:01
[19/24] Fetching py36-zope.interface-4.6.0.txz: 100%  190 KiB 194.7kB/s    00:01
[20/24] Fetching py36-zope.component-4.2.2.txz: 100%   91 KiB  93.4kB/s    00:01
[21/24] Fetching py36-zope.event-4.1.0.txz: 100%    8 KiB   7.8kB/s    00:01
[22/24] Fetching py36-parsedatetime-2.4_1.txz: 100%   57 KiB  58.3kB/s    00:01
[23/24] Fetching py36-configobj-5.0.6_1.txz: 100%   51 KiB  52.1kB/s    00:01
[24/24] Fetching py36-configargparse-0.14.0.txz: 100%   24 KiB  24.5kB/s    00:01
Checking integrity... done (0 conflicting)
[1/24] Installing py36-pycparser-2.19...
[1/24] Extracting py36-pycparser-2.19: 100%
[2/24] Installing py36-six-1.12.0...
[2/24] Extracting py36-six-1.12.0: 100%
[3/24] Installing py36-cffi-1.12.3...
[3/24] Extracting py36-cffi-1.12.3: 100%
[4/24] Installing py36-asn1crypto-0.24.0...
[4/24] Extracting py36-asn1crypto-0.24.0: 100%
[5/24] Installing py36-cryptography-2.6.1...
[5/24] Extracting py36-cryptography-2.6.1: 100%
[6/24] Installing py36-openssl-19.0.0...
[6/24] Extracting py36-openssl-19.0.0: 100%
[7/24] Installing py36-pysocks-1.7.0...
[7/24] Extracting py36-pysocks-1.7.0: 100%
[8/24] Installing py36-idna-2.8...
[8/24] Extracting py36-idna-2.8: 100%
[9/24] Installing py36-chardet-3.0.4_1...
[9/24] Extracting py36-chardet-3.0.4_1: 100%
[10/24] Installing py36-certifi-2019.6.16...
[10/24] Extracting py36-certifi-2019.6.16: 100%
[11/24] Installing py36-urllib3-1.22,1...
[11/24] Extracting py36-urllib3-1.22,1: 100%
[12/24] Installing py36-requests-2.21.0...
[12/24] Extracting py36-requests-2.21.0: 100%
[13/24] Installing py36-pytz-2019.1,1...
[13/24] Extracting py36-pytz-2019.1,1: 100%
[14/24] Installing py36-josepy-1.2.0...
[14/24] Extracting py36-josepy-1.2.0: 100%
[15/24] Installing py36-requests-toolbelt-0.8.0...
[15/24] Extracting py36-requests-toolbelt-0.8.0: 100%
[16/24] Installing py36-pyrfc3339-1.1...
[16/24] Extracting py36-pyrfc3339-1.1: 100%
[17/24] Installing py36-zope.interface-4.6.0...
[17/24] Extracting py36-zope.interface-4.6.0: 100%
[18/24] Installing py36-zope.event-4.1.0...
[18/24] Extracting py36-zope.event-4.1.0: 100%
[19/24] Installing py36-acme-0.35.1,1...
[19/24] Extracting py36-acme-0.35.1,1: 100%
[20/24] Installing py36-zope.component-4.2.2...
[20/24] Extracting py36-zope.component-4.2.2: 100%
[21/24] Installing py36-parsedatetime-2.4_1...
[21/24] Extracting py36-parsedatetime-2.4_1: 100%
[22/24] Installing py36-configobj-5.0.6_1...
[22/24] Extracting py36-configobj-5.0.6_1: 100%
[23/24] Installing py36-configargparse-0.14.0...
[23/24] Extracting py36-configargparse-0.14.0: 100%
[24/24] Installing py36-certbot-0.35.1,1...
[24/24] Extracting py36-certbot-0.35.1,1: 100%

Message from py36-urllib3-1.22,1:
Be careful, support of IPv6 is broken with PySocks 1.5.7.

Message from py36-certbot-0.35.1,1:
===========================================================================

This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

===========================================================================

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ns3.te-clan.ch
    Domains: ns3.te-clan.ch
    Expiry Date: 2019-11-17 07:43:26+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
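The `certbot certificates` listing above is the natural input for an expiry check: a cron job that parses it and alerts when a certificate is inside the renewal window catches a broken `certbot renew` before the browser warnings do. The parser below is an added example and not part of this page or of certbot; the sample text it consumes is copied from the transcript above, while the `now` values, the 30-day threshold (certbot's own default renewal window) and the `renewal_report` function are constructed for the example.

```python
"""Parse `certbot certificates` output and flag certificates that need renewal.

Added example, not part of the page or of certbot. SAMPLE_OUTPUT is copied
from the transcript on this page; everything else is constructed.
"""
import re
from datetime import datetime, timezone

# Sample `certbot certificates` output (taken from the transcript above).
SAMPLE_OUTPUT = """Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ns3.te-clan.ch
    Domains: ns3.te-clan.ch
    Expiry Date: 2019-11-17 07:43:26+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# One "Key: value" field per line; indentation is ignored.
_FIELD = re.compile(
    r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path|Private Key Path):\s*(.*)$"
)


def parse_certificates(text):
    """Return one dict per certificate block; [] when certbot prints 'No certs found.'."""
    certs = []
    current = None
    for raw in text.splitlines():
        m = _FIELD.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate Name":
            current = {"name": value}
            certs.append(current)
        elif current is None:
            continue  # field before any "Certificate Name": malformed, skip
        elif key == "Domains":
            current["domains"] = value.split()
        elif key == "Expiry Date":
            # "2019-11-17 07:43:26+00:00 (VALID: 89 days)" -> date and status text
            date_part, _, status = value.partition(" (")
            current["expiry"] = datetime.fromisoformat(date_part.strip())
            current["status"] = status.rstrip(")")
        elif key == "Certificate Path":
            current["fullchain"] = value
        elif key == "Private Key Path":
            current["privkey"] = value
    return certs


def renewal_report(text, now, threshold_days=30):
    """Days left per certificate relative to `now` (timezone-aware), computed from
    the expiry date rather than trusting the '(VALID: N days)' text, plus flags
    for 'inside the renewal window' and 'already expired'."""
    report = []
    for cert in parse_certificates(text):
        days_left = (cert["expiry"] - now).days
        report.append({
            "name": cert["name"],
            "days_left": days_left,
            "needs_renewal": days_left <= threshold_days,
            "expired": days_left < 0,
        })
    return report


if __name__ == "__main__":
    # In a cron job you would feed it the real output:
    #   certbot certificates | python3 check_expiry.py
    for entry in renewal_report(SAMPLE_OUTPUT, datetime.now(timezone.utc)):
        print(entry)
```

Feed it `certbot certificates` output on stdin in a cron job and exit non-zero (or send a mail) when any entry has `needs_renewal` set; because the script recomputes the days from the date, it still works when certbot's own status text changes between versions.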

# certbot certonly --standalone -d XXX
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): XXX

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ns3.te-clan.ch
Waiting for verification...
Challenge failed for domain ns3.te-clan.ch
http-01 challenge for ns3.te-clan.ch
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ns3.te-clan.ch
   Type:   connection
   Detail: dns :: DNS problem: NXDOMAIN looking up A for
   ns3.te-clan.ch

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

# ping ns3.te-clan.ch
ping: cannot resolve ns3.te-clan.ch: Unknown host

### DNS CONFIG ###

# ping ns3.te-clan.ch
PING ns3.te-clan.ch (185.72.247.169): 56 data bytes
64 bytes from 185.72.247.169: icmp_seq=0 ttl=64 time=0.162 ms
64 bytes from 185.72.247.169: icmp_seq=1 ttl=64 time=0.159 ms

# certbot certonly --standalone -d ns3.te-clan.ch
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ns3.te-clan.ch
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/privkey.pem
   Your cert will expire on 2019-11-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# service apache24 stop
Stopping apache24.
Waiting for PIDS: 46220.

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/ns3.te-clan.ch.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ns3.te-clan.ch
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/ns3.te-clan.ch/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/ns3.te-clan.ch/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

$ certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'domain.XXX,*.domain.XXX'

named_update

#!/usr/bin/env perl
# named_update: write the two DNS-01 challenge values certbot hands out for
# 'domain.XXX,*.domain.XXX' (both live at _acme-challenge.<domain>) into the
# zone file and restart named. Expects the zone file to contain a line that
# mentions _acme-challenge (e.g. "$ORIGIN _acme-challenge.<domain>.") followed
# by two "@ TXT" records holding the previous challenge values.
use warnings;
use strict;
use IO::Handle;   # method-call syntax on filehandles ($wr->print) on older Perls

my $num_args = $#ARGV + 1;
if ($num_args != 3) {
    print "\nUsage: $0 <domain> <TXT1> <TXT2>\n";
    exit 1;
}

my ($domain, $txt1, $txt2) = @ARGV;
my @txt = ($txt1, $txt2);

my $dir = '/var/named/etc/namedb/master/';
my $filename = $dir . 'db.' . $domain;

print("$filename:\n");
open(my $rd, "<", $filename) or die "Could not open file '$filename': $!";

my @lines = <$rd>;
close($rd);

# the zone is rewritten in place, so fail loudly rather than leave a truncated file
open(my $wr, ">", $filename) or die "Could not write file '$filename': $!";
my $challenge = 0;       # set once the _acme-challenge marker line has been seen
my $challenge_line = 0;  # index of that marker line

foreach my $i (0 .. $#lines) {
    my $line = $lines[$i];

    # overwrite the 1st and 2nd line after the marker with the new TXT values
    # ($i - $challenge_line - 1 is 0 for the first line, 1 for the second)
    if ($challenge == 1 && $challenge_line > ($i - 3)) {
        $wr->print("@                       TXT     \"" . $txt[$i - $challenge_line - 1] . "\"\n");
    } else {
        $wr->print($line);
    }

    # detect the challenge marker line
    if ($line =~ /_acme-challenge/) {
        $challenge = 1;
        $challenge_line = $i;
        print("Found challenge!\n");
    }
}
close($wr);

print("Kill named\n");
my $out = `pkill named`;
print($out);
sleep(2);

print("Start named\n");
$out = `service named start`;
print($out);
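The same zone-file edit as a pure function, so the result can be inspected before anything touches named: this is an added example and not the named_update script above, and it goes a little beyond it in three ways. It accepts any number of challenge values instead of exactly two, it rejects values that are not plain base64url text (a stray quote or newline in a value would otherwise corrupt the zone file), and it bumps the SOA serial so that secondaries pick up the change (the page's script relies on restarting the primary and leaves the serial alone). The zone below, the `set_acme_challenge` and `bump_serial` names and the `today` parameter are all constructed for the example.

```python
"""Rewrite the _acme-challenge TXT records of a BIND zone file for DNS-01.

Added example, not the page's named_update script. The sample zone is constructed.
"""
import re

SAMPLE_ZONE = """$TTL 3600
$ORIGIN example.test.
@       IN SOA  ns1.example.test. hostmaster.example.test. (
                2019081901 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; minimum
@       IN NS   ns1.example.test.
ns1     IN A    192.0.2.10
$ORIGIN _acme-challenge.example.test.
@                       TXT     "old-challenge-1"
@                       TXT     "old-challenge-2"
"""

# An existing "@ TXT" record right after the marker line (with or without class).
_TXT_LINE = re.compile(r'^@\s+(?:IN\s+)?TXT\s+"')
# Certbot's DNS-01 values are unpadded base64url; anything else must not reach the zone.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")
# A standalone run of digits (the serial), not part of a hostname like ns1.example.test.
_SERIAL_TOKEN = re.compile(r"(?<![\w.])(\d+)(?![\w.])")


def bump_serial(serial, today):
    """Date-based serial (YYYYMMDDnn): start a new day at nn=01, otherwise +1,
    and never go backwards."""
    candidate = int(today + "01")
    return serial + 1 if candidate <= serial else candidate


def set_acme_challenge(zone_text, values, today):
    """Replace the "@ TXT" records following the _acme-challenge marker line with
    one record per value and bump the SOA serial; returns the new zone text."""
    for v in values:
        if not _SAFE_VALUE.match(v):
            raise ValueError("refusing to write unsafe challenge value: %r" % v)
    lines = zone_text.splitlines()

    marker = next((i for i, l in enumerate(lines) if "_acme-challenge" in l), None)
    if marker is None:
        raise ValueError("no _acme-challenge marker line in zone")
    end = marker + 1
    while end < len(lines) and _TXT_LINE.match(lines[end]):
        end += 1
    lines[marker + 1:end] = ['@                       TXT     "%s"' % v for v in values]

    # The serial is the first standalone number at or after the SOA line.
    soa = next(i for i, l in enumerate(lines) if re.search(r"\bSOA\b", l))
    for i in range(soa, len(lines)):
        m = _SERIAL_TOKEN.search(lines[i])
        if m:
            new = bump_serial(int(m.group(1)), today)
            lines[i] = lines[i][:m.start()] + str(new) + lines[i][m.end():]
            break
    else:
        raise ValueError("no SOA serial found")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: replace both challenge values, then write the result to the zone file
    # and reload named (e.g. `rndc reload <zone>`) once the text looks right.
    print(set_acme_challenge(SAMPLE_ZONE, ["newValueForApex", "newValueForWildcard"], "20190820"))
```

Because the function only returns text, a wrapper can write it to a temporary file next to the zone and rename it into place, which avoids the window in which the page's in-place rewrite leaves a truncated zone file if the script dies halfway.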
