Par Larry Basin Prérequis :
# apt-get update && apt-get upgrade
# apt-get install python-dev
# export LC_ALL=C
# dpkg-reconfigure locales
====
Generating locales (this might take a while)...
fr_FR.ISO-8859-1... done
Generation complete.
====
# apt-get install python-pip
# pip install --upgrade pip
====
Collecting pip
Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
100% |################################| 1.3MB 631kB/s
Installing collected packages: pip
Found existing installation: pip 8.1.1
Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1
====
# exit
$ ssh-keygen -t rsa -b 4096 -C "xxx.yyy@gmail.com"
Generating public/private rsa key pair.
Enter file in which to save th
e key (/home/larry/.ssh/id_rsa): press [Entrée]
Enter passphrase (empty for no passphrase):
[Entrée]
Enter same passphrase again: [Entrée]
Your identification has been saved in /home/larry/.ssh/id_rsa1.
Your public key has been saved in /home/larry/.ssh/id_rsa1.pub.
The key fingerprint is:
SHA256:OL4RumkfhCjrQFzUlG/GgLqw14G64iANLE5t1Ka9goE larry.basin@gmail.com
The key's randomart image is:
+---[RSA 4096]----+
| .+.. |
| ...+ |
| .+ o+ |
|=.=.=. * |
|EOo=.oB S |
|B*= .+.o |
|==....+ |
|B oo + |
|oo .o.o |
+----[SHA256]-----+
$ ls -l ~/.ssh/
$ cat ~/.ssh/id_rsa.pub
Les instructions pour ajouter cette clé SSH sur votre instance se trouveront ici : https://wiki.gandi.net/fr/simple/ssh_key
$ sftp 1073382@sftp.dc2.gpaas.net
The authenticity of host 'sftp.dc2.gpaas.net (2001:4b98:dc2:950::99)' can't be established.
RSA key fingerprint is SHA256:1Tpwj0UT92ARAGczV2ha6tBE3lQz0uLvBRWCaIPmh6I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sftp.dc2.gpaas.net,2001:4b98:dc2:950::99' (RSA) to the list of known hosts.
Connected to sftp.dc2.gpaas.net.
sftp> exit
$ eval $(ssh-agent)
Agent pid 16139
$ ssh-add
Identity added: /home/admin/.ssh/id_rsa (/home/admin/.ssh/id_rsa)
$ mkdir CERTBOT
$ cd CERTBOT/
$ wget https://dl.eff.org/certbot-auto
====
--2017-05-19 09:40:53-- https://dl.eff.org/certbot-auto
Résolution de dl.eff.org (dl.eff.org)… 173.239.79.196
Connexion à dl.eff.org (dl.eff.org)|173.239.79.196|:443… connecté.
requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 47361 (46K) [application/octet-stream]
Enregistre : «certbot-auto»
certbot-auto 100%[=============================================>] 46,25K 296KB/s in 0,2s
2017-05-19 09:40:55 (296 KB/s) - «certbot-auto» enregistré [47361/47361]
====
$ chmod a+x certbot-auto
Ajout de l'utilisateur "admin" dans le groupe sudo :
# adduser admin sudo
Adding user `admin' to group `sudo' ...
Adding user admin to group sudo
Done.
Ajout de la variable "Defaults env_keep+=SSH_AUTH_SOCK" dans le fichier "/etc/sudoers"
$ ./certbot-auto
Après exécution de cette commande, j'ai obtenu ce type de message :
=====
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
[sudo] password for admin:
Sorry, try again.
[sudo] password for admin:
admin is not in the sudoers file. This incident will be reported.
apt-get update hit problems but continuing anyway...
=====
Pour corriger cette erreur : ouvrir /etc/sudoers et ajouter : admin ALL=(ALL:ALL) ALL sous # User privilege specification J'exécute à nouveau :
$ ./certbot-auto
Cette fois j'ai obtenu :
====
OSError: Command /home/admin/.local/s...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
====
Solution :
# pip install setuptools
====
Collecting setuptools
Downloading setuptools-35.0.2-py2.py3-none-any.whl (390kB)
100% |################################| 399kB 1.5MB/s
Collecting appdirs>=1.4.0 (from setuptools)
Downloading appdirs-1.4.3-py2.py3-none-any.whl
Collecting packaging>=16.8 (from setuptools)
Downloading packaging-16.8-py2.py3-none-any.whl
Collecting six>=1.6.0 (from setuptools)
Downloading six-1.10.0-py2.py3-none-any.whl
Collecting pyparsing (from packaging>=16.8->setuptools)
Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)
100% |################################| 61kB 4.2MB/s
Installing collected packages: appdirs, pyparsing, six, packaging, setuptools
Successfully installed appdirs-1.4.3 packaging-16.8 pyparsing-2.2.0 setuptools-35.0.2 six-1.10.0
====
$ export LC_ALL="C"
Et enfin, j'exécute à nouveau la commande :
$ ./certbot-auto
====
.....
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
====
Ne vous inquiétez pas pour ce message. Utilisez la commande "cd" pour revenir dans votre dossier personnel.
# apt-get install git
$ mkdir LETSENCRYPT
$ cd LETSENCRYPT/
$ git clone https://github.com/Gandi/letsencrypt-gandi.git
====
Cloning into 'letsencrypt-gandi'...
remote: Counting objects: 82, done.
remote: Total 82 (delta 0), reused 0 (delta 0), pack-reused 82
Unpacking objects: 100% (82/82), done.
Checking connectivity... done.
====
$ cd letsencrypt-gandi/
Mise à jour de "Python-pip" :
$ ~/.local/share/letsencrypt/bin/pip install --upgrade pip
====
Collecting pip
Using cached pip-9.0.1-py2.py3-none-any.whl
Installing collected packages: pip
Found existing installation: pip 8.0.3
Uninstalling pip-8.0.3:
Successfully uninstalled pip-8.0.3
Successfully installed pip-9.0.1
====
Installation du plugin :
$ ~/.local/share/letsencrypt/bin/pip install -e .
====
Obtaining file:///home/admin/CERTBOT/LETSENCRYPT/letsencrypt-gandi
Requirement already satisfied: setuptools in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Requirement already satisfied: mock in /home/admin/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-gandi==0.0.1.dev0)
Installing collected packages: letsencrypt-gandi
Running setup.py develop for letsencrypt-gandi
Successfully installed letsencrypt-gandi
====
# .local/share/letsencrypt/bin/certbot run \
--domains git.belette.space \
--authenticator letsencrypt-gandi:gandi-shs \
--letsencrypt-gandi:gandi-shs-name encrypt \
--letsencrypt-gandi:gandi-shs-vhost git.belette.space \
--letsencrypt-gandi:gandi-shs-api-key 7es2Es8OCdRG6UH8I8li0CCC \
--installer letsencrypt-gandi:gandi-shs
====
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
_api_key_from_args
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):larry.basin@gmail.com
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:N
......
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://git.belette.space
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=git.belette.space
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/git.belette.space/fullchain.pem. Your cert
will expire on 2017-08-20. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
====