@Ray33
Last active March 14, 2023 23:16

Create a Let's Encrypt TLS certificate (ECDSA) + Nginx configuration

Verify prerequisites

Update the OS

sudo yum update #on CentOS 7 "yum upgrade" is the same command with obsoletes enabled, so running both is redundant

Git version

Verify the git version is 2.x:

git --version

CentOS 7 ships git 1.8, so if the version is below 2.x, upgrade git from a third-party repository (WANdisco is used here; check the repository's signing key before trusting it and keep gpgcheck enabled):

sudo yum install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
sudo yum install git #Or yum update git if it is already installed
#verify git is 2.x
git --version

Python version

Verify the python version is 2.7.x (this is what certbot-auto used on CentOS 7; current certbot releases require Python 3):

python --version

Update OpenSSL

Build OpenSSL from source (based on: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/)

yum group install 'Development Tools'
yum install perl-core zlib-devel -y

See the latest OpenSSL release on: https://github.com/openssl/openssl/releases; at the time of writing it is OpenSSL_1_1_1g. Use the newest letter release of the branch you pick (the later letters carry the CVE fixes), and note that the 1.1.1 branch reached end of life in September 2023.

cd /tmp
curl -O -L https://github.com/openssl/openssl/archive/OpenSSL_1_1_1g.tar.gz
tar -zxvf OpenSSL_1_1_1g.tar.gz
cd openssl-OpenSSL_1_1_1g
#If a previous source build exists, move it aside first:
[ -d /usr/local/ssl ] && sudo mv /usr/local/ssl /usr/local/ssl_backup
#Install directly into /usr/local/ssl. --openssldir is compiled into the binary (it is where
#openssl.cnf and the certs/ directory are looked up), so the install directory must not be
#renamed afterwards; installing to /usr/local/openssl and then moving it to /usr/local/ssl
#leaves the compiled-in path pointing at a directory that no longer exists.
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
make
make test
sudo make install

Tell the dynamic linker where the new libssl/libcrypto live:

sudo vi /etc/ld.so.conf.d/openssl-1.1.1.conf

paste in the file:

/usr/local/ssl/lib

Save and quit, then rebuild the linker cache:

sudo ldconfig

Put the new openssl binary in front of the distribution one. Do not rename /bin/openssl: on CentOS 7 /bin is /usr/bin, the file belongs to the openssl RPM, and the next yum update would put it back anyway. Prepending to PATH is enough:

sudo vi /etc/profile.d/openssl.sh

Paste in the file

#Set OPENSSL_PATH
OPENSSL_PATH="/usr/local/ssl/bin"
export OPENSSL_PATH
PATH=$OPENSSL_PATH:$PATH
export PATH

Save and quit

source /etc/profile.d/openssl.sh

#verify: both must point at /usr/local/ssl
which openssl
openssl version -a

Caveat: this replaces only the openssl command-line tool (and whatever you build against /usr/local/ssl). nginx, python and certbot from the CentOS 7 repositories stay linked against the distribution's OpenSSL 1.0.2, so this step does not by itself give nginx TLS 1.3.

Install or update certbot (Let's Encrypt client)

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
cd /opt
#If the certbot directory does not exist:
git clone https://github.com/certbot/certbot.git
#If the certbot directory exists:
cd /opt/certbot
git pull

The git checkout provides the certbot-auto wrapper used below. The EPEL package is an alternative, not an addition (it installs a second certbot with its own configuration), so pick one:

sudo yum install epel-release
sudo yum install certbot #EPEL package; it obsoletes the older "letsencrypt" package name

Note that certbot-auto is no longer maintained; on a current system install certbot from the snap or into a pip virtualenv, both of which need Python 3.

Create an ECDSA key and CSR

FIXME: Need to be re-test - SKIP START

cd /tmp
#P-384 private key; the subshell umask makes the file readable by root only
(umask 077; openssl ecparam -genkey -name secp384r1 -noout -out ec.key)
vi cert.conf

Adjust the below according to your domains and paste it in the file. Let's Encrypt uses only the public key and the subjectAltName list from the CSR; the subject fields and the extensions of the issued certificate are set by the CA, so the C/ST/L/O/OU values never appear in it. The CN must also be listed in alt_names, and a wildcard *.domain1.com does not cover domain1.com itself, so list the apex separately if you need it:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = 2_LETTER_COUNTRY (e.g US)
ST = STATE_OR_PROVINCE_NAME (e.g New York)
L = CITY_NAME (e.g New York)
O = ORGANIZATION_NAME (e.g ACME inc.)
OU = ORGANIZATION_UNIT (e.g Sales)
CN = DOMAIN (e.g acme.com, must also be one of the alt_names)
[v3_req]
#an EC key signs, it does not encipher: keyEncipherment/dataEncipherment are wrong for ECDSA
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain1.com
DNS.2 = domain1.com
DNS.3 = *.domain2.com
DNS.4 = ....
DNS.N = *.domainN.com

openssl req -new -sha256 -key ec.key -out ec.csr -config cert.conf
#check the CSR before submitting it: EC key and the expected names
openssl req -in ec.csr -noout -text | grep -E 'Public Key Algorithm|DNS:'
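To avoid hand-editing cert.conf for every domain set, here is an added shell example (not part of the gist) that builds the config from a domain list, generates the P-384 key and CSR, and inspects the CSR before it goes to certbot. It also expands each wildcard to its apex name, which the template above leaves to the reader. The file names ec.key, ec.csr and cert.conf follow the page; the function names and the script name are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not the gist's code): cert.conf from a domain list, EC key + CSR, CSR check.
# Usage: sh make_ec_csr.sh '*.domain1.com' '*.domain2.com'   (writes cert.conf, ec.key, ec.csr in $PWD)
set -eu

# Print a cert.conf for the given names. The first name (apex form) becomes the CN, every name
# becomes a DNS.n entry, each wildcard also yields its apex because *.x.com does not cover x.com,
# and duplicates are dropped. Only the public key and alt_names reach the issued certificate,
# so no C/ST/L/O/OU fields are written.
make_cert_conf() {
  local cn=${1#\*.} seen=' ' d name n=0
  cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $cn
[v3_req]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
  for d in "$@"; do
    for name in "$d" "${d#\*.}"; do
      case $seen in *" $name "*) continue ;; esac
      seen="$seen$name "
      n=$((n + 1))
      printf 'DNS.%d = %s\n' "$n" "$name"
    done
  done
}

# Generate a P-384 private key (created under umask 077, so mode 0600) and a SHA-256 CSR from it.
make_ec_csr() {
  local key=$1 csr=$2 conf=$3
  (umask 077; openssl ecparam -genkey -name secp384r1 -noout -out "$key")
  openssl req -new -sha256 -key "$key" -config "$conf" -out "$csr"
}

# Print the SAN entries of a CSR, one per line; fail if the CSR's key is not an EC key.
csr_sans() {
  local text
  text=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# Only runs when domains are given on the command line.
if [ $# -gt 0 ]; then
  make_cert_conf "$@" > cert.conf
  make_ec_csr ec.key ec.csr cert.conf
  echo "CSR names:"; csr_sans ec.csr
fi
```

Run it as `sh make_ec_csr.sh '*.domain1.com' '*.domain2.com'` from the directory where the key should live; the printed name list is what certbot will request, so check it against the -d arguments before submitting.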

Create a certificate signed by Let's Encrypt from the ECDSA CSR

#--csr (two dashes) and --server were mistyped in the original. With --csr the names come from the CSR and must match the -d list. certbot writes the certificate and chain to the current directory (or to the paths given with --cert-path/--chain-path/--fullchain-path), not to /etc/letsencrypt/live, and "certbot renew" does not manage certificates issued from a supplied CSR.
./certbot-auto certonly --manual --preferred-challenges=dns --email support@YOUR_DOMAIN.COM --csr /tmp/ec.csr --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.domain1.com -d domain1.com -d *.domain2.com -d *.domainN.com

With certbot 1.10 or later the CSR step is unnecessary: "--key-type ecdsa --elliptic-curve secp384r1" makes certbot generate the EC key itself and keeps the certificate under /etc/letsencrypt/live, renewable like an RSA one.

FIXME: SKIP END

Create a certificate signed by Let's Encrypt with an RSA key (no ECDSA)

./certbot-auto certonly --manual --preferred-challenges=dns --email support@YOUR_DOMAIN.COM --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.domain1.com -d domain1.com -d *.domain2.com -d *.domainN.com

Wildcard names can only be validated with the dns-01 challenge, which is why --manual with DNS is used: certbot prints a TXT record (_acme-challenge.domain1.com) to publish for each name; wait until it has propagated before pressing Enter. A certificate obtained with --manual cannot be renewed unattended unless you add --manual-auth-hook (or use a DNS plugin for your provider).

Take note of the certificate path certbot prints at the end, normally /etc/letsencrypt/live/<first -d name>/ ; that is YOUR_DOMAIN below.

Nginx configuration

Inside the "server" block (the paths are the ones certbot printed; for the --csr variant point them at the files certbot wrote instead of /etc/letsencrypt/live):

listen 443 ssl;
#a wildcard covers one label below the apex only; list domain1.com here only if the certificate includes it
server_name domain1.com domain2.com domainN.com;
ssl_certificate     /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
#The original list contained only *-RSA-* suites, plus two names that do not exist in OpenSSL
#(ECDHE-RSA-AES256-GCM-SHA512, DHE-RSA-AES256-GCM-SHA512) and are silently dropped. With an ECDSA
#certificate no TLS 1.2 client could negotiate any of them; ECDHE-ECDSA-* suites are required.
#The RSA suites stay so the same line also works with an RSA certificate.
ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
#TLS 1.1 is deprecated (RFC 8996). TLSv1.3 only takes effect if nginx is linked against OpenSSL 1.1.1 or later.
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

Check the configuration, reload, and confirm what is actually served (key type and names):

sudo nginx -t && sudo systemctl reload nginx
openssl s_client -connect domain1.com:443 -servername domain1.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'Public Key Algorithm|DNS:'
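The ssl_ciphers line is easy to get wrong in two ways that nginx does not report: a name OpenSSL does not know is silently dropped from the list, and a list without ECDHE-ECDSA-* suites cannot authenticate an ECDSA certificate over TLS 1.2. The following is an added shell example, not part of the gist, that lints this: it reads ssl_ciphers from an nginx config file, asks the local openssl which names exist and which authentication each suite uses, and compares that with the leaf certificate in fullchain.pem. The script and function names are the example's own.

```shell
#!/bin/sh
# Added example (not the gist's code): check an nginx ssl_ciphers list against the certificate it serves.
# Usage: sh tls_lint.sh /etc/nginx/conf.d/site.conf /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
set -u

# First ssl_ciphers value in an nginx config file (without the trailing ';').
nginx_ciphers() {
  sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Names in a colon-separated cipher list that the local OpenSSL does not recognise, one per line.
# Checked one at a time because OpenSSL silently drops unknown names from a longer list.
# Modifiers (!aNULL, @STRENGTH, +..., -...) are skipped.
unknown_ciphers() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r name; do
    case $name in ''|'!'*|'@'*|'+'*|'-'*) continue ;; esac
    openssl ciphers "$name" >/dev/null 2>&1 || printf '%s\n' "$name"
  done
}

# Key algorithm of the first (leaf) certificate in a PEM file: EC or RSA.
leaf_key_type() {
  local alg
  alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case $alg in
    id-ecPublicKey) echo EC ;;
    rsaEncryption)  echo RSA ;;
    *) echo "unsupported key algorithm: $alg" >&2; return 1 ;;
  esac
}

# Does the expanded list contain at least one suite whose authentication matches the key type?
# "openssl ciphers -v" expands aliases such as HIGH or ECDHE, so those are handled too.
has_suite_for_key() {
  local auth
  case $2 in EC) auth=ECDSA ;; RSA) auth=RSA ;; *) return 1 ;; esac
  openssl ciphers -v "$1" 2>/dev/null | grep -q "Au=$auth"
}

# 0 if the list is usable with the certificate, 1 (with the reason on stderr) otherwise.
check_nginx_tls() {
  local cert=$1 ciphers=$2 keytype bad
  keytype=$(leaf_key_type "$cert") || return 1
  bad=$(unknown_ciphers "$ciphers")
  [ -z "$bad" ] || { printf 'unknown cipher names:\n%s\n' "$bad" >&2; return 1; }
  has_suite_for_key "$ciphers" "$keytype" ||
    { printf 'no suite in the list can authenticate with a %s key\n' "$keytype" >&2; return 1; }
}

# Only runs when a config file and a certificate are given on the command line.
if [ $# -eq 2 ]; then
  check_nginx_tls "$2" "$(nginx_ciphers "$1")" && echo "ssl_ciphers is consistent with $2"
fi
```

Run it with the nginx config and the fullchain.pem it references; the check uses whichever openssl is first in PATH, so after the source build above that is the 1.1.1 binary, which knows the CHACHA20 suites that the distribution's 1.0.2 does not.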