Installing a Let’s Encrypt SSL certificate on nic.ru

Hello!

RU-CENTER hosting has an “SSL certificate as a gift” promotion: you can get an SSL certificate free for one year. If during that year Yandex has switched your site's main mirror to the https protocol, or you yourself asked the search engines via a 301 redirect to index your site over https, a problem arises: either pay to renew the certificate or lose visitors. Neither is appealing, so the choice fell on a free Let’s Encrypt SSL certificate. Besides, the ACME protocol has become a standard, RFC 8555.

The decision was to take the direct route, namely to use certbot-auto. That requires Linux, preferably running from a USB drive. Knoppix was chosen for this.

Download the KNOPPIX_V8.2-2018-05-10-EN distribution from a mirror or via torrent. Burn it to a DVD and boot from the DVD. Then run flash-knoppix and you get what is practically Debian on a USB drive.

All that is left is to download certbot-auto, and then the SSL certificate can be obtained. Open a shell.

knoppix@Microknoppix:~$ wget https://dl.eff.org/certbot-auto
knoppix@Microknoppix:~$ sudo mv certbot-auto /usr/local/bin/certbot-auto
knoppix@Microknoppix:~$ sudo chown root /usr/local/bin/certbot-auto
knoppix@Microknoppix:~$ sudo chmod 0755 /usr/local/bin/certbot-auto

Run certbot-auto and… (skip the package installation)

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto certonly
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)
--- repository update output omitted ---
Reading package lists… Done
Building dependency tree       
Reading state information… Done
python is already the newest version (2.7.13-2).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ca-certificates : Depends: openssl (>= 1.1.1) but 1.1.0j-1~deb9u1 is to be installed
 python-dev : Depends: libpython-dev (= 2.7.13-2) but it is not going to be installed
              Depends: python2.7-dev (>= 2.7.13-1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

… no such luck. The packages are not quite the right ones.

Let's start with openssl.

knoppix@Microknoppix:~$ apt list -a openssl
Listing… Done
openssl/testing,unstable 1.1.1b-2 i386
openssl/stable,stable 1.1.0j-1~deb9u1 i386 [upgradable from: 1.1.0g-2]
openssl/now 1.1.0g-2 i386 [installed,upgradable to: 1.1.0j-1~deb9u1]

ca-certificates needs version 1.1.1 or higher. Install openssl/testing.

knoppix@Microknoppix:~$ sudo apt install openssl/testing
--- repository update output omitted ---
Reading package lists… Done
Building dependency tree       
Reading state information… Done
Selected version '1.1.1b-2' (Debian:testing, Debian:unstable [i386]) for 'openssl'
Selected version '1.1.1b-2' (Debian:testing, Debian:unstable [i386]) for 'libssl1.1' because of 'openssl'
Selected version '2.28-10' (Debian:testing, Debian:unstable [i386]) for 'libc6' because of 'libssl1.1'
The following additional packages will be installed:
   libc-bin libc-dev-bin libc-l10n libc6 libc6-amd64 libc6-dev libc6-dev-amd64 libc6-dev-x32 libc6-x32
   libidn2-0 libnih-dbus1 libnih1 libssl1.1 locales
Suggested packages:
   glibc-doc
The following packages will be REMOVED:
   libssl-dev
The following packages will be upgraded:
   libc-bin libc-dev-bin libc-l10n libc6 libc6-amd64 libc6-dev libc6-dev-amd64 libc6-dev-x32 libc6-x32
   libidn2-0 libnih-dbus1 libnih1 libssl1.1 locales openssl
15 upgraded, 0 newly installed, 1 to remove and 1946 not upgraded.
Need to get 27.2 MB of archives.
After this operation, 4,543 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Y, there is no other option. It downloads and installs. Check the result.

knoppix@Microknoppix:~$ /usr/bin/openssl version
OpenSSL 1.1.1b 26 Feb 2019

Let's see what else is left. Run certbot-auto.

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto certonly
--- repository update output omitted ---
Reading package lists… Done
Building dependency tree       
Reading state information… Done
python is already the newest version (2.7.13-2).
openssl is already the newest version (1.1.1b-2).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  libssl-dev : Depends: libssl1.1 (= 1.1.0j-1~deb9u1) but 1.1.1b-2 is to be installed
  python-dev : Depends: libpython-dev (= 2.7.13-2) but it is not going to be installed
               Depends: python2.7-dev (>= 2.7.13-1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

libssl-dev was removed when openssl was upgraded. Install it again.

knoppix@Microknoppix:~$ apt list -a libssl-dev
Listing… Done
libssl-dev/testing,unstable 1.1.1b-2 i386
libssl-dev/stable,stable 1.1.0j-1~deb9u1 i386

knoppix@Microknoppix:~$ sudo apt install libssl-dev/testing
Reading package lists… Done
Building dependency tree       
Reading state information… Done
Selected version '1.1.1b-2' (Debian:testing, Debian:unstable [i386]) for 'libssl-dev'
The following NEW packages will be installed:
   libssl-dev
0 upgraded, 1 newly installed, 0 to remove and 1946 not upgraded.
Need to get 1,821 kB of archives.
After this operation, 7,011 kB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian testing/main i386 libssl-dev i386 1.1.1b-2 [1,821 kB]
Fetched 1,821 kB in 1s (1,295 kB/s)   
Selecting previously unselected package libssl-dev:i386.
(Reading database … 468148 files and directories currently installed.)
Preparing to unpack …/libssl-dev_1.1.1b-2_i386.deb …
Unpacking libssl-dev:i386 (1.1.1b-2) …
Setting up libssl-dev:i386 (1.1.1b-2) …

Installed. Now sort out the python-dev dependencies.

knoppix@Microknoppix:~$ apt list -a libpython-dev
Listing… Done
libpython-dev/testing,unstable 2.7.16-1 i386
libpython-dev/stable 2.7.13-2 i386

knoppix@Microknoppix:~$ apt list -a python2.7-dev
Listing… Done
python2.7-dev/testing,unstable 2.7.16-2 i386
python2.7-dev/stable,stable 2.7.13-2+deb9u3 i386

knoppix@Microknoppix:~$ sudo apt install libpython-dev/testing python2.7-dev/testing
Reading package lists… Done
Building dependency tree       
Reading state information… Done
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'libpython-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'libpython2.7-dev' because of 'libpython-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'libpython2.7-stdlib' because of 'libpython2.7-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'libpython2.7' because of 'libpython2.7-dev'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'libpython2-dev' because of 'libpython-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'python2.7-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'python2.7' because of 'python2.7-dev'
Selected version '2.7.16-2' (Debian:testing, Debian:unstable [i386]) for 'python2.7-minimal' because of 'python2.7'
The following additional packages will be installed:
   libpython2-dev libpython2.7 libpython2.7-dev libpython2.7-minimal libpython2.7-stdlib python2.7
   python2.7-minimal
Suggested packages:
   python2.7-doc
The following NEW packages will be installed:
   libpython-dev libpython2-dev libpython2.7-dev python2.7-dev
The following packages will be upgraded:
   libpython2.7 libpython2.7-minimal libpython2.7-stdlib python2.7 python2.7-minimal
5 upgraded, 4 newly installed, 0 to remove and 1941 not upgraded.
Need to get 36.8 MB of archives.
After this operation, 49.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

Accept. It downloads and installs. Moving on.

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto certonly
 …
The following packages have unmet dependencies:
  python-dev : Depends: libpython-dev (= 2.7.13-2) but 2.7.16-1 is to be installed
E: Unable to correct problems, you have held broken packages.

python-dev depends on libpython-dev version 2.7.13-2, and we already have a newer one. Upgrade python-dev.

knoppix@Microknoppix:~$ sudo apt install python-dev/testing
Reading package lists… Done
Building dependency tree       
Reading state information… Done
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python-dev'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python' because of 'python-dev'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python-minimal' because of 'python'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python2-minimal' because of 'python-minimal'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'libpython-stdlib' because of 'python'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'libpython2-stdlib' because of 'libpython-stdlib'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python2' because of 'python'
Selected version '2.7.16-1' (Debian:testing, Debian:unstable [i386]) for 'python2-dev' because of 'python-dev'
The following additional packages will be installed:
   libpython-stdlib libpython2-stdlib python python-minimal python2 python2-dev python2-minimal
Suggested packages:
   python-doc python-tk python2-doc
The following NEW packages will be installed:
   libpython2-stdlib python-dev python2 python2-dev python2-minimal
The following packages will be upgraded:
   libpython-stdlib python python-minimal
3 upgraded, 5 newly installed, 0 to remove and 1941 not upgraded.
Need to get 171 kB of archives.
After this operation, 341 kB disk space will be freed.
Do you want to continue? [Y/n] 

Accept. It downloads and installs. Run certbot-auto.

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto
…
Reading package lists… Done
Building dependency tree
Reading state information… Done
libssl-dev is already the newest version (1.1.1b-2).
openssl is already the newest version (1.1.1b-2).
python is already the newest version (2.7.16-1).
python-dev is already the newest version (2.7.16-1).
The following additional packages will be installed:
  binutils binutils-common binutils-i686-linux-gnu binutils-multiarch cpp cpp-8 gcc-8 gcc-8-base
  lib64atomic1 lib64gcc1 lib64gomp1 lib64itm1 lib64mpx2 lib64quadmath0 lib64stdc++6 libasan5 libatomic1
  libbinutils libcc1-0 libgcc-8-dev libgcc1 libgomp1 libisl19 libitm1 libmpx2 libobjc4 libquadmath0
  libstdc++6 libubsan1 libx32atomic1 libx32gcc1 libx32gomp1 libx32itm1 libx32quadmath0 libx32stdc++6
  python3-virtualenv
Suggested packages:
  augeas-doc binutils-doc cpp-doc gcc-8-locales flex bison gcc-doc gcc-8-multilib gcc-8-doc libgcc1-dbg
  libgomp1-dbg libitm1-dbg libatomic1-dbg libasan5-dbg liblsan0-dbg libtsan0-dbg libubsan1-dbg libmpx2-dbg
  libquadmath0-dbg augeas-tools
The following NEW packages will be installed:
  augeas-lenses cpp-8 gcc-8 libasan5 libaugeas0 libffi-dev libgcc-8-dev libisl19 libubsan1 python-virtualenv
  python3-virtualenv virtualenv
The following packages will be upgraded:
  binutils binutils-common binutils-i686-linux-gnu binutils-multiarch ca-certificates cpp gcc gcc-8-base
  lib64atomic1 lib64gcc1 lib64gomp1 lib64itm1 lib64mpx2 lib64quadmath0 lib64stdc++6 libatomic1 libbinutils
  libcc1-0 libgcc1 libgomp1 libitm1 libmpx2 libobjc4 libquadmath0 libstdc++6 libx32atomic1 libx32gcc1
  libx32gomp1 libx32itm1 libx32quadmath0 libx32stdc++6
31 upgraded, 12 newly installed, 0 to remove and 1910 not upgraded.
Need to get 32.1 MB of archives.
After this operation, 77.4 MB of additional disk space will be used.
Do you want to continue? [Y/n]

So, no more broken packages, which is good. Accept and wait for everything to download and install.

done.
done.

Done, twice! Now it will definitely work!

Creating virtual environment…
Traceback (most recent call last):
   File "/usr/bin/virtualenv", line 11, in <module>
     load_entry_point('virtualenv==15.1.0', 'console_scripts', 'virtualenv')()
   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 572, in load_entry_point
     return get_distribution(dist).load_entry_point(group, name)
   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2755, in load_entry_point
     return ep.load()
   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2408, in load
     return self.resolve()
   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2414, in resolve
     module = __import__(self.module_name, fromlist=['__name__'], level=0)
   File "/usr/lib/python3/dist-packages/virtualenv.py", line 25, in <module>
     import distutils.sysconfig
ModuleNotFoundError: No module named 'distutils.sysconfig'
Traceback (most recent call last):
   File "<stdin>", line 27, in <module>
   File "<stdin>", line 19, in create_venv
   File "/usr/lib/python2.7/subprocess.py", line 190, in check_call
     raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/usr/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1

There is a problem with the distutils.sysconfig module. A search on the internet turns up a bug report. The module has to be installed manually.

knoppix@Microknoppix:~$ apt list -a python3-distutils
Listing… Done
python3-distutils/experimental 3.8.0~a3-1 all
python3-distutils/unstable 3.7.3-1 all
python3-distutils/testing 3.7.3~rc1-1 all

knoppix@Microknoppix:~$ sudo apt install python3-distutils/testing
Reading package lists… Done
Building dependency tree       
Reading state information… Done
Selected version '3.7.3~rc1-1' (Debian:testing [all]) for 'python3-distutils'
Selected version '3.7.2-1' (Debian:testing [i386]) for 'python3' because of 'python3-distutils'
Selected version '3.7.2-1' (Debian:testing [i386]) for 'python3-minimal' because of 'python3'
Selected version '3.7.3~rc1-1' (Debian:testing [i386]) for 'python3.7-minimal' because of 'python3-minimal'
Selected version '3.7.3~rc1-1' (Debian:testing [i386]) for 'libpython3.7-minimal' because of 'python3.7-minimal'
Selected version '3.7.3~rc1-1' (Debian:testing [i386]) for 'python3.7' because of 'python3'
Selected version '3.7.3~rc1-1' (Debian:testing [i386]) for 'libpython3.7-stdlib' because of 'python3.7'
Selected version '3.7.2-1' (Debian:testing [i386]) for 'libpython3-stdlib' because of 'python3'
Selected version '3.7.3~rc1-1' (Debian:testing [all]) for 'python3-lib2to3' because of 'python3-distutils'
The following packages were automatically installed and are no longer required:
   dh-python gir1.2-harfbuzz-0.0 hplip-data icu-devtools libcairo-script-interpreter2 libfontconfig1-dev
   libfreetype6-dev libglib2.0-dev-bin libgraphite2-dev libharfbuzz-gobject0 libicu-dev libopenshot-audio6
   libopenshot14 libpcre16-3 libpcre3-dev libpcre32-3 libpixman-1-dev libpng-dev libqt5designer5
   libsane-hpaio libxcb-shm0-dev libxcomposite-dev libxcursor-dev libxft-dev libxi-dev libxinerama-dev
   libxkbcommon-dev libxrandr-dev libxrender-dev libxtst-dev python-apt-common python3-apt python3-debian
   python3-httplib2 python3-ptyprocess python3-sip python3-zmq wayland-protocols x11proto-composite-dev
   x11proto-record-dev x11proto-render-dev x11proto-xinerama-dev
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
   gir1.2-atk-1.0 gir1.2-atspi-2.0 gir1.2-harfbuzz-0.0 hplip-data libapt-inst2.0 libapt-pkg5.0
   libatk-bridge2.0-0 libatk1.0-0 libatk1.0-data libatspi2.0-0 libboost-python1.62.0 libcairo-gobject2
   libcairo-script-interpreter2 libcairo2 libfreetype6 libfreetype6-dev libglib2.0-0 libglib2.0-bin
   libglib2.0-dev-bin libgpgmepp6 libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz0b libicu63 libimagequant0
   libpython3-stdlib libpython3.7-minimal libpython3.7-stdlib printer-driver-postscript-hp python3
   python3-apt python3-brlapi python3-cairo python3-cups python3-dbus python3-gi python3-gi-cairo
   python3-lib2to3 python3-minimal python3-pil python3-pyatspi python3-renderpm python3-reportlab-accel
   python3-sip python3-smbc python3-zmq python3.7 python3.7-minimal uno-libs3 ure
Suggested packages:
   hplip libgdk-pixbuf2.0-bin | libgdk-pixbuf2.0-dev python3-doc python3-tk python3-venv python3-apt-dbg
   python-apt-doc python-dbus-doc python3-dbus-dbg python-pil-doc python3-pil-dbg python3-renderpm-dbg
   python3.7-venv python3.7-doc
Recommended packages:
   apt at-spi2-core freetype2-doc python3-olefile
The following packages will be REMOVED:
   hplip libatk-bridge2.0-dev libatk1.0-dev libatspi2.0-dev libcairo2-dev libgdk-pixbuf2.0-dev libglib2.0-dev
   libgtk-3-dev libharfbuzz-dev libpango1.0-dev libreoffice libreoffice-help-de libreoffice-help-en-us
   libreoffice-java-common libreoffice-l10n-de openshot openshot-qt python3-debianbts python3-openshot
   python3-pexpect python3-pycurl python3-pyqt5 python3-pyqt5.qtsvg python3-pyqt5.qtwebkit
   python3-pysimplesoap python3-reportbug python3-uno reportbug
The following NEW packages will be installed:
   libicu63 libimagequant0 libpython3.7-minimal libpython3.7-stdlib python3-distutils python3-lib2to3
   python3.7 python3.7-minimal
The following packages will be upgraded:
   gir1.2-atk-1.0 gir1.2-atspi-2.0 gir1.2-harfbuzz-0.0 hplip-data libapt-inst2.0 libapt-pkg5.0
   libatk-bridge2.0-0 libatk1.0-0 libatk1.0-data libatspi2.0-0 libboost-python1.62.0 libcairo-gobject2
   libcairo-script-interpreter2 libcairo2 libfreetype6 libfreetype6-dev libglib2.0-0 libglib2.0-bin
   libglib2.0-dev-bin libgpgmepp6 libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz0b libpython3-stdlib
   printer-driver-postscript-hp python3 python3-apt python3-brlapi python3-cairo python3-cups python3-dbus
   python3-gi python3-gi-cairo python3-minimal python3-pil python3-pyatspi python3-renderpm
   python3-reportlab-accel python3-sip python3-smbc python3-zmq uno-libs3 ure
43 upgraded, 8 newly installed, 28 to remove and 1843 not upgraded.
Need to get 34.9 MB of archives.
After this operation, 146 MB disk space will be freed.
Do you want to continue? [Y/n] 

Yes… Smart people invented Docker for a reason! There is no choice, so accept. It downloads and installs. Run certbot-auto.

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto certonly
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)
 …
0 upgraded, 0 newly installed, 0 to remove and 1852 not upgraded.
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

It works!

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

Choose option 3.

Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' 
to cancel):

Enter your email address.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

Read the terms and accept them if you agree.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o:

If you are interested in reading the news, you can agree.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):

Enter the domain name the certificate is being issued for.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain_name
Input the webroot for domain_name: (Enter 'c' to cancel):

Well, there is no webroot on the USB drive. Cancel.

Cleaning up challenges
Every requested domain must have a webroot when using the webroot plugin.
IMPORTANT NOTES:
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Issuing the certificate

Run certbot-auto with validation in manual mode.

knoppix@Microknoppix:~$ sudo /usr/local/bin/certbot-auto certonly -a manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):

Authenticator manual is exactly what is needed. Enter the domain name.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain_name

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

The IP is not mine but the provider's, so agree.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

acme-challenge data

And make it available on your web server at this URL:

http://domain_name/.well-known/acme-challenge/challenge_filename

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Using the file manager, create a .well-known folder in the site's root folder. In that folder create an acme-challenge folder, and in it create a file with the required name and the required string inside.
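
The challenge file described above can be staged and checked locally before it is uploaded through the file manager. The script below is an added example, not part of the original post or of certbot; it relies on the RFC 8555 http-01 layout (the file name is the token, the body is `token.thumbprint`), and the function names and sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): stage the http-01 challenge file
# locally and check it before uploading the .well-known tree to the hosting.
# Function names and all sample values are hypothetical / constructed.

# True only for non-empty strings made of base64url characters, the alphabet
# RFC 8555 uses for the token and the account key thumbprint.
is_b64url() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# stage_challenge WEBROOT KEYAUTH
# KEYAUTH is the line certbot prints after "Create a file containing just this
# data": "<token>.<thumbprint>". The file name is the token part.
stage_challenge() {
    webroot=$1
    keyauth=$2
    token=${keyauth%%.*}
    thumb=${keyauth#*.}
    # Rejects a missing dot, empty parts, and anything like "../" in the name.
    if [ "$token" = "$keyauth" ] || ! is_b64url "$token" || ! is_b64url "$thumb"; then
        echo "not a key authorization: $keyauth" >&2
        return 1
    fi
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # No trailing newline: the body is exactly the key authorization.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# check_challenge FILE
# Catches a file saved under the wrong name or with extra text in it: the
# body must be "<file name>.<thumbprint>".
check_challenge() {
    name=${1##*/}
    is_b64url "$name" || return 1
    body=$(cat "$1") || return 1
    case "$body" in
        "$name".*) rest=${body#*.}; is_b64url "$rest" ;;
        *) return 1 ;;
    esac
}

# Demo on constructed values (not a real token or thumbprint).
demo_root=$(mktemp -d)
demo_file=$(stage_challenge "$demo_root" "SAMPLE-token_0001.SAMPLE-thumbprint_0001") &&
    check_challenge "$demo_file" &&
    echo "ready to upload: $demo_file"
rm -rf "$demo_root"
```

Once the tree is uploaded, fetching the URL that certbot printed should return exactly the same string; only then press Enter, since a failed validation means starting over with a new token.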

Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain_name/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain_name/privkey.pem
   Your cert will expire on 2019-mm-dd. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le 

There. The certificate has been issued. Delete the .well-known folder on the site. Look at the files.

knoppix@Microknoppix:~$ ls -l /etc/letsencrypt/live/domain_name
lrwxrwxrwx 1 root root  36 cert.pem -> ../../archive/domain_name/cert1.pem
lrwxrwxrwx 1 root root  37 chain.pem -> ../../archive/domain_name/chain1.pem
lrwxrwxrwx 1 root root  41 fullchain.pem -> ../../archive/domain_name/fullchain1.pem
lrwxrwxrwx 1 root root  39 privkey.pem -> ../../archive/domain_name/privkey1.pem
-rw-r--r-- 1 root root 692 README

Install the certificate on the site. To do that, print the text form of the certificate and the private key.

knoppix@Microknoppix:~$ sudo cat /etc/letsencrypt/live/domain_name/cert.pem
knoppix@Microknoppix:~$ sudo cat /etc/letsencrypt/live/domain_name/privkey.pem

The intermediate certificate can only be uploaded as a file. Copy chain.pem to the user's home folder.

knoppix@Microknoppix:~$ sudo cp /etc/letsencrypt/live/domain_name/chain.pem .
knoppix@Microknoppix:~$ sudo chown knoppix:knoppix chain.pem

Upload chain.pem in the control panel and click Install.

Done! The certificate is installed on the hosting.
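
Before the certificate, the private key and chain.pem go into the control panel as described above, it is worth confirming that the three files belong together. The script below is an added example, not part of the original post; the function names are assumptions, and `make_sample` only generates a constructed self-signed pair for trying the checks offline.

```shell
#!/bin/sh
# Added example (not from the original post): check cert.pem, privkey.pem and
# chain.pem against each other before they go into the hosting control panel.
# Function names are hypothetical; run as root to read the real privkey.pem.

# Public key of a certificate / of a private key, as PEM text.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT KEY: both must carry the same public key.
key_matches_cert() {
    c=$(cert_pub "$1") || return 1
    k=$(key_pub "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies_cert CHAIN CERT: the certificate's signature must verify
# against a certificate in CHAIN (catches uploading the wrong chain file).
chain_verifies_cert() {
    openssl verify -partial_chain -trusted "$1" "$2" >/dev/null 2>&1
}

# valid_for_days CERT DAYS: true if CERT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preupload_check CERT KEY CHAIN: prints "ok" and returns 0, or returns 1/2/3.
preupload_check() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    chain_verifies_cert "$3" "$1" || { echo "chain did not sign cert" >&2; return 2; }
    valid_for_days "$1" 30 || { echo "cert expires within 30 days" >&2; return 3; }
    echo ok
}

# make_sample PREFIX CN: constructed throwaway self-signed pair (PREFIX.pem,
# PREFIX.key) for trying the checks offline; a self-signed cert is its own chain.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Usage: sudo sh check.sh cert.pem privkey.pem chain.pem
if [ "$#" -eq 3 ]; then
    preupload_check "$1" "$2" "$3"
fi
```

Let's Encrypt certificates are valid for 90 days, so with the manual authenticator the whole procedure, including a new challenge file, has to be repeated before each expiry.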
