FAQ SSL

07/04/20 danny

Documentation

Protocoles de sécurisation des échanges

  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security) 


Let's Encrypt

  • Autorité de certification.
  • Fournit des certificats gratuits pour le protocole TLS

Installation

Installation des outils Let's Encrypt.

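# Two alternative installation routes (the original notes list them back to
# back as if both were to be run; only one is needed).
#
# Option A — certbot PPA. Presumably meant for Ubuntu releases older than
# 20.04, which have no certbot package in their own repositories.
# NOTE(review): check that the PPA is still maintained for the target release;
# the certbot project has since moved its recommended distribution to snap.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx --yes

# Option B — Ubuntu 20.04: certbot and the nginx plugin ship in the
# distribution repositories, so no extra repository is required.
# apt-get is used throughout (rather than a mix of apt and apt-get) because its
# command-line interface is the one intended for scripted use.
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx --yes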

Création d'un certificat

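# Obtain a certificate covering my-domain.com and www.my-domain.com and let the
# nginx plugin update the matching server block.
# Each name must be passed with its own -d (a comma-separated list after one -d
# also works); a bare "www.my-domain.com" after the first -d is not taken as a
# second domain by certbot's argument parser.
sudo certbot --nginx -d my-domain.com -d www.my-domain.com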

# Validation des étapes
Indiquer une adresse e-mail
(A)gree
(N)o
2 (Redirect)

Version modifiée par Let's Encrypt

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # http-level TLS defaults, inherited by any server block that sets no
    # ssl_protocols of its own.
    # NOTE(review): TLSv1 and TLSv1.1 are still enabled here (deprecated by
    # RFC 8996); the options-ssl-nginx.conf include in the HTTPS server below
    # presumably overrides this for that server — confirm the file's contents.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    # Catch-all on port 80 (IPv4 and IPv6): serves /var/www/html for any Host
    # header that no other server block claims.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
            try_files $uri /index.html;
        }
    }


    # HTTPS server for the site. The listen/ssl_* lines at the end of the block
    # are the ones certbot --nginx appended; certificate material lives under
    # /etc/letsencrypt/live/, which is where certbot writes renewed files.
    server {

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;
        server_name wosiris.com www.wosiris.com;

        location / {
            try_files $uri /index.html;
        }

        listen [::]:443 ssl ipv6only=on;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/wosiris.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wosiris.com/privkey.pem;
        # Shared TLS parameters maintained by certbot (protocols and ciphers are
        # expected to be set in this file — verify before relying on it).
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    }

    # Port-80 server for the two site names, generated by certbot: redirects
    # each name to HTTPS and answers 404 for a request that reached this block
    # without matching either if-branch. Indentation is as certbot emitted it.
    server {
        if ($host = www.wosiris.com) {
            return 301 https://$host$request_uri;
            }
            if ($host = wosiris.com) {
                return 301 https://$host$request_uri;
                }


                listen 80 ;
                listen [::]:80 ;
                server_name wosiris.com www.wosiris.com;
                return 404; # managed by Certbot


        }
    }


# NOTE(review): this closing brace has no matching opener in the listing as
# transcribed (http { is already closed by the brace above) — nginx -t would
# reject it; verify against the file on disk.
}

Version améliorée.

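user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Only TLS 1.2 and 1.3: TLS 1.0/1.1 are deprecated (RFC 8996) and SSLv3 was
    # dropped for POODLE. TLSv1.3 needs nginx linked against OpenSSL 1.1.1 or
    # newer (the case on Ubuntu 20.04). Set once here; the HTTPS server below
    # inherits it, so the per-server copy of the original is gone.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Same cipher filter the original HTTPS server used, moved to http level so
    # every TLS server gets it.
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    # Catch-all on port 80: any Host header not claimed below gets /var/www/html.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
            try_files $uri /index.html;
        }
    }

    # Plain-HTTP requests for either site name are redirected to HTTPS.
    # One block covers both names. The [::]:80 listener matters: without it,
    # IPv6 requests on port 80 for these names are answered by the
    # default_server above (the only server on [::]:80) instead of redirected.
    server {
        listen 80;
        listen [::]:80;
        server_name wosiris.com www.wosiris.com;
        return 301 https://$host$request_uri;
    }

    # HTTPS server for the site. A single server_name line; the original
    # listed www.wosiris.com twice.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name wosiris.com www.wosiris.com;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        # Relative paths resolve against the nginx prefix (/etc/nginx here, per
        # the include paths above). NOTE(review): certbot renews into
        # /etc/letsencrypt/live/wosiris.com/ (see the Let's Encrypt listing), so
        # these copies must be refreshed on every renewal (deploy hook or
        # symlink), or the directives pointed at the live/ paths directly —
        # confirm which is intended.
        ssl_certificate ssl/wosiris.com/fullchain.pem;
        ssl_certificate_key ssl/wosiris.com/privkey.pem;

        # Once HTTPS is confirmed to work for both names, HSTS can be enabled so
        # browsers stop attempting plain HTTP:
        # add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            try_files $uri /index.html;
        }
    }

}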


Vérification de certificats

On peut vérifier un certificat SSL avec le test en ligne de SSL Labs :

https://www.ssllabs.com/ssltest