Trying to automate certs from bash script


#1

My domain is: www.sysonline.fr

My web server is (include version): apache

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: scaleway

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I ran these commands to issue certificates from a script:

apt-get install python-certbot-apache -t stretch-backports
service apache2 stop
certbot certonly --standalone --preferred-challenges http -d example.com
service apache2 start

then I configured the virtualhost this way

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.sysonline.fr
    ServerAlias sysonline.fr
    ServerAdmin webmaster@sysonline.fr
    DocumentRoot "/home/usr/sysonline/web"
    ErrorLog /home/usr/sysonline/error.log
    CustomLog /home/usr/sysonline/access.log combined
    <Directory /home/usr/sysonline/web>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/sysonline.fr-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sysonline.fr-0001/privkey.pem
</VirtualHost>
</IfModule>

/etc/letsencrypt/live/www.sysonline.fr-0001/fullchain.pem

Here are the problems.
When issuing certificates this way, SSL Labs tells me that I have a grade B certificate.
When issuing with certbot's automated install, there is an auto-redirect from domain.com to www.domain.com,
and an auto-redirect from HTTP to HTTPS,
and I have a grade A certificate.

So what is the difference?
Right now the domain is unavailable because I am reinstalling the server and will retry installing manually, but properly.

PS: the end tags (</Directory> etc.) didn't paste above.


#2

Hi,

The grade B from ssllabs.com does not mean there is a problem with the cert; it means the server is not configured in its best condition.

If you are done reinstalling the server, I can help you see what else is left to improve.

Thank you


#3

Yes, thank you very much, done.
So I am now about to install certbot and try to issue a cert my way.
What should I change in the process?


#4

Hi,

I personally don’t think you need to change anything in this process.

The SSL Labs letter grade mainly focuses on the server and domain setup, not the quality of your certificate.

Thank you


#5

OK,
I'm actually installing a second server; I'll install another domain on it following the certbot auto install.
And on the other server I'll install it my way and will try to check the differences.

I noticed that with the certbot auto install they issue only one certificate for domain.com and www.domain.com.
My way I have to deal with two certs.
I'll let you know as soon as I finish installing both certs and we'll check it out.


#6

If you want to include both example.com (root domain) and www.example.com (www version) in one certificate, just run the program with both domains as arguments.

E.g. certbot -d example.com -d www.example.com will give you one certificate including both domains.

However, I don't think this would impact the letter rating on ssllabs.com.

Thank you


#7

OK, here is the certbot auto install:
https://www.ssllabs.com/ssltest/analyze.html?d=www.ocmail.fr&hideResults=on

and here the manual install:
https://www.ssllabs.com/ssltest/analyze.html?d=www.sysonline.fr&hideResults=on


#8

I did it!

OK, I just installed with certbot, normal installation.

Then on the manual installation server, I did a manual install + I copy-pasted the Apache configuration file in the Let's Encrypt folder that certbot left, and now I am grade A, that's cool ^^
So now I can use that file to issue certs from a bash script!


#9

The Apache TLS settings “certbot --apache” sets up are derived from Mozilla’s “intermediate compatibility” configuration, for what it’s worth.

https://wiki.mozilla.org/Security/Server_Side_TLS
https://mozilla.github.io/server-side-tls/ssl-config-generator/


#10

Thanks.
One question remains.
Where are the rules stored that say to redirect HTTP to HTTPS, so that I can do the same from a manual install without needing an htaccess file?


#11

Found it, those were actually htaccess rules in the non-SSL virtualhost.
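Putting the thread's pieces together as an added example: the standalone issuance from post #1, the single two-name certificate from post #6, and the HTTP-to-HTTPS / apex-to-www redirects that posts #10 and #11 found in the non-SSL virtualhost. This is not the original poster's script and not code from certbot or Let's Encrypt. It assumes Debian 9 with apache2 and certbot from stretch-backports, a root shell, and uses example.com and /var/www/example as placeholders. The --cert-name, --pre-hook and --post-hook options are real certbot flags but are not mentioned in the thread; the hooks stop and start Apache around each standalone issuance and renewal, so the manual `service apache2 stop`/`start` steps are no longer needed.

```shell
#!/bin/sh
# Added example (not the original poster's script, not certbot's own code):
# issue ONE certificate for the apex and www names, then generate Apache
# vhosts that reproduce what "certbot --apache" left behind in the thread:
#   * a :80 vhost that only redirects to https://www.<apex>/
#   * a :443 vhost that includes options-ssl-apache.conf (Mozilla intermediate)
#     and redirects https://<apex>/ to https://www.<apex>/
# Assumptions: Debian 9, apache2 + certbot from stretch-backports, root shell.
set -eu

APEX=${APEX:-example.com}            # placeholder: replace with your apex domain
WEBROOT=${WEBROOT:-/var/www/example} # placeholder: document root

# Plain-HTTP vhost. It serves nothing: every request, for the apex or the www
# name, gets a 301 to the canonical https://www URL (mod_alias, no .htaccess).
render_http_vhost() {
    apex=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName www.${apex}
    ServerAlias ${apex}
    Redirect permanent / https://www.${apex}/
</VirtualHost>
EOF
}

# TLS vhost. Certificate paths use the lineage name pinned with --cert-name
# below, so there is a single /etc/letsencrypt/live/<apex>/ tree instead of
# the sysonline.fr-0001 / www.sysonline.fr-0001 pair seen in the thread.
render_https_vhost() {
    apex=$1
    webroot=$2
    esc=$(printf '%s' "$apex" | sed 's/\./\\./g')   # escape dots for the regex
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.${apex}
    ServerAlias ${apex}
    DocumentRoot "${webroot}"
    <Directory "${webroot}">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Canonical-host redirect: https://${apex}/... -> https://www.${apex}/...
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\\.${esc}\$ [NC]
    RewriteRule ^ https://www.${apex}%{REQUEST_URI} [R=301,L]

    # Same protocol/cipher settings that certbot --apache installs
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/${apex}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${apex}/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Issue the certificate and install the vhosts. Guarded by LE_RUN=1 so the
# file can be sourced to inspect the rendered config without touching the host.
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # --standalone needs port 80: the hooks stop/start Apache around this
    # issuance and are saved in the renewal config, so renewals work unattended.
    certbot certonly --standalone --preferred-challenges http \
        --cert-name "$APEX" -d "$APEX" -d "www.$APEX" \
        --pre-hook "service apache2 stop" --post-hook "service apache2 start" \
        --non-interactive --agree-tos -m "webmaster@$APEX"
    site=/etc/apache2/sites-available/${APEX}.conf
    { render_http_vhost "$APEX"; render_https_vhost "$APEX" "$WEBROOT"; } > "$site"
    a2enmod ssl rewrite
    a2ensite "${APEX}.conf"
    apache2ctl configtest   # refuse to reload Apache on a broken config
    service apache2 reload
}

if [ "${LE_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `LE_RUN=1 APEX=example.com WEBROOT=/var/www/example sh le-issue.sh` (hypothetical file name). Without LE_RUN the script only defines the functions, so `render_https_vhost example.com /var/www/example` can be used to review the generated vhost before anything is written under /etc/apache2.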

