Trying to automate certs from bash script

My domain is: www.sysonline.fr

My web server is (include version): apache

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: scaleway

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I ran these commands to issue certificates from a script:

apt-get install python-certbot-apache -t stretch-backports
service apache2 stop
certbot certonly --standalone --preferred-challenges http -d example.com
service apache2 start

Then I configured the virtual host this way:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.sysonline.fr
    ServerAlias sysonline.fr
    ServerAdmin webmaster@sysonline.fr
    DocumentRoot "/home/usr/sysonline/web"
    ErrorLog /home/usr/sysonline/error.log
    CustomLog /home/usr/sysonline/access.log combined
    <Directory /home/usr/sysonline/web>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/sysonline.fr-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sysonline.fr-0001/privkey.pem
</VirtualHost>
</IfModule>

/etc/letsencrypt/live/www.sysonline.fr-0001/fullchain.pem

Here are the problems.
When issuing certificates this way, SSL Labs tells me that I have a grade B certificate.
When issuing with the certbot automated install, there is an auto-redirect from domain.com to www.domain.com,
and an auto-redirect from http to https,
and I have a grade A certificate.

So what is the difference?
Right now the domain is unavailable because I am reinstalling the server and will retry to install manually but properly.

PS: the end tags (</Directory> etc.) didn't paste above.

Hi,

The grade B from ssllabs.com does not mean there is a problem with the cert; it means the server is not configured in its best condition.

If you are done reinstalling the server, I can help you see what else is left to improve.

Thank you


Yes, thank you very much, done.
So I am now about to install certbot and try to issue a cert my way.
What should I change in the process?

Hi,

I personally don't think you need to change anything in this process.

The ssllabs letter grade mainly focuses on the server and domain setup, not the quality of your certificate.

Thank you

OK,
I'm actually installing a second server; I'll install another domain on it following the certbot auto install.
And on the other server I'll install it my way and will try to check the differences.

I noticed that with the certbot auto install it issues only one certificate for domain.com and www.domain.com.
My way I have to deal with two certs.
I'll let you know as soon as I finish installing both certs and we'll check it out.

If you want to include both example.com (root domain) and www.example.com (www version) in one certificate, just run the program with both domains as arguments.

E.g. certbot -d example.com -d www.example.com will give you one certificate that includes both domains.

However, I don't think this would impact the letter rating on ssllabs.com.

Thank you


OK, here is the certbot auto install:
https://www.ssllabs.com/ssltest/analyze.html?d=www.ocmail.fr&hideResults=on

and here the manual install:
https://www.ssllabs.com/ssltest/analyze.html?d=www.sysonline.fr&hideResults=on

I did it!

OK, I just installed with certbot, normal installation.

Then on the manual installation server, I did a manual install + I copy-pasted the Apache configuration file that certbot left in the Let's Encrypt folder, and now I am grade A. That's cool ^^
So now I can use that file to issue certs from a bash script!

The Apache TLS settings “certbot --apache” sets up are derived from Mozilla’s “intermediate compatibility” configuration, for what it’s worth.

https://wiki.mozilla.org/Security/Server_Side_TLS
https://mozilla.github.io/server-side-tls/ssl-config-generator/


Thanks.
One question remains.
Where are the rules stored that say to redirect http to https, so that I can do the same from a manual install without needing an .htaccess file?

Found it, those were actually .htaccess-style rules in the no-ssl virtual host.

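The two things the poster ended up copying by hand, the TLS settings file certbot leaves under /etc/letsencrypt and the redirect rules certbot places in the port-80 virtual host, can be generated by the same script that issues the certificate. The following is an added example (not the poster's configuration and not something certbot generates verbatim): it prints a port-80 vhost whose only job is to redirect to HTTPS on the www name, and a port-443 vhost that includes options-ssl-apache.conf for its protocol and cipher settings and also sends https://apex/ to https://www.apex/. The apex name sysonline.fr, the document root, Debian's APACHE_LOG_DIR and a lineage issued with --cert-name sysonline.fr (so no -0001 suffix) are assumptions; mod_ssl and mod_rewrite have to be enabled.

```shell
#!/bin/sh
# Added example, not the poster's own configuration and not certbot's output.
# Emits the pair of Apache virtual hosts a manual install needs to behave like
# "certbot --apache": a port-80 vhost that only redirects to HTTPS (the rules
# the poster found in the no-ssl vhost) and a port-443 vhost that includes
# certbot's options-ssl-apache.conf for its TLS settings.
# Assumptions: apex domain "sysonline.fr", a certificate issued with
# "--cert-name sysonline.fr" (lineage path without -0001), Debian's
# APACHE_LOG_DIR, and mod_ssl + mod_rewrite enabled (a2enmod ssl rewrite).
set -eu

# write_vhosts APEX DOCROOT  -> prints the configuration to stdout.
write_vhosts() {
    apex=$1
    docroot=$2
    live=/etc/letsencrypt/live/$apex
    # Dots in the apex name are regex metacharacters in RewriteCond; escape them.
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
    cat <<EOF
# Port 80: redirect everything to HTTPS on the canonical www host.
<VirtualHost *:80>
    ServerName www.$apex
    ServerAlias $apex
    Redirect permanent / https://www.$apex/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.$apex
    ServerAlias $apex
    ServerAdmin webmaster@$apex
    DocumentRoot "$docroot"
    ErrorLog \${APACHE_LOG_DIR}/$apex-error.log
    CustomLog \${APACHE_LOG_DIR}/$apex-access.log combined

    # https://$apex/... -> https://www.$apex/... (the apex-to-www redirect on the TLS side)
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^$apex_re\$ [NC]
    RewriteRule ^ https://www.$apex%{REQUEST_URI} [R=permanent,L]

    <Directory "$docroot">
        # -Indexes: do not publish directory listings for paths without an index file.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Protocol and cipher settings exactly as certbot --apache would install them.
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Write the site file, enable it, and only reload after the syntax check passes.
# Guarded by WRITE_NOW=1 so the generator can be exercised without touching
# a live Apache.
if [ "${WRITE_NOW:-0}" = 1 ]; then
    write_vhosts sysonline.fr /home/usr/sysonline/web \
        > /etc/apache2/sites-available/sysonline.fr.conf
    a2ensite sysonline.fr.conf
    apache2ctl configtest && service apache2 reload
fi
```

The configtest-before-reload step is the one to keep even if nothing else is: a typo in the SSLCertificateFile path makes Apache refuse to start, and a reload that fails silently is how a "reinstalling the server" afternoon begins.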
