[Discussion] Free signed SSL certificate with Let's Encrypt

So where are your SSL parameters, then?

    Aerya, the parameters are in /etc/nginx/ssl/params.conf as indicated in the tutorial, and in the vhost /etc/nginx/sites-enabled/rutorrent.conf I deleted the two lines:
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    and replaced them with the Let's Encrypt ones, which isn't very clear in the tutorial. Everything works, with the https showing green.

      Ah, I see, I hadn't grasped that there was this kind of difference between the script and the manual tutorial. Might it be worth adding a note? Because I can't be the only one in this situation.

        ben47955
        That's true, a small note: "only if you use the modified script, the 2 lines..."
        No, you're not the only one, I've seen it before.

        5 days later

        Hello,
        I'm getting an error when renewing the certificate.
        When running the command ./certbot-auto renew, I get the following error:

         File "/tmp/tmp.HoZg3F9gOk/pipstrap.py", line 165, in <module>
            exit(main())
          File "/tmp/tmp.HoZg3F9gOk/pipstrap.py", line 152, in main
            shell=True)
          File "/usr/local/lib/python2.7/subprocess.py", line 219, in check_output
            raise CalledProcessError(retcode, cmd, output=output)
        subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-1XIQ67/pip-9.0.1.tar.gz /tmp/pipstrap-1XIQ67/setuptools-20.2.2.tar.gz /tmp/pipstrap-1XIQ67/wheel-0.29.0.tar.gz' returned non-zero exit status 1

        I've searched the forums, but nothing works. Any ideas?
        Thanks

        Is Certbot up to date?

        Well then, that leaves only pip (?)

        sudo pip install --upgrade pip

        Response: Requirement already up-to-date: pip in /usr/local/lib/python2.7/dist-packages/pip-9.0.1-py2.7.egg

        Python version: 2.7.9
        pip version: 9.0.1

        a month later

        Hello,

        After installing a seedbox at Kimsufi, exrat version, on Debian 9 with PHP 7.
        As soon as I set up the SSL certificates with Let's Encrypt, Seedbox manager stops working.
        What do I need to change in the config?

        Thanks
        Balbao.

          balbao
          Hi
          you just need to change these 2 lines

              ssl_certificate /etc/letsencrypt/live/www.votresite.fr/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/www.votresite.fr/privkey.pem;

            xavier

            That's already done. And everything works except seedbox manager.

            server {
                listen 80;
                server_name monsite.com;

                location / {
                    rewrite ^ https://$server_name$request_uri? permanent;
                }

                location = /favicon.ico {
                    access_log off;
                    log_not_found off;
                }

                location = /50x.html {
                    root /usr/share/nginx/html;
                }

                location ~ \.php$ {
                    fastcgi_index index.php;
                    include /etc/nginx/fastcgi_params;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                }

                location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
                    expires 30d;
                    access_log off;
                }
            }

            server {
                listen 443 ssl;
                server_name monsite.com;
                index index.html index.php;
                charset utf-8;

                ssl on;
                ssl_certificate /etc/letsencrypt/live/monsite.com/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/monsite.com/privkey.pem;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers "EECDH+AESGCM:AES128+EECDH:AES256+EECDH";

                ssl_prefer_server_ciphers on;
                ssl_ecdh_curve secp384r1;

                ssl_session_cache shared:SSL:10m;
                ssl_session_timeout 10m;

                ssl_stapling on;
                ssl_stapling_verify on;

                resolver 8.8.4.4 8.8.8.8 valid=300s;
                resolver_timeout 10s;

                add_header X-Frame-Options "SAMEORIGIN";
                add_header X-Content-Type-Options "nosniff";

                access_log /var/log/nginx/rutorrent-access.log combined;
                error_log /var/log/nginx/rutorrent-error.log error;

                error_page 500 502 503 504 /50x.html;
                location = /50x.html { root /usr/share/nginx/html; }

                auth_basic "seedbox";
                auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd";

                location = /favicon.ico {
                    access_log off;
                    log_not_found off;
                }

                ## start of server home page config ##

                location ^~ / {
                    root /var/www/base;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;
                    satisfy any;
                    allow all;
                }

                ## end of server home page config ##

                ## start of proxy config ##

                location ^~ /proxy {
                    root /var/www;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;
                }

                ## end of proxy config ##

                ## start of rutorrent config ##

                location ^~ /rutorrent {
                    root /var/www;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;

                    location ~ /\.svn {
                        deny all;
                    }

                    location ~ /\.ht {
                        deny all;
                    }
                }

                location ^~ /rutorrent/conf/ {
                    deny all;
                }

                location ^~ /rutorrent/share/ {
                    deny all;
                }

                ## end of rutorrent config ##

                ## start of munin config ##

                location ^~ /graph {
                    root /var/www;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;
                }

                location ^~ /graph/img {
                    root /var/www;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;
                    error_log /dev/null crit;
                }

                location ^~ /monitoring {
                    root /var/www;
                    include /etc/nginx/conf.d/php.conf;
                    include /etc/nginx/conf.d/cache.conf;
                }

                ## end of munin config ##

                ## start of seedbox-manager config ##

                location ^~ /seedbox-manager {
                    alias /var/www/seedbox-manager/public;
                    include /etc/nginx/conf.d/php-manager.conf;
                    include /etc/nginx/conf.d/cache.conf;
                }

                ## end of seedbox-manager config ##

                ## user config ##

                location /BALBAO {
                    include scgi_params;
                    scgi_pass 127.0.0.1:5001; # or socket: unix:/home/username/.session/username.socket
                    auth_basic "seedbox";
                    auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_balbao";
                }

                location /USER1 {
                    include scgi_params;
                    scgi_pass 127.0.0.1:5003; # or socket: unix:/home/username/.session/username.socket
                    auth_basic "seedbox";
                    auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user1";
                }

                location /USER2 {
                    include scgi_params;
                    scgi_pass 127.0.0.1:5004; # or socket: unix:/home/username/.session/username.socket
                    auth_basic "seedbox";
                    auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user2";
                }

                location /USER3 {
                    include scgi_params;
                    scgi_pass 127.0.0.1:5005; # or socket: unix:/home/username/.session/username.socket
                    auth_basic "seedbox";
                    auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user3";
                }
            }

              balbao
              Hi
              if you used the latest version of the manager, your config shouldn't look like that at all.
              first of all you're missing
              root /var/www;
              I'll try to put one together for you.

              balbao
              if you want, test this version of the config.

              server {
                  listen 80 default_server;
                  listen 443 default_server ssl http2;
                  server_name _;

                  index index.html index.php;
                  charset utf-8;
                  client_max_body_size 10M;

                  ssl_certificate /etc/letsencrypt/live/monsite.com/fullchain.pem;
                  ssl_certificate_key /etc/letsencrypt/live/monsite.com/privkey.pem;

                  include /etc/nginx/conf.d/ciphers.conf;

                  access_log /var/log/nginx/rutorrent-access.log combined;
                  error_log /var/log/nginx/rutorrent-error.log error;

                  error_page 500 502 503 504 /50x.html;

                  auth_basic "seedbox";
                  auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd";

                  root /var/www;

                  location = /favicon.ico {
                      access_log off;
                      log_not_found off;
                  }

                  location = /50x.html {
                      root /usr/share/nginx/html;
                  }

                  ## Config rutorrent: private directories ##
                  # Regex locations are tried in file order and the first match wins,
                  # so this deny rule must come before the generic \.php$ handler,
                  # otherwise /rutorrent/conf/*.php would be handed to PHP-FPM.
                  location ~ ^/rutorrent/(conf|share)/(.+)$ {
                      deny all;
                  }

                  location ~ \.php$ {
                      fastcgi_index index.php;
                      include /etc/nginx/fastcgi_params;
                      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                      fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                  }

                  location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
                      expires 30d;
                      access_log off;
                  }

                  # Never reached as ordered: the regex above already matches these extensions.
                  location ~* \.(eot|ttf|woff|svg)$ {
                      add_header Access-Control-Allow-Origin *;
                  }

                  ## Config server home page ##

                  location ^~ / {
                      root /var/www/base;
                      include /etc/nginx/conf.d/php.conf;
                      include /etc/nginx/conf.d/cache.conf;
                      satisfy any;
                      allow all;
                  }

                  ## Config rutorrent ##

                  location /rutorrent {
                      try_files $uri $uri/ /index.html;
                  }

                  ## Config seedbox-manager ##

                  location /seedbox-manager {
                      try_files /seedbox-manager/$uri /seedbox-manager/index.php$is_args$args;
                  }

                  ## Config users ##

                  location /BALBAO {
                      include scgi_params;
                      scgi_pass 127.0.0.1:5001; # or socket: unix:/home/username/.session/username.socket
                      auth_basic "seedbox";
                      auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_balbao";
                  }

                  location /USER1 {
                      include scgi_params;
                      scgi_pass 127.0.0.1:5003; # or socket: unix:/home/username/.session/username.socket
                      auth_basic "seedbox";
                      auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user1";
                  }

                  location /USER2 {
                      include scgi_params;
                      scgi_pass 127.0.0.1:5004; # or socket: unix:/home/username/.session/username.socket
                      auth_basic "seedbox";
                      auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user2";
                  }

                  location /USER3 {
                      include scgi_params;
                      scgi_pass 127.0.0.1:5005; # or socket: unix:/home/username/.session/username.socket
                      auth_basic "seedbox";
                      auth_basic_user_file "/etc/nginx/passwd/rutorrent_passwd_user3";
                  }
              }
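The vhost above mixes `^~` prefixes, plain prefixes and regex locations, and which block handles a given URI decides whether the `deny all` rule for /rutorrent/(conf|share)/ actually protects PHP files there: nginx tries regex locations in file order and stops at the first match, so the deny regex only wins if it precedes the generic `\.php$` handler. The following is an added example, not code from the thread or from nginx; it models nginx's documented selection rules (exact `=` match, then longest prefix, `^~` on that prefix suppressing regexes, then regexes in order) and runs the location set transcribed from the vhost in both orderings. The block labels are chosen here; nested locations and named `@` locations are not modelled.

```python
"""Model of nginx location selection, run over the vhost's location set.

Added example; it is not code from the thread or from nginx. It implements
the documented selection rules: `=` exact match first, then the longest
matching prefix (`^~` on that prefix stops the search), then `~` / `~*`
regexes in file order, first match wins, otherwise the longest prefix.
The location list below is transcribed from the thread's vhost; the block
names are labels chosen here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str  # "", "=", "^~", "~" or "~*"
    pattern: str   # prefix, exact path or regular expression
    name: str      # label for the block, used in the results


def resolve(locations: List[Location], uri: str) -> Optional[str]:
    """Return the name of the location nginx would select for `uri`."""
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.name  # exact match ends the search immediately
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix.name  # ^~ on the longest prefix: regexes are not consulted
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.name  # first matching regex in file order wins
    return best_prefix.name if best_prefix is not None else None


# Location set in the order it appears in the posted vhost (labels are ours).
POSTED = [
    Location("=", "/favicon.ico", "favicon"),
    Location("=", "/50x.html", "50x"),
    Location("~", r"\.php$", "php-fpm"),
    Location("~*", r"\.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$", "static"),
    Location("^~", "/", "home"),
    Location("", "/rutorrent", "rutorrent"),
    Location("~", r"^/rutorrent/(conf|share)/(.+)$", "deny-rutorrent-private"),
    Location("", "/seedbox-manager", "seedbox-manager"),
    Location("", "/BALBAO", "scgi-balbao"),
]

# Same set with the deny regex placed ahead of every other regex.
HARDENED = ([loc for loc in POSTED if loc.name == "deny-rutorrent-private"]
            + [loc for loc in POSTED if loc.name != "deny-rutorrent-private"])


def compare(uri: str) -> tuple:
    """Selected block for `uri` under the posted and the hardened ordering."""
    return resolve(POSTED, uri), resolve(HARDENED, uri)


if __name__ == "__main__":
    for uri in ("/rutorrent/conf/config.php", "/rutorrent/share/settings/x.dat",
                "/index.php", "/rutorrent/js/x.js", "/BALBAO"):
        posted, hardened = compare(uri)
        print(f"{uri:36} posted={posted:24} hardened={hardened}")
```

Running it shows that `/rutorrent/conf/config.php` reaches PHP-FPM when the `\.php$` regex is listed first and is denied once the deny regex precedes it, while `/index.php` never reaches the regexes at all because the `^~ /` prefix swallows everything at the root.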

              At the end of the script installation I get this error message when restarting nginx:

              service nginx restart

              Error >
              Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details

              I ran: service nginx status -l

               nginx.service - A high performance web server and a reverse proxy server
                 Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
                 Active: failed (Result: exit-code) since Tue 2017-10-10 17:07:50 CEST; 18min ago
                   Docs: man:nginx(8)
                Process: 1450 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
               Main PID: 4695 (code=exited, status=0/SUCCESS)
              
              Oct 10 17:07:50 113500HD010180 nginx[1450]: nginx: [emerg] invalid number of arguments in "ssl_certificate" directive in /etc/nginx/sites-enabled/seedbox.conf:4
              Oct 10 17:07:50 113500HD010180 nginx[1450]: nginx: configuration file /etc/nginx/nginx.conf test failed
              Oct 10 17:07:50 113500HD010180 systemd[1]: nginx.service: control process exited, code=exited status=1
              Oct 10 17:07:50 113500HD010180 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
              Oct 10 17:07:50 113500HD010180 systemd[1]: Unit nginx.service entered failed state.
              Oct 10 17:26:10 113500HD010180 systemd[1]: Stopped A high performance web server and a reverse proxy server.
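The `[emerg] invalid number of arguments in "ssl_certificate" directive` message above is nginx's argument-count check failing on one line of the vhost, and the earlier exchange about swapping the two `ssl_certificate` / `ssl_certificate_key` lines for the Let's Encrypt paths is where such a line usually gets edited. The following is an added example, not code from the thread and not nginx's own parser: a small pre-check that applies the same argument-count rule to the ssl_* directives, reports the line number so a finding can be matched against a message like `seedbox.conf:4`, and adds the checks a defender wants before `service nginx restart` (certificate and key both set, no empty domain component in a /etc/letsencrypt/live/ path, no legacy protocols). The vhost texts are constructed here; the thread does not show what line 4 of seedbox.conf contained, and `nginx -t` remains the authoritative test.

```python
"""Pre-check the TLS directives of an nginx vhost file.

Added example; it is neither code from the thread nor nginx's own parser.
Assumes one directive per line, which is how the vhosts in the thread are
written. `nginx -t` stays the authoritative check.
"""
from typing import List, Set, Tuple

# Directives handled here and the exact number of arguments nginx accepts.
ARG_COUNTS = {
    "ssl_certificate": 1,
    "ssl_certificate_key": 1,
    "ssl_stapling": 1,
    "ssl_stapling_verify": 1,
    "ssl_prefer_server_ciphers": 1,
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

Finding = Tuple[int, str]  # (line number, message); line 0 = whole file


def lint_ssl_directives(conf: str) -> List[Finding]:
    """Return findings for the vhost text `conf`, in line order."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or line.endswith(("{", "}")):
            continue  # blank line, block opener or block closer
        if not line.endswith(";"):
            findings.append((lineno, "directive is missing its terminating ';'"))
            continue
        tokens = line[:-1].split()
        name, args = tokens[0], tokens[1:]
        if name in ARG_COUNTS:
            seen.add(name)
            if len(args) != ARG_COUNTS[name]:
                findings.append((lineno, f'invalid number of arguments in "{name}" directive'))
        if name in ("ssl_certificate", "ssl_certificate_key") and args and "//" in args[0]:
            findings.append((lineno, "empty path component in certificate path (unset domain?)"))
        if name == "ssl_protocols":
            legacy = sorted(set(args) & LEGACY_PROTOCOLS)
            if legacy:
                findings.append((lineno, "legacy protocols enabled: " + ", ".join(legacy)))
    if "ssl_certificate" in seen and "ssl_certificate_key" not in seen:
        findings.append((0, "ssl_certificate is set but ssl_certificate_key is missing"))
    return findings


# Constructed vhost text: line 4 carries an empty ssl_certificate value so the
# check reproduces nginx's message for that line; line 6 keeps the TLSv1 and
# TLSv1.1 protocols seen in the thread's first vhost.
BROKEN_VHOST = """server {
    listen 443 ssl;
    server_name monsite.com;
    ssl_certificate ;
    ssl_certificate_key /etc/letsencrypt/live/monsite.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header X-Frame-Options "SAMEORIGIN";
}
"""

# Constructed vhost text that passes every check.
CLEAN_VHOST = """server {
    listen 443 ssl;
    server_name monsite.com;
    ssl_certificate /etc/letsencrypt/live/monsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monsite.com/privkey.pem;
    ssl_protocols TLSv1.2;
}
"""

if __name__ == "__main__":
    for lineno, msg in lint_ssl_directives(BROKEN_VHOST):
        print(f"seedbox.conf:{lineno}: {msg}")
```

On the constructed broken vhost the output names line 4 with the same wording as the journal entry above and flags the legacy protocols on line 6; on the clean vhost it reports nothing, which is the state to reach before restarting the service.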
              

              @xavier

              Thanks for this config. It works very well.

                balbao
                Then it's up to you to put in your domain name and set up an automatic redirect to https.

                Yes, that's what I did. I didn't use the config exactly like that. But everything works now.