Различия

Показаны различия между двумя версиями страницы.

--- linux:apache:mod_md [2023/07/30 18:19] – создано dx
+++ linux:apache:mod_md [2023/07/30 18:25] (текущий) – dx
@@ Строка 1: / Строка 1: @@
+====== mod_md: сертификаты Let's Encrypt  ======
+----
+{{:linux:apache:apache_mod_md.jpg?nolink|}}
+Получаем сертификат Let's Encrypt за 5 минут с помощью модуля **mod_md**.
+Исходные данные
+  * Debian 12
+  * Apache 2.4.57-2
+  * Домен pupupu.site
+Документация
+  * https://icing.github.io/mod_md/ / https://github.com/icing/mod_md
+  * https://httpd.apache.org/docs/2.4/mod/mod_md.html
+===== Настройка mod_md =====
+Включаем модули
+<code bash>a2enmod mod_md mod_ssl</code>
+Минимальный конфиг
+  * MDCertificateAgreement accepted - принять условия LE
+  * MDContactEmail - контактный email, иначе будет использоваться из ServerAdmin
+  * MDomain foobar.com www.foobar.com - для каких доменов выпустить сертификат
+Пример виртуального хоста Apache
+<code bash>
+# mod_md
+MDCertificateAgreement accepted
+MDContactEmail [email protected]
+MDomain pupupu.site www.pupupu.site
+MDomain mail.pupupu.site admin.pupupu.site
+MDStapling on
+# md-status
+<Location "/md-status">
+  SetHandler md-status
+  Require ip 127.0.0.1 172.16.10.0/24
+</Location>
+# server-status
+<Location "/server-status">
+  SetHandler server-status
+  Require ip 127.0.0.1 172.16.10.0/24
+</Location>
+# https://github.com/icing/mod_md#certificate-status
+#<Location "/certificate-status">
+#  SetHandler certificate-status
+#  Require ip 127.0.0.1 172.16.10.0/24
+#</Location>
+# http 301 redirect
+<VirtualHost *:80>
+  ServerName pupupu.site
+  ServerAlias www.pupupu.site
+  Redirect 301 / https://pupupu.site/
+</VirtualHost>
+# https
+<VirtualHost *:443>
+    Protocols h2 http/1.1 acme-tls/1
+    DocumentRoot /srv/www/pupupu_main
+    ServerAdmin [email protected]
+    ServerName pupupu.site
+    ServerAlias www.pupupu.site
+    CustomLog "/var/log/apache2/pupupu.site_access.log" combined
+    ErrorLog  "/var/log/apache2/pupupu.site_error_log"
+    # php-fpm handler
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+      SetHandler "proxy:unix:/run/php/php8.1-foobar.sock|fcgi://localhost"
+    </FilesMatch>
+    SSLEngine on
+    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+    # OCSP managed by mod_md, so turning off
+    #SSLUseStapling On
+    #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+</VirtualHost>
+<Directory /srv/www/pupupu_main>
+    # rewrite www2non-www
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^www.pupupu.site [NC]
+    RewriteRule ^(.*)$ https://pupupu.site/$1 [L,R=301]
+    Options -Indexes +FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+# mail vhost
+<VirtualHost *:443>
+    Protocols h2 http/1.1 acme-tls/1
+    SSLEngine on
+    DocumentRoot /srv/www/pupupu_mail
+    ServerAdmin [email protected]
+    ServerName mail.pupupu.site
+<Directory /srv/www/pupupu_mail>
+    Options -Indexes +FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+</VirtualHost>
+# admin vhost
+<VirtualHost *:443>
+    Protocols h2 http/1.1 acme-tls/1
+    SSLEngine on
+    DocumentRoot /srv/www/pupupu_admin
+    ServerAdmin [email protected]
+    ServerName admin.pupupu.site
+<Directory /srv/www/pupupu_admin>
+    Options -Indexes +FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+</VirtualHost>
+</code>
+Перезапускаем Apache
+<code bash>systemctl restart apache2</code>
+===== Проверка md-status =====
+По адресу https://pupupu.site/md-status можно посмотреть информацию о SSL сертификате.
+pupupu.site, <nowiki>www.pupupu.site</nowiki>
+{{:linux:apache:md_status_1.png?nolink|}}
+mail.pupupu.site, admin.pupupu.site
+{{:linux:apache:md_status_2.png?nolink|}}
+===== OCSP =====
+Что такое OCSP stapling
+  * [[https://dxdt.ru/2013/12/19/6420/|Техническое: OCSP stapling в Firefox]]
+  * [[http://vladimir-stupin.blogspot.com/2017/02/ocsp-nginx.html|Вшивание OCSP в nginx]]
+  * [[https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work|How does OCSP stapling work?]]
+  * [[https://datatracker.ietf.org/doc/html/rfc2560|RFC 2560]], [[https://datatracker.ietf.org/doc/html/rfc5019|RFC 5019]]
+Как включить - [[https://github.com/icing/mod_md#just-the-stapling-mam|Just the Stapling, Mam!]]
+Информацию о OCSP можно посмотреть через [[https://httpd.apache.org/docs/2.4/mod/mod_status.html|Apache Module mod_status]]
+Пример
+{{:linux:apache:mod_md_server-status.png?nolink|}}
+Для OCSP можно использовать и mod_ssl и mod_md.
+===== Нюансы =====
+[[https://letsencrypt.org/ru/docs/challenge-types/|Виды проверок]] у Let's Encrypt.
+Для wildcard можно использовать только [[https://github.com/icing/mod_md#mdchallengedns01|dns-01]].
+Если например недоступен 80 порт извне, то может быть подобная ошибка
+<code bash>
+Error[Internal error (specific information not available)]: None of the ACME challenge methods configured for this domain are suitable. The http: challenge 'http-01' is disabled because the server seems not reachable on public port 80. The https: challenge 'tls-alpn-01' is disabled because the Protocols configuration does not include the 'acme-tls/1' protocol. The DNS challenge 'dns-01' is disabled because the directive 'MDChallengeDns01' is not configured. Next run in ~3 seconds
+</code>
+Если доступен только 443 порт, то в Protocols добавляем **acme-tls/1**
+  * [[https://github.com/icing/mod_md#tls-alpn-challenges|TLS ALPN Challenges]]
+  * [[https://github.com/icing/mod_md#mdportmap|MDPortMap]], [[https://github.com/icing/mod_md#ports-ports-ports|Ports Ports Ports]]
+EOM
+{{tag>linux debian ssl lets_encrypt apache mod_md}}