{"id":4868,"date":"2021-10-28T14:03:57","date_gmt":"2021-10-28T12:03:57","guid":{"rendered":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4868"},"modified":"2021-10-28T14:14:02","modified_gmt":"2021-10-28T12:14:02","slug":"elements-de-conf-pour-tp-tls","status":"publish","type":"post","link":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4868","title":{"rendered":"El\u00e9ments de conf pour TP TLS"},"content":{"rendered":"

1- Etape 1 avec un certificat autosign\u00e9 :<\/strong><\/p>\n

root@debian:\/home\/ensibs# apt-get install apache2
\n<\/span><\/p>\n

Reading package lists… Done<\/p>\n

Building dependency tree… Done<\/p>\n

Reading state information… Done<\/p>\n

The following additional packages will be installed:<\/p>\n

apache2-data apache2-utils ssl-cert<\/p>\n

Suggested packages:<\/p>\n

apache2-doc apache2-suexec-pristine | apache2-suexec-custom<\/p>\n

The following NEW packages will be installed:<\/p>\n

apache2 apache2-data apache2-utils ssl-cert<\/p>\n

0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.<\/p>\n

Need to get 706 kB of archives.<\/p>\n

After this operation, 2,057 kB of additional disk space will be used.<\/p>\n

Do you want to continue? [Y\/n] Y<\/p>\n

Get:1 http:\/\/deb.debian.org\/debian bullseye\/main amd64 ssl-cert all 1.1.0+nmu1 [21.0 kB]<\/p>\n

Get:2 http:\/\/security.debian.org\/debian-security bullseye-security\/main amd64 apache2-data all 2.4.51-1~deb11u1 [160 kB]<\/p>\n

Get:3 http:\/\/security.debian.org\/debian-security bullseye-security\/main amd64 apache2-utils amd64 2.4.51-1~deb11u1 [255 kB]<\/p>\n

Get:4 http:\/\/security.debian.org\/debian-security bullseye-security\/main amd64 apache2 amd64 2.4.51-1~deb11u1 [270 kB]<\/p>\n

Fetched 706 kB in 1s (1,332 kB\/s)<\/p>\n

Preconfiguring packages …<\/p>\n

Selecting previously unselected package apache2-data.<\/p>\n

(Reading database … 162254 files and directories currently installed.)<\/p>\n

Preparing to unpack …\/apache2-data_2.4.51-1~deb11u1_all.deb …<\/p>\n

Unpacking apache2-data (2.4.51-1~deb11u1) …<\/p>\n

Selecting previously unselected package apache2-utils.<\/p>\n

Preparing to unpack …\/apache2-utils_2.4.51-1~deb11u1_amd64.deb …<\/p>\n

Unpacking apache2-utils (2.4.51-1~deb11u1) …<\/p>\n

Selecting previously unselected package apache2.<\/p>\n

Preparing to unpack …\/apache2_2.4.51-1~deb11u1_amd64.deb …<\/p>\n

Unpacking apache2 (2.4.51-1~deb11u1) …<\/p>\n

Selecting previously unselected package ssl-cert.<\/p>\n

Preparing to unpack …\/ssl-cert_1.1.0+nmu1_all.deb …<\/p>\n

Unpacking ssl-cert (1.1.0+nmu1) …<\/p>\n

Setting up ssl-cert (1.1.0+nmu1) …<\/p>\n

Setting up apache2-data (2.4.51-1~deb11u1) …<\/p>\n

Setting up apache2-utils (2.4.51-1~deb11u1) …<\/p>\n

Setting up apache2 (2.4.51-1~deb11u1) …<\/p>\n

Enabling module mpm_event.<\/p>\n

Enabling module authz_core.<\/p>\n

Enabling module authz_host.<\/p>\n

Enabling module authn_core.<\/p>\n

Enabling module auth_basic.<\/p>\n

Enabling module access_compat.<\/p>\n

Enabling module authn_file.<\/p>\n

Enabling module authz_user.<\/p>\n

Enabling module alias.<\/p>\n

Enabling module dir.<\/p>\n

Enabling module autoindex.<\/p>\n

Enabling module env.<\/p>\n

Enabling module mime.<\/p>\n

Enabling module negotiation.<\/p>\n

Enabling module setenvif.<\/p>\n

Enabling module filter.<\/p>\n

Enabling module deflate.<\/p>\n

Enabling module status.<\/p>\n

Enabling module reqtimeout.<\/p>\n

Enabling conf charset.<\/p>\n

Enabling conf localized-error-pages.<\/p>\n

Enabling conf other-vhosts-access-log.<\/p>\n

Enabling conf security.<\/p>\n

Enabling conf serve-cgi-bin.<\/p>\n

Enabling site 000-default.<\/p>\n

Created symlink \/etc\/systemd\/system\/multi-user.target.wants\/apache2.service \u2192 \/lib\/systemd\/system\/apache2.service.<\/p>\n

Created symlink \/etc\/systemd\/system\/multi-user.target.wants\/apache-htcacheclean.service \u2192 \/lib\/systemd\/system\/apache-htcacheclean.service.<\/p>\n

Processing triggers for man-db (2.9.4-2) …<\/p>\n

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<\/p>\n

link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<\/p>\n

inet 127.0.0.1\/8 scope host lo<\/p>\n

valid_lft forever preferred_lft forever<\/p>\n

inet6 ::1\/128 scope host<\/p>\n

valid_lft forever preferred_lft forever<\/p>\n

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<\/p>\n

link\/ether 08:00:27:0c:52:89 brd ff:ff:ff:ff:ff:ff<\/p>\n

inet 192.168.56.101\/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3<\/p>\n

valid_lft 589sec preferred_lft 589sec<\/p>\n

inet6 fe80::a00:27ff:fe0c:5289\/64 scope link noprefixroute<\/p>\n

valid_lft forever preferred_lft forever<\/p>\n

 <\/p>\n

root@debian:\/home\/ensibs# cd \/var\/lib\/apache2\/<\/p>\n

root@debian:\/var\/lib\/apache2# ls<\/p>\n

conf module site<\/p>\n

root@debian:\/var\/lib\/apache2# cd conf<\/p>\n

root@debian:\/etc\/apache2# ls<\/p>\n

apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled<\/p>\n

root@debian:\/etc\/apache2# vi apache2.conf<\/p>\n

root@debian:\/etc\/apache2# cd mods-enabled\/<\/p>\n

root@debian:\/etc\/apache2\/mods-enabled# ls<\/p>\n

access_compat.load auth_basic.load authz_core.load autoindex.conf deflate.load env.load mime.load negotiation.conf reqtimeout.load status.conf<\/p>\n

alias.conf authn_core.load authz_host.load autoindex.load dir.conf filter.load mpm_event.conf negotiation.load setenvif.conf status.load<\/p>\n

alias.load authn_file.load authz_user.load deflate.conf dir.load mime.conf mpm_event.load reqtimeout.conf setenvif.load<\/p>\n

root@debian:\/etc\/apache2\/mods-enabled# cd ..<\/p>\n

root@debian:\/etc\/apache2# cd mods-available\/<\/p>\n

root@debian:\/etc\/apache2\/mods-available# ls<\/p>\n

access_compat.load authz_core.load cgi.load expires.load ldap.conf negotiation.load proxy_uwsgi.load socache_dbm.load<\/p>\n

actions.conf authz_dbd.load charset_lite.load ext_filter.load ldap.load proxy_ajp.load proxy_wstunnel.load socache_memcache.load<\/p>\n

actions.load authz_dbm.load data.load file_cache.load log_debug.load proxy_balancer.conf ratelimit.load socache_redis.load<\/p>\n

alias.conf authz_groupfile.load dav_fs.conf filter.load log_forensic.load proxy_balancer.load reflector.load socache_shmcb.load<\/p>\n

alias.load authz_host.load dav_fs.load headers.load lua.load proxy.conf remoteip.load speling.load<\/p>\n

allowmethods.load authz_owner.load dav.load heartbeat.load macro.load proxy_connect.load reqtimeout.conf ssl.conf<\/p>\n

asis.load authz_user.load dav_lock.load heartmonitor.load md.load proxy_express.load reqtimeout.load ssl.load<\/p>\n

auth_basic.load autoindex.conf dbd.load http2.conf mime.conf proxy_fcgi.load request.load status.conf<\/p>\n

auth_digest.load autoindex.load deflate.conf http2.load mime.load proxy_fdpass.load rewrite.load status.load<\/p>\n

auth_form.load brotli.load deflate.load ident.load mime_magic.conf proxy_ftp.conf sed.load substitute.load<\/p>\n

authn_anon.load buffer.load dialup.load imagemap.load mime_magic.load proxy_ftp.load session_cookie.load suexec.load<\/p>\n

authn_core.load cache_disk.conf dir.conf include.load mpm_event.conf proxy_hcheck.load session_crypto.load unique_id.load<\/p>\n

authn_dbd.load cache_disk.load dir.load info.conf mpm_event.load proxy_html.conf session_dbd.load userdir.conf<\/p>\n

authn_dbm.load cache.load dnssd.conf info.load mpm_prefork.conf proxy_html.load session.load userdir.load<\/p>\n

authn_file.load cache_socache.load dnssd.load lbmethod_bybusyness.load mpm_prefork.load proxy_http2.load setenvif.conf usertrack.load<\/p>\n

authn_socache.load cern_meta.load dump_io.load lbmethod_byrequests.load mpm_worker.conf proxy_http.load setenvif.load vhost_alias.load<\/p>\n

authnz_fcgi.load cgid.conf echo.load lbmethod_bytraffic.load mpm_worker.load proxy.load slotmem_plain.load xml2enc.load<\/p>\n

authnz_ldap.load cgid.load env.load lbmethod_heartbeat.load negotiation.conf proxy_scgi.load slotmem_shm.load<\/p>\n

root@debian:\/etc\/apache2\/mods-available# vi ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/mods-available# cd ..<\/p>\n

root@debian:\/etc\/apache2# vi apache2.conf<\/p>\n

root@debian:\/etc\/apache2# a2enmod ssl<\/span><\/p>\n

Considering dependency setenvif for ssl:<\/p>\n

Module setenvif already enabled<\/p>\n

Considering dependency mime for ssl:<\/p>\n

Module mime already enabled<\/p>\n

Considering dependency socache_shmcb for ssl:<\/p>\n

Enabling module socache_shmcb.<\/p>\n

Enabling module ssl.<\/p>\n

See \/usr\/share\/doc\/apache2\/README.Debian.gz on how to configure SSL and create self-signed certificates.<\/p>\n

To activate the new configuration, you need to run:<\/p>\n

systemctl restart apache2<\/p>\n

root@debian:\/etc\/apache2# a2ensite default-ssl<\/span><\/p>\n

Enabling site default-ssl.<\/p>\n

To activate the new configuration, you need to run:<\/p>\n

systemctl reload apache2<\/p>\n

root@debian:\/etc\/apache2# service apache2 reload<\/p>\n

root@debian:\/etc\/apache2# mkdir tls<\/p>\n

root@debian:\/etc\/apache2# cd tls<\/p>\n

root@debian:\/etc\/apache2# ls<\/p>\n

apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled tls<\/p>\n

root@debian:\/etc\/apache2# chmod 600 tls\/*.*<\/p>\n

root@debian:\/etc\/apache2# ls<\/p>\n

apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled tls<\/p>\n

root@debian:\/etc\/apache2# cd sites-enabled\/<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# ls<\/p>\n

000-default.conf default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# vi default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# cd \/etc\/ssl<\/p>\n

root@debian:\/etc\/ssl# ls<\/p>\n

certs openssl.cnf private<\/p>\n

root@debian:\/etc\/ssl# ls -lart<\/p>\n

total 44<\/p>\n

-rw-r–r– 1 root root 11118 Aug 24 10:28 openssl.cnf<\/p>\n

drwxr-xr-x 4 root root 4096 Oct 19 14:52 .<\/p>\n

drwx–x— 2 root ssl-cert 4096 Oct 27 18:04 private<\/p>\n

drwxr-xr-x 2 root root 12288 Oct 27 18:04 certs<\/p>\n

drwxr-xr-x 119 root root 12288 Oct 27 18:21 ..<\/p>\n

root@debian:\/etc\/ssl# vi openssl.cnf<\/p>\n

root@debian:\/etc\/ssl# cd \/etc\/apache2\/tls\/<\/p>\n

root@debian:\/etc\/apache2\/tls# cd \/etc\/ssl<\/p>\n

root@debian:\/etc\/ssl# ls<\/p>\n

certs openssl.cnf private<\/p>\n

root@debian:\/etc\/ssl# less openssl.cnf<\/p>\n

root@debian:\/etc\/ssl#<\/p>\n

root@debian:\/etc\/ssl# vi openssl.cnf<\/p>\n

root@debian:\/etc\/ssl# cd \/etc\/apache2\/sites-enabled\/<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# ls<\/p>\n

000-default.conf default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# vi default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# service apache2 restart<\/span><\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# cd ..<\/p>\n

root@debian:\/etc\/apache2# ls<\/p>\n

apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled tls<\/p>\n

root@debian:\/etc\/apache2# vi apache2.conf<\/p>\n

root@debian:\/etc\/apache2# cd sites-enabled\/<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# ls<\/p>\n

000-default.conf default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# vi default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# service apache2 start<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# cd \/etc\/<\/p>\n

root@debian:\/etc# ls<\/p>\n

root@debian:\/etc# cd \/etc\/apache2\/tls<\/p>\n

root@debian:\/etc\/apache2\/tls# openssl genrsa 2048 > web.key<\/p>\n

Generating RSA private key, 2048 bit long modulus (2 primes)<\/p>\n

………………………………………………………………………………………………………………..+++++<\/p>\n

…………………………………………………………………………..+++++<\/p>\n

e is 65537 (0x010001)<\/p>\n

root@debian:\/etc\/apache2\/tls# openssl req -new -key web.key > web.csr<\/p>\n

You are about to be asked to enter information that will be incorporated<\/p>\n

into your certificate request.<\/p>\n

What you are about to enter is what is called a Distinguished Name or a DN.<\/p>\n

There are quite a few fields but you can leave some blank<\/p>\n

For some fields there will be a default value,<\/p>\n

If you enter ‘.’, the field will be left blank.<\/p>\n

—–<\/p>\n

Country Name (2 letter code) [AU]:FR<\/p>\n

State or Province Name (full name) [Some-State]:BZH<\/p>\n

Locality Name (eg, city) []:Lostihuel<\/p>\n

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Minist\u00e8re d\u00e9sarm\u00e9<\/p>\n

Organizational Unit Name (eg, section) []:IT<\/p>\n

Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1<\/p>\n

Email Address []:laurent@laurent.fr<\/p>\n

 <\/p>\n

Please enter the following ‘extra’ attributes<\/p>\n

to be sent with your certificate request<\/p>\n

A challenge password []:<\/p>\n

An optional company name []:<\/p>\n

root@debian:\/etc\/apache2\/tls# openssl genrsa 2048 > ca.key<\/p>\n

Generating RSA private key, 2048 bit long modulus (2 primes)<\/p>\n

..+++++<\/p>\n

……………………………………………………………+++++<\/p>\n

e is 65537 (0x010001)<\/p>\n

root@debian:\/etc\/apache2\/tls# openssl req -new -x509 -days 365 -key ca.key > ca.crt<\/p>\n

You are about to be asked to enter information that will be incorporated<\/p>\n

into your certificate request.<\/p>\n

What you are about to enter is what is called a Distinguished Name or a DN.<\/p>\n

There are quite a few fields but you can leave some blank<\/p>\n

For some fields there will be a default value,<\/p>\n

If you enter ‘.’, the field will be left blank.<\/p>\n

—–<\/p>\n

Country Name (2 letter code) [AU]:FR<\/p>\n

State or Province Name (full name) [Some-State]:BZH<\/p>\n

Locality Name (eg, city) []:Lostihuel<\/p>\n

Organization Name (eg, company) [Internet Widgits Pty Ltd]:BZH CA<\/p>\n

Organizational Unit Name (eg, section) []:IT<\/p>\n

Common Name (e.g. server FQDN or YOUR name) []:BZH CA<\/p>\n

Email Address []:lm@lm.fr<\/p>\n

root@debian:\/etc\/apache2\/tls# openssl x509 -req -in web.csr -out web.crt -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl<\/p>\n

Signature ok<\/p>\n

subject=C = FR, ST = BZH, L = Lostihuel, O = Minist\\C3\\83\\C2\\A8re d\\C3\\83\\C2\\A9sarm\\C3\\83\\C2\\A9, OU = IT, CN = 127.0.0.1, emailAddress = laurent@laurent.fr<\/p>\n

Getting CA Private Key<\/p>\n

root@debian:\/etc\/apache2\/tls# ls -lart<\/p>\n

total 40<\/p>\n

-rw——- 1 root root 948 Oct 27 18:40 servwiki.crt<\/p>\n

-rw-r–r– 1 root root 887 Oct 28 11:12 macle.key<\/p>\n

drwxr-xr-x 9 root root 4096 Oct 28 11:35 ..<\/p>\n

-rw-r–r– 1 root root 1679 Oct 28 11:55 web.key<\/p>\n

-rw-r–r– 1 root root 1070 Oct 28 11:58 web.csr<\/p>\n

-rw——- 1 root root 1675 Oct 28 12:04 ca.key<\/p>\n

-rw-r–r– 1 root root 1383 Oct 28 12:06 ca.crt<\/p>\n

-rw-r–r– 1 root root 1306 Oct 28 12:07 web.crt<\/p>\n

-rw-r–r– 1 root root 41 Oct 28 12:07 ca.srl<\/p>\n

root@debian:\/etc\/apache2\/tls# chmod 600 web.*<\/p>\n

root@debian:\/etc\/apache2\/tls# ls -lart<\/p>\n

total 40<\/p>\n

-rw——- 1 root root 948 Oct 27 18:40 servwiki.crt<\/p>\n

-rw-r–r– 1 root root 887 Oct 28 11:12 macle.key<\/p>\n

drwxr-xr-x 9 root root 4096 Oct 28 11:35 ..<\/p>\n

-rw——- 1 root root 1679 Oct 28 11:55 web.key<\/p>\n

-rw——- 1 root root 1070 Oct 28 11:58 web.csr<\/p>\n

-rw——- 1 root root 1675 Oct 28 12:04 ca.key<\/p>\n

-rw-r–r– 1 root root 1383 Oct 28 12:06 ca.crt<\/p>\n

-rw——- 1 root root 1306 Oct 28 12:07 web.crt<\/p>\n

-rw-r–r– 1 root root 41 Oct 28 12:07 ca.srl<\/p>\n

drwxr-xr-x 2 root root 4096 Oct 28 12:07 .<\/p>\n

root@debian:\/etc\/apache2\/tls# rm servwiki.crt<\/p>\n

root@debian:\/etc\/apache2\/tls# rm macle.key<\/p>\n

root@debian:\/etc\/apache2\/tls# cd ..<\/p>\n

root@debian:\/etc\/apache2# ls<\/p>\n

apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled tls<\/p>\n

root@debian:\/etc\/apache2# cd sites-enabled\/<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# ls<\/p>\n

000-default.conf default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# vi default-ssl.conf<\/p>\n

root@debian:\/etc\/apache2\/sites-enabled# service apache2 restart<\/p>\n

 <\/p>\n

2 – Etape 2 avec un certificat sign\u00e9 par let’s encrypt
\n<\/strong><\/p>\n

C’est plus compliqu\u00e9 car votre serveur doit avoir un nom de domaine que Let’s encrypt v\u00e9rifiera (bref ne pr\u00e9sente pas d’int\u00e9r\u00eat dans le cadre de la d\u00e9couverte de TLS)<\/p>\n\n","protected":false},"excerpt":{"rendered":"

1- Etape 1 avec un certificat autosign\u00e9 : root@debian:\/home\/ensibs# apt-get install apache2 Reading package lists… Done Building dependency tree… Done Reading state information… Done The following additional packages will be installed: apache2-data apache2-utils ssl-cert Suggested packages: apache2-doc apache2-suexec-pristine | apache2-suexec-custom The following NEW packages will be installed: apache2 apache2-data apache2-utils ssl-cert 0 upgraded, 4 newly […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39,13],"tags":[],"_links":{"self":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4868"}],"collection":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4868"}],"version-history":[{"count":4,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4868\/revisions"}],"predecessor-version":[{"id":4872,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4868\/revisions\/4872"}],"wp:attachment":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}