Text for new file, docs/CertDeployment #576

Open
opened 2025-12-29 01:27:26 +01:00 by adam · 0 comments

Originally created by @ZjYwMj on GitHub (Jul 3, 2022).

I suggest adding the following text as docs/CertDeployment, to help those without the full picture of what should be done.

There is a similar, more terse, suggestion for nginx at the comments of the deploy-cert hook.

Apache 2.4 on Debian 11 (bullseye) cert deployment suggestion:

Referring to cert.pem, chain.pem, fullchain.pem and privkey.pem:
By default, on Debian 11 (bullseye), those files are at /var/lib/dehydrated/certs/domain/. It can be seen that

```sh
# cat cert.pem chain.pem | diff - fullchain.pem
```

shows that the concatenation of cert.pem and chain.pem results in fullchain.pem.

  1. `cp cert.pem domain.crt`. Its permissions can be world readable.
  2. Copy and paste the first certificate section of chain.pem, that is the first "-----BEGIN CERTIFICATE-----" section, into a text file named intermediate.pem.
  3. `mv domain.crt intermediate.pem /etc/ssl/certs/`. Their permissions can be world readable.
  4. `cp privkey.pem /etc/ssl/private/domain.key`. Its permissions should keep it private.
  5. Adjust your web server config to something like

     ```apache
     <VirtualHost _default_:443>
             ServerName me.tld:443
             ServerAlias www.me.tld
             DocumentRoot /var/www/me.tld/html
             SSLEngine on
             SSLCertificateFile    /etc/ssl/certs/domain.crt
             SSLCertificateKeyFile /etc/ssl/private/domain.key
             SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
             SSLProtocol TLSv1.2
             SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
             SSLHonorCipherOrder on
             <Directory /var/www/me.tld/html>
                     Options Indexes FollowSymLinks MultiViews
                     AllowOverride All
                     Order allow,deny
                     allow from all
             </Directory>
     </VirtualHost>
     ```

  6. Restart the web server service.

Test at https://www.ssllabs.com/ssltest/analyze.html?d=me.tld

This procedure can be fully, or partially, automated by the deploy_cert hook.
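The automation the last sentence alludes to, as an added example that is not part of the issue text and not dehydrated's own code: a `deploy_cert` hook that performs steps 1 to 6 above. It assumes the hook signature dehydrated documents in its example hook.sh (`deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`); `CERT_DIR`, `KEY_DIR` and `RELOAD_CMD` are this example's own variables so it can be exercised in a scratch directory before it is pointed at /etc/ssl. Before touching anything it applies the `cat cert.pem chain.pem | diff - fullchain.pem` consistency check from the text and refuses to deploy a mismatched set.

```shell
#!/bin/sh
# Added example (not from the issue or from dehydrated itself): a
# deploy_cert hook automating the manual Apache deployment steps above.
# Assumed hook signature, as in dehydrated's example hook.sh:
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# CERT_DIR, KEY_DIR and RELOAD_CMD are this example's own knobs.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"
KEY_DIR="${KEY_DIR:-/etc/ssl/private}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"

# Step 2: print only the first "-----BEGIN CERTIFICATE-----" block of a
# chain file (the intermediate that signed the leaf), however many
# further blocks follow it.
first_cert_block() {  # first_cert_block CHAINFILE
    awk '
        /-----BEGIN CERTIFICATE-----/ { seen = 1 }
        seen { print }
        /-----END CERTIFICATE-----/ { if (seen) exit }
    ' "$1"
}

# Copy SRC to DST with an explicit mode, staging under a temporary name
# so Apache never reads a half-written certificate or key.
install_file() {  # install_file SRC DST MODE
    cp "$1" "$2.tmp"
    chmod "$3" "$2.tmp"
    mv -f "$2.tmp" "$2"
}

# The check from the issue text: cert.pem + chain.pem must equal
# fullchain.pem. Returns 0 when they match, non-zero otherwise.
chain_is_consistent() {  # chain_is_consistent CERTFILE CHAINFILE FULLCHAINFILE
    cat "$1" "$2" | cmp -s - "$3"
}

deploy_cert() {
    DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"; CHAINFILE="$5"
    # $6 (TIMESTAMP) is passed by dehydrated but not needed here.

    if ! chain_is_consistent "$CERTFILE" "$CHAINFILE" "$FULLCHAINFILE"; then
        echo "deploy_cert: $DOMAIN: cert.pem + chain.pem != fullchain.pem, refusing to deploy" >&2
        return 1
    fi

    # Steps 1 and 3: leaf certificate, world readable.
    install_file "$CERTFILE" "$CERT_DIR/$DOMAIN.crt" 0644

    # Steps 2 and 3: first intermediate only, world readable.
    stage="$CERT_DIR/.$DOMAIN.intermediate.stage"
    first_cert_block "$CHAINFILE" > "$stage"
    install_file "$stage" "$CERT_DIR/$DOMAIN.intermediate.pem" 0644
    rm -f "$stage"

    # Step 4: private key readable by root only; Apache loads it as root
    # at startup, so no other account needs access.
    install_file "$KEYFILE" "$KEY_DIR/$DOMAIN.key" 0600

    # Step 6: reload rather than restart so open connections survive.
    # Unquoted on purpose: RELOAD_CMD holds a command plus its arguments.
    $RELOAD_CMD
}

# dehydrated invokes the hook as: hook.sh HANDLER ARGS...
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
    *) : ;;  # other handlers (deploy_challenge, clean_challenge, ...) not handled here
esac
```

The file names it writes (`DOMAIN.crt`, `DOMAIN.intermediate.pem`, `DOMAIN.key`) replace the fixed `domain.crt`/`intermediate.pem`/`domain.key` of the manual steps, so one hook serves several hostnames; adjust the `SSLCertificate*` paths in the VirtualHost accordingly. Note that Apache 2.4.8 and later deprecate `SSLCertificateChainFile`; there, pointing `SSLCertificateFile` at fullchain.pem makes step 2 unnecessary, and the `Require all granted` form is the native 2.4 replacement for the `Order`/`allow` pair, which only works while mod_access_compat is loaded.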

Reference: starred/dehydrated#576