diff options
author | nodiscc <nodiscc@gmail.com> | 2020-05-18 21:07:32 +0200 |
---|---|---|
committer | nodiscc <nodiscc@gmail.com> | 2020-09-12 14:31:45 +0200 |
commit | c84d1430472bac5c8f437f41b8e845b808acfdd2 (patch) | |
tree | b1bd3b615a38e5ae8c08be93087f4405004d7b17 | |
parent | 30255b794ab3ddfaf2e813d173b445800102d748 (diff) | |
download | Shaarli-c84d1430472bac5c8f437f41b8e845b808acfdd2.tar.gz Shaarli-c84d1430472bac5c8f437f41b8e845b808acfdd2.tar.zst Shaarli-c84d1430472bac5c8f437f41b8e845b808acfdd2.zip |
apache: fix let's encrypt configuration , copy it directly from reference file
including options-ssl-apache.conf requires python3-certbot-apache which pulls a lot of dependencies
-rw-r--r-- | doc/md/Server-configuration.md | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index b4dfc53d..70ae087a 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md | |||
@@ -77,7 +77,6 @@ sudo systemctl stop apache2 | |||
77 | sudo systemctl stop nginx | 77 | sudo systemctl stop nginx |
78 | 78 | ||
79 | # generate initial certificates - Let's Encrypt ACME servers must be able to access your server! | 79 | # generate initial certificates - Let's Encrypt ACME servers must be able to access your server! |
80 | # (DNS records must be correctly pointing to it, firewall/NAT on port 80/443 must be open) | ||
81 | sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org | 80 | sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org |
82 | # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem | 81 | # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem |
83 | 82 | ||
@@ -150,7 +149,13 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf | |||
150 | SSLEngine on | 149 | SSLEngine on |
151 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem | 150 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem |
152 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | 151 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem |
153 | Include /etc/letsencrypt/options-ssl-apache.conf | 152 | |
153 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | ||
154 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
155 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | ||
156 | SSLHonorCipherOrder off | ||
157 | SSLSessionTickets off | ||
158 | SSLOptions +StrictRequire | ||
154 | 159 | ||
155 | # SSL/TLS configuration (for self-signed certificates) | 160 | # SSL/TLS configuration (for self-signed certificates) |
156 | #SSLEngine on | 161 | #SSLEngine on |