- Supprimer l'add-on Let's Encrypt s'il est installé
- Installer l'add-on ROOT Access
- Se connecter en WebSSH et lancer les commandes suivantes :
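# Install certbot from the OS repositories (run from the WebSSH session
# opened with the ROOT Access add-on).
yum install certbot
# Request a single certificate covering the apex name and a wildcard.
# Let's Encrypt only issues wildcards through the DNS-01 challenge, hence
# --manual together with --preferred-challenges dns.
# The wildcard is quoted so the shell cannot glob-expand "*.yourdomain.fr"
# against files in the current directory before certbot sees it.
# --config-dir moves the whole certbot state (accounts, renewal configs,
# live/ symlinks) under /var/lib/jelastic/SSL/; every later certbot call,
# including "certbot renew", must pass the same --config-dir or it will
# look under /etc/letsencrypt and find nothing.
certbot certonly -m hello@test.com -d '*.yourdomain.fr' -d yourdomain.fr --manual --preferred-challenges dns --agree-tos --config-dir /var/lib/jelastic/SSL/
# Create the DNS TXT record exactly as printed in the prompt, wait for it to
# propagate, then let certbot continue.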
- Configurer le fichier
/etc/nginx/conf.d/ssl.conf
afin qu'il ressemble à ceci
(modifier le chemin des directives ssl_certificate
et ssl_certificate_key) :
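#
# HTTPS server configuration
#
# Terminates TLS on port 443 (HTTP/2 over TCP and HTTP/3 over QUIC, IPv4 and
# IPv6) and reverse-proxies every request to the upstream group "common"
# declared in conf.d/ssl.upstreams.inc.
#
server {
  listen 443 quic reuseport;
  listen 443 http2 ssl;
  listen [::]:443 quic reuseport;
  listen [::]:443 http2 ssl;
  # Catch-all server block: it answers for any Host, so the certificate
  # below has to cover every name clients use (the certbot step requests
  # the apex plus the wildcard).
  server_name _;

  # Paths live under the --config-dir given to certbot. "live/<domain>/"
  # holds symlinks that certbot repoints on renewal, so nginx only needs a
  # reload after a renewal, not a config change.
  ssl_certificate /var/lib/jelastic/SSL/live/yourdomain.fr/fullchain.pem;
  ssl_certificate_key /var/lib/jelastic/SSL/live/yourdomain.fr/privkey.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:10m;

  # TLS 1.2 is limited to forward-secret AEAD suites; TLS 1.3 suites are
  # fixed by nginx and not affected by ssl_ciphers. Because every listed
  # suite is acceptable, the client's preference is honoured.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  # Advertise HTTP/3 on the same port; clients may cache the hint for a day.
  add_header alt-svc 'h3=":443"; ma=86400';
  # NOTE(review): no Strict-Transport-Security header is sent. Add one once
  # every hostname served by this block is confirmed to work over HTTPS only.

  # The "main" log format has to be defined in the http{} context, which is
  # outside this file.
  access_log /var/log/nginx/localhost.access_log main;
  error_log /var/log/nginx/localhost.error_log info;
  proxy_temp_path /var/nginx/tmp/;

  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root html;
  }

  location / {
    # The upstream group name is a variable so the included file can stay
    # shared between server blocks.
    set $upstream_name common;
    include conf.d/ssl.upstreams.inc;
    proxy_pass http://$upstream_name;
    proxy_next_upstream error;

    # HTTP/1.1 plus Upgrade/Connection pass-through is what WebSocket
    # proxying needs.
    # NOTE(review): Connection is forced to "upgrade" on every request, not
    # only on WebSocket handshakes; nginx's documented pattern maps
    # $http_upgrade to a $connection_upgrade variable in http{}. Confirm the
    # upstream tolerates the unconditional value.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    # X-Real-IP is the peer address nginx actually saw and is the value an
    # upstream should trust. X-Forwarded-For keeps whatever the client sent
    # and appends $remote_addr, so only its last entry is reliable.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-URI $request_uri;
    proxy_set_header X-ARGS $args;
    # Browsers send "Referer"; the misspelled header "Refer" (and the
    # matching $http_refer variable) was always empty, so the upstream never
    # received the referrer.
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Presumably tells the application that TLS was terminated here. An
    # upstream that trusts this header must only be reachable through this
    # proxy, otherwise a direct plain-HTTP client could set it itself.
    proxy_set_header Ssl-Offloaded "1";
  }
}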
- Mettez en place un cron, sous l'utilisateur root, qui lance un test de renouvellement du certificat le 5 de chaque mois.
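# Root's crontab. Both entries fire on day 1 of every month (05:00 and
# 05:05); the text above says the 5th of the month, which would be
# "00 5 5 * *" and "5 5 5 * *". Keep the schedule and the text in sync.
# --config-dir must match the "certbot certonly" call: without it, renew
# searches /etc/letsencrypt/renewal, finds no certificate and does nothing.
# stderr is captured too, otherwise certbot's errors never reach the log.
# NOTE(review): a certificate obtained with --manual and no
# --manual-auth-hook cannot complete the DNS challenge unattended; verify
# the renewal path with
#   certbot renew --dry-run --config-dir /var/lib/jelastic/SSL/
00 5 1 * * /usr/bin/certbot renew --config-dir /var/lib/jelastic/SSL/ >> /var/log/letsencrypt/renew.log 2>&1
# Reload nginx five minutes later so it picks up the renewed files. A
# --deploy-hook on the renew line would tie the reload to an actual renewal.
5 5 1 * * service nginx reload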