Following on from my post on viewing the video-surveillance cameras with zmNinja on a mobile, I relied on a personal LAMP server (Linux+Apache+MariaDB+PHP) reachable from the internet at a fixed address provided by No-IP. Until now I had been using a self-signed certificate to encrypt the connection with SSL, which triggered a browser exception that had to be accepted.

It turns out that some browsers refuse to let you accept the risk and require a certificate recognised by a qualified authority. So I went through Let's Encrypt to obtain a valid certificate.
For my Mageia I relied on this page: first install the lib64augeas-devel package, then type the following commands one after the other as root:
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
Here is the result:
Requirement already satisfied: pip in /opt/certbot/lib/python3.10/site-packages (23.0.1)
Collecting pip
  Downloading pip-25.0-py3-none-any.whl (1.8 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.8/1.8 MB 6.9 MB/s eta 0:00:00
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 23.0.1
    Uninstalling pip-23.0.1:
      Successfully uninstalled pip-23.0.1
Successfully installed pip-25.0
then type:
/opt/certbot/bin/pip install certbot certbot-apache
Here is the result (excerpt):
Collecting certbot
  Downloading certbot-3.1.0-py3-none-any.whl.metadata (7.9 kB)
Collecting certbot-apache
  Downloading certbot_apache-3.1.0-py3-none-any.whl.metadata (1.3 kB)
Collecting acme>=3.1.0 (from certbot)
  Downloading acme-3.1.0-py3-none-any.whl.metadata (1.3 kB)
Collecting ConfigArgParse>=1.5.3 (from certbot)
  Downloading ConfigArgParse-1.7-py3-none-any.whl.metadata (23 kB)
(...)
Downloading urllib3-2.3.0-py3-none-any.whl (128 kB)
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Building wheels for collected packages: python-augeas
  Building wheel for python-augeas (pyproject.toml) ... done
  Created wheel for python-augeas: filename=python_augeas-1.1.0-py3-none-any.whl size=21254 sha256=36a415257635e6d1f8c6d86e979e3942a1cff4d0582e8d7be3a55aa7be9dfa71
  Stored in directory: /root/.cache/pip/wheels/b6/10/67/b10ab09e701005d015b7be1488a552f221f5e065645c6f39ee
Successfully built python-augeas
Installing collected packages: pytz, pyrfc3339, parsedatetime, urllib3, typing-extensions, pycparser, idna, distro, configobj, ConfigArgParse, charset-normalizer, certifi, requests, cffi, python-augeas, cryptography, PyOpenSSL, josepy, acme, certbot, certbot-apache
Successfully installed ConfigArgParse-1.7 PyOpenSSL-25.0.0 acme-3.1.0 certbot-3.1.0 certbot-apache-3.1.0 certifi-2025.1.31 cffi-1.17.1 charset-normalizer-3.4.1 configobj-5.0.9 cryptogr
Then create the following links:
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
ln -s /usr/local/apache2/bin/httpd /usr/local/sbin
ln -s /usr/local/apache2/bin/apachectl /usr/local/bin
I created the directory /etc/httpd/conf.d, and before going any further the Apache configuration file httpd.conf must be set up so that a virtual host exists on port 80 with the address visible from the internet:
<VirtualHost 192.168.13.11:80>
    ServerName adresseperso.ddns.net
    DocumentRoot /usr/local/apache2/htdocs
    ErrorLog logs/ddns-error_log
    TransferLog logs/ddns-access_log
</VirtualHost>
Then type:
certbot --apache --apache-server-root /usr/local/apache2
Here is the result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): olivier.hoarau@funix.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: adresseperso.ddns.net
2: funix-mana.kervao.fr
3: hoarau-mana.kervao.fr
4: sql-mana.kervao.fr
5: mana.kervao.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for adresseperso.ddns.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/adresseperso.ddns.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/adresseperso.ddns.net/privkey.pem
This certificate expires on 2025-05-09.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for adresseperso.ddns.net to /usr/local/apache2/conf/httpd-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://adresseperso.ddns.net

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
It will create the file /usr/local/apache2/conf/httpd-le-ssl.conf, which will contain:
<IfModule mod_ssl.c>
<VirtualHost 192.168.13.11:443>
    ServerName adresseperso.ddns.net
    DocumentRoot /usr/local/apache2/htdocs
    ErrorLog logs/ddns-error_log
    TransferLog logs/ddns-access_log
    SSLCertificateFile /etc/letsencrypt/live/adresseperso.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/adresseperso.ddns.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
and it will modify the file /usr/local/apache2/conf/httpd.conf, which will contain:
LoadModule ssl_module modules/mod_ssl.so
(...)
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
(...)
<VirtualHost 192.168.13.11:80>
    ServerName adresseperso.ddns.net
    DocumentRoot /usr/local/apache2/htdocs
    ErrorLog logs/ddns-error_log
    TransferLog logs/ddns-access_log
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =adresseperso.ddns.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
(...)
Include /usr/local/apache2/conf/httpd-le-ssl.conf
All the Let's Encrypt configuration files end up under /etc/letsencrypt, and the certificates are under /etc/letsencrypt/live/adresseperso.ddns.net. Now, the certificate has a limited lifetime, and it can be renewed automatically; everything is explained here. Simply type the following command as root in a terminal:
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
Here is the content of my /etc/crontab file:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
02 4 * * * root nice -n 19 run-parts --report /etc/cron.daily
22 4 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
42 4 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
0 0,12 * * * root sleep 2501 && certbot renew -q
Restart crond with the command systemctl restart crond
Note that it is important to check that certbot is up to date; to do so, type the following command at least once a month:
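Once the certificate is deployed and the renewal cron is in place, it is worth checking two things from the outside: that the certificate served on port 443 is still well ahead of its notAfter date (certbot renews when fewer than 30 days remain, so anything below that means the cron job is not running), and that the port-80 virtual host really redirects to HTTPS as the RewriteRule above intends. The following script is an added example, not part of the original post or of certbot; it uses only the Python standard library, and the host name and the 30-day threshold are assumptions you can change.

```python
"""Post-deployment check for a Let's Encrypt + Apache setup:
(1) days left on the certificate served on :443,
(2) :80 answers with a permanent redirect to the same path over HTTPS.
Network access lives in check_host(); the decision logic is in pure
functions so it can be exercised offline with constructed values."""
import http.client
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30  # assumption: certbot's default renewal threshold

def days_left(not_after, now=None):
    """Whole days until expiry from an OpenSSL-style notAfter string such as
    'May  9 12:00:00 2025 GMT' (the format getpeercert() returns).
    `now` is epoch seconds (UTC); defaults to the current time."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now is None else now
    return int((expiry - now_ts) // 86400)

def redirect_ok(status, location, host, path):
    """True if the HTTP answer is the permanent redirect to https://host/path
    that the RewriteRule ... [END,NE,R=permanent] in httpd.conf produces."""
    return status in (301, 308) and location == f"https://{host}{path}"

def check_host(host, path="/", timeout=10):
    """Live check: returns (days_left, redirect_ok) for a real host."""
    ctx = ssl.create_default_context()  # validates chain and host name
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            remaining = days_left(tls.getpeercert()["notAfter"])
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        ok = redirect_ok(resp.status, resp.getheader("Location", ""), host, path)
    finally:
        conn.close()
    return remaining, ok

if __name__ == "__main__":
    # assumption: the host from the post unless one is given on the command line
    h = sys.argv[1] if len(sys.argv) > 1 else "adresseperso.ddns.net"
    d, ok = check_host(h)
    state = "OK" if d > RENEW_WINDOW_DAYS and ok else "WARN"
    print(f"{state}: {h} certificate expires in {d} days; https redirect={ok}")
```

Run it from cron a little after the certbot renew slot and mail the output to root; a WARN line is the earliest signal that renewal has silently stopped working.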
/opt/certbot/bin/pip install --upgrade certbot certbot-apache
Here is the result (excerpt):
Requirement already satisfied: certbot in /opt/certbot/lib/python3.10/site-packages (3.1.0)
Requirement already satisfied: certbot-apache in /opt/certbot/lib/python3.10/site-packages (3.1.0)
Requirement already satisfied: acme>=3.1.0 in /opt/certbot/lib/python3.10/site-packages (from certbot) (3.1.0)
Requirement already satisfied: ConfigArgParse>=1.5.3 in /opt/certbot/lib/python3.10/site-packages (from certbot) (1.7)
(...)
Requirement already satisfied: typing-extensions>=4.9 in /opt/certbot/lib/python3.10/site-packages (from PyOpenSSL!=23.1.0,>=17.5.0->acme>=3.1.0->certbot) (4.12.2)
Requirement already satisfied: charset-normalizer<4,>=2 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (3.4.1)
Requirement already satisfied: idna<4,>=2.5 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (3.10)
Requirement already satisfied: urllib3<3,>=1.21.1 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (2.3.0)
Requirement already satisfied: certifi>=2017.4.17 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (2025.1.31)
The simplest approach is to create the file /etc/cron.monthly/certbot-update containing:
#!/bin/bash
/opt/certbot/bin/pip install --upgrade certbot certbot-apache
which will take care of it in the background.