Dans la suite de mon post pour pouvoir visualiser les caméras de vidéosurveillance avec zmNinja sur un mobile, je me basais sur un serveur LAMP (Linux+Apache+MariaDB+PHP) personnel accessible sur internet avec une adresse fixe fournie par No-IP. Or jusqu’à présent j’utilisais un certificat autosigné pour chiffrer la connexion avec SSL et ça me générait une exception avec le navigateur qu’il faut accepter.
Il se trouve que certains navigateurs refusent qu’on puisse accepter le risque et exige un certificat reconnu par une autorité qualifiée. Je suis donc passé par Let’s Encrypt pour bénéficier d’un certificat valide.
Pour ma mageia je me suis reposé sur cette page, on installera tout d’abord le package lib64augeas-devel et on tapera ensuite en tant que root les commandes successives :
python3 -m venv /opt/certbot//opt/certbot/bin/pip install --upgrade pip
Voilà le résultat :
Requirement already satisfied: pip in /opt/certbot/lib/python3.10/site-packages (23.0.1)Collecting pipDownloading pip-25.0-py3-none-any.whl (1.8 MB)━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.8/1.8 MB 6.9 MB/s eta 0:00:00Installing collected packages: pipAttempting uninstall: pipFound existing installation: pip 23.0.1Uninstalling pip-23.0.1:Successfully uninstalled pip-23.0.1Successfully installed pip-25.0
puis on tape :
/opt/certbot/bin/pip install certbot certbot-apache
Voilà le résultat (extrait) :
Collecting certbotDownloading certbot-3.1.0-py3-none-any.whl.metadata (7.9 kB)Collecting certbot-apacheDownloading certbot_apache-3.1.0-py3-none-any.whl.metadata (1.3 kB)Collecting acme>=3.1.0 (from certbot)Downloading acme-3.1.0-py3-none-any.whl.metadata (1.3 kB)Collecting ConfigArgParse>=1.5.3 (from certbot)Downloading ConfigArgParse-1.7-py3-none-any.whl.metadata (23 kB)(...)Downloading urllib3-2.3.0-py3-none-any.whl (128 kB)Using cached pycparser-2.22-py3-none-any.whl (117 kB)Building wheels for collected packages: python-augeasBuilding wheel for python-augeas (pyproject.toml) ... doneCreated wheel for python-augeas: filename=python_augeas-1.1.0-py3-none-any.whl size=21254 sha256=36a415257635e6d1f8c6d86e979e3942a1cff4d0582e8d7be3a55aa7be9dfa71Stored in directory: /root/.cache/pip/wheels/b6/10/67/b10ab09e701005d015b7be1488a552f221f5e065645c6f39eeSuccessfully built python-augeasInstalling collected packages: pytz, pyrfc3339, parsedatetime, urllib3, typing-extensions, pycparser, idna, distro, configobj, ConfigArgParse, charset-normalizer, certifi, requests, cffi, python-augeas, cryptography, PyOpenSSL, josepy, acme, certbot, certbot-apacheSuccessfully installed ConfigArgParse-1.7 PyOpenSSL-25.0.0 acme-3.1.0 certbot-3.1.0 certbot-apache-3.1.0 certifi-2025.1.31 cffi-1.17.1 charset-normalizer-3.4.1 configobj-5.0.9 cryptogr
On crée ensuite les liens suivants :
ln -s /opt/certbot/bin/certbot /usr/bin/certbotln -s /usr/local/apache2/bin/httpd /usr/local/sbinln -s /usr/local/apache2/bin/apachectl /usr/local/bin
j’ai créé le répertoire /etc/httpd/conf.d et avant d’aller plus loin le fichier de configuration d’Apache httpd.conf doit être configuré pour qu’il existe bien un hôte virtuel sur le port 80 avec l’adresse visible d’internet :
<VirtualHost 192.168.13.11:80>ServerName adresseperso.ddns.netDocumentRoot /usr/local/apache2/htdocsErrorLog logs/ddns-error_logTransferLog logs/ddns-access_log</VirtualHost>
On tape ensuite :
certbot --apache --apache-server-root /usr/local/apache2
Voilà le résultat :
Saving debug log to /var/log/letsencrypt/letsencrypt.logEnter email address (used for urgent renewal and security notices)(Enter 'c' to cancel): olivier.hoarau@funix.org- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please read the Terms of Service athttps://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree inorder to register with the ACME server. Do you agree?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: Y- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Would you be willing, once your first certificate is successfully issued, toshare your email address with the Electronic Frontier Foundation, a foundingpartner of the Let's Encrypt project and the non-profit organization thatdevelops Certbot? We'd like to send you email about our work encrypting the web,EFF news, campaigns, and ways to support digital freedom.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: NAccount registered.Which names would you like to activate HTTPS for?We recommend selecting either all domains, or all domains in a VirtualHost/server block.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: adresseperso.ddns.net2: funix-mana.kervao.fr3: hoarau-mana.kervao.fr4: sql-mana.kervao.fr5: mana.kervao.fr- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Select the appropriate numbers separated by commas and/or spaces, or leave inputblank to select all options shown (Enter 'c' to cancel): 1Requesting a certificate for adresseperso.ddns.netSuccessfully received certificate.Certificate is saved at: /etc/letsencrypt/live/adresseperso.ddns.net/fullchain.pemKey is saved at: /etc/letsencrypt/live/adresseperso.ddns.net/privkey.pemThis certificate expires on 2025-05-09.These files will be updated when the certificate renews.Deploying certificateSuccessfully deployed certificate for adresseperso.ddns.net to /usr/local/apache2/conf/httpd-le-ssl.confCongratulations! You have successfully enabled HTTPS on https://adresseperso.ddns.netNEXT STEPS:- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -If you like Certbot, please consider supporting our work by:* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate* Donating to EFF: https://eff.org/donate-le- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Il va créer le fichier /usr/local/apache2/conf/httpd-le-ssl.conf qui contiendra :
<IfModule mod_ssl.c><VirtualHost 192.168.13.11:443>ServerName adresseperso.ddns.netDocumentRoot /usr/local/apache2/htdocsErrorLog logs/ddns-error_logTransferLog logs/ddns-access_logSSLCertificateFile /etc/letsencrypt/live/adresseperso.ddns.net/fullchain.pemSSLCertificateKeyFile /etc/letsencrypt/live/adresseperso.ddns.net/privkey.pemInclude /etc/letsencrypt/options-ssl-apache.conf</VirtualHost></IfModule>
et il modifiera le fichier /usr/local/apache2/conf/httpd.conf qui contiendra :
LoadModule ssl_module modules/mod_ssl.so(...)# Secure (SSL/TLS) connectionsInclude conf/extra/httpd-ssl.conf## Note: The following must must be present to support# starting without SSL on platforms with no /dev/random equivalent# but a statically compiled-in mod_ssl.#<IfModule ssl_module>SSLRandomSeed startup builtinSSLRandomSeed connect builtin</IfModule>(...)<VirtualHost 192.168.13.11:80>ServerName adresseperso.ddns.netDocumentRoot /usr/local/apache2/htdocsErrorLog logs/ddns-error_logTransferLog logs/ddns-access_logRewriteEngine onRewriteCond %{SERVER_NAME} =adresseperso.ddns.netRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]</VirtualHost>(...)Include /usr/local/apache2/conf/httpd-le-ssl.conf
Tous les fichiers de configuration de let’s encrypt se retrouvent sous /etc/letsencrypt, les certificats sont sous /etc/letsencrypt/live/adresseperso.ddns.net. Maintenant le certicat a une durée de vie limitée et il est possible de le renouveler automatiquement, tout est indiqué ici. Il suffit de taper simplement la commande suivante en tant que root dans un terminal :
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
Voilà le contenu de mon fichier /etc/crontab :
SHELL=/bin/bashPATH=/sbin:/bin:/usr/sbin:/usr/binMAILTO=rootHOME=/# run-parts01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly02 4 * * * root nice -n 19 run-parts --report /etc/cron.daily22 4 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly42 4 1 * * root nice -n 19 run-parts --report /etc/cron.monthly0 0,12 * * * root sleep 2501 && certbot renew -q
On relance crond avec la commande systemctl restart crond
A noter qu’il est important de vérifier que cerbot est bien à jour, pour ce faire il faut taper au moins tous les mois la commande suivante :
/opt/certbot/bin/pip install --upgrade certbot certbot-apache
Voilà le résultat (extrait) :
Requirement already satisfied: certbot in /opt/certbot/lib/python3.10/site-packages (3.1.0)Requirement already satisfied: certbot-apache in /opt/certbot/lib/python3.10/site-packages (3.1.0)Requirement already satisfied: acme>=3.1.0 in /opt/certbot/lib/python3.10/site-packages (from certbot) (3.1.0)Requirement already satisfied: ConfigArgParse>=1.5.3 in /opt/certbot/lib/python3.10/site-packages (from certbot) (1.7)(...)Requirement already satisfied: typing-extensions>=4.9 in /opt/certbot/lib/python3.10/site-packages (from PyOpenSSL!=23.1.0,>=17.5.0->acme>=3.1.0->certbot) (4.12.2)Requirement already satisfied: charset-normalizer<4,>=2 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (3.4.1)Requirement already satisfied: idna<4,>=2.5 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (3.10)Requirement already satisfied: urllib3<3,>=1.21.1 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (2.3.0)Requirement already satisfied: certifi>=2017.4.17 in /opt/certbot/lib/python3.10/site-packages (from requests>=2.20.0->acme>=3.1.0->certbot) (2025.1.31)
le plus simple est de créer le fichier /etc/cron.monthly/certbot-update qui contiendra :
#!/bin/bash/opt/certbot/bin/pip install --upgrade certbot certbot-apache
qui fera ça en tâche de fond.
Arabic
Chinese (Simplified)
Dutch
English
French
German
Italian
Portuguese
Spanish