Apache HTTP Server ArchLinux - mod_ssl - Encryption (https)
The Apache HTTP Server module mod_ssl is required to run HTTP communication in encrypted form. Pages are then no longer reached only via http on port 80, but also via https on port 443. Encrypted HTTP communication requires two further components: a key and a certificate.
* Sources: Book: Sascha Kersken - Apache 2.4 Das umfassende Handbuch
IMPORTANT - The following configurations assume that an Apache HTTP Server has been set up as described under the following internal link:
NOTE - The module mod_ssl does not need to be installed explicitly, because it is already included in the apache package!
From here on, root privileges are required to run the following commands. To become the user root, either log in to the system as the root user or switch to the user root with the following command:
$ su -
Password:
ssl configuration
Directory/Name | Description |
/etc/httpd/conf/extra/httpd-ssl.conf | Contains the settings for the SSL configuration |
/etc/httpd/conf/extra/httpd-ssl.conf
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# Tachtler
# default: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# default: SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
# kRSA ciphers do not offer forward secrecy. These changes inhibit
# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
# non-browser tooling) from successfully connecting.
#
# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
# those protocols which do not support forward secrecy, replace
# the SSLCipherSuite and SSLProxyCipherSuite directives above with
# the following two directives, as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
# Tachtler
# default: SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Tachtler
# default: SSLProxyProtocol all -SSLv3
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache "dbm:/run/httpd/ssl_scache"
SSLSessionCache "shmcb:/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
# This feature is disabled by default and requires at least
# the two directives SSLUseStapling and SSLStaplingCache.
# Refer to the documentation on OCSP Stapling in the SSL/TLS
# How-To for more information.
#
# Enable stapling for all SSL-enabled servers:
# Tachtler
# default: #SSLUseStapling On
SSLUseStapling On
# Define a relatively small cache for OCSP Stapling using
# the same mechanism that is used for the SSL session cache
# above. If stapling is used with more than a few certificates,
# the size may need to be increased. (AH01929 will be logged.)
# Tachtler
# default: #SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
# Seconds before valid OCSP responses are expired from the cache
#SSLStaplingStandardCacheTimeout 3600
# Seconds before invalid OCSP responses are expired from the cache
#SSLStaplingErrorCacheTimeout 600
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/http"
# Tachtler
# default: ServerName www.example.com:443
ServerName apache.tachtler.net:443
# Tachtler
# default: ServerAdmin you@example.com
ServerAdmin webmaster@tachtler.net
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
# Tachtler
# default: SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateFile "/etc/letsencrypt/live/apache.tachtler.net/fullchain.pem"
#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# Tachtler
# default: SSLCertificateKeyFile "/etc/httpd/conf/server.key"
SSLCertificateKeyFile "/etc/letsencrypt/live/apache.tachtler.net/privkey.pem"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded).
# The CRL checking mode needs to be configured explicitly
# through SSLCARevocationCheck (defaults to "none" otherwise).
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
#SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
# file (containing login information for SRP user accounts).
# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
# detailed instructions on creating this file. Example:
# "openssl srp -srpvfile /etc/httpd/conf/passwd.srpv -add username"
#SSLSRPVerifierFile "/etc/httpd/conf/passwd.srpv"
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/http/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/var/log/httpd/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Explanations:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This complex directive uses a colon-separated cipher string made up of OpenSSL cipher specifications to configure the cipher suite that the client is permitted to negotiate in the SSL handshake phase. The optional protocol specifier can configure the cipher suite for a specific SSL version.
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This directive can be used to control the SSL protocol variants that mod_ssl should use when establishing its server environment for proxy. It will only connect to servers that use one of the specified protocols. See also the explanations for: SSLCipherSuite
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
This directive can be used to control which versions of the SSL/TLS protocol are accepted for new connections.
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
This directive controls which SSL protocol variants mod_ssl should use when it sets up its server environment for proxy. It will only connect to servers that use one of the specified protocols. See also the explanations for: SSLProtocol
Explanations:
Uncomment the line that is already prepared but commented out by default so that OCSP (Online Certificate Status Protocol) stapling is enabled in the Apache HTTP Server.
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
Configures the cache used to store the OCSP (Online Certificate Status Protocol) stapling responses that are included in the TLS handshake when SSLUseStapling is enabled. Configuring a cache is mandatory for OCSP (Online Certificate Status Protocol) stapling.
Explanations:
ServerName apache.tachtler.net:443
Host name and TCP HTTPS port of the Apache HTTP Server. The name given here serves solely for the self-identification of the Apache HTTP Server. Whether it is also used for self-referencing URLs is governed by the following directive: see the following external link: UseCanonicalName
ServerAdmin webmaster@tachtler.net
E-mail address of the Apache HTTP Server administrator for automatically generated error pages. If the Apache HTTP Server runs into problems while answering client requests, a customised error page is generated, which may also include a link with the e-mail address of the Apache HTTP Server administrator.
See also the following external link: ServerSignature
SSLCertificateFile "/etc/letsencrypt/live/apache.tachtler.net/fullchain.pem"
This directive points to a file with certificate data in PEM format.
NOTE - Use of the directive SSLCertificateChainFile is deprecated. SSLCertificateChainFile was marked as deprecated in Apache HTTP Server version 2.4.8, because SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
SSLCertificateKeyFile "/etc/letsencrypt/live/apache.tachtler.net/privkey.pem"
This directive points to the PEM-encoded private key file for the server.
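A static check of the policy explained above, as an added example that is not part of the original page: it reads an httpd-ssl.conf and reports legacy protocol versions that are still enabled, cipher entries that are aliases or lack ECDHE/DHE or AEAD, stapling without a cache, and use of the deprecated SSLCertificateChainFile. The function names and both sample configurations are constructed for this example; "all" is assumed to cover every protocol name listed in the script.

```shell
#!/bin/sh
# Added example: static audit of the TLS policy in an httpd-ssl.conf read from stdin.
# Prints one "line:Directive: finding" per problem, nothing when every check passes.
# Assumption: "all" is treated as every protocol name listed in known[], although
# the set really offered also depends on the OpenSSL build.
audit_ssl_conf() {
    awk '
    BEGIN {
        nk = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ")
        nl = split("SSLv3 TLSv1 TLSv1.1", legacy, " ")
    }
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    { name = tolower($1) }              # directive names are case-insensitive

    # Protocols: expand "all", then apply the +/- switches from left to right.
    name == "sslprotocol" || name == "sslproxyprotocol" {
        split("", on)                   # portable way to empty an awk array
        for (i = 2; i <= NF; i++) {
            p = tolower($i)
            if (p == "all") {
                for (j = 1; j <= nk; j++) on[tolower(known[j])] = 1
                continue
            }
            sign = substr(p, 1, 1)
            if (sign == "+" || sign == "-") p = substr(p, 2)
            on[p] = (sign == "-") ? 0 : 1
        }
        for (j = 1; j <= nl; j++)
            if (on[tolower(legacy[j])])
                print NR ":" $1 ": legacy protocol " legacy[j] " still enabled"
    }

    # Cipher string: last field (an optional protocol specifier may precede it).
    name == "sslciphersuite" || name == "sslproxyciphersuite" {
        spec = $NF
        gsub(/"/, "", spec)
        n = split(spec, c, ":")
        for (i = 1; i <= n; i++) {
            # exclusions (!X, -X) and TLSv1.3 suite names need no further check
            if (c[i] == "" || c[i] ~ /^[!-]/ || c[i] ~ /^TLS_/) continue
            if (c[i] !~ /-/)
                print NR ":" $1 ": alias " c[i] " expands per OpenSSL build; review with: openssl ciphers -v"
            else if (c[i] !~ /^(ECDHE|DHE)-/)
                print NR ":" $1 ": " c[i] " names no ECDHE/DHE key exchange (forward secrecy not assured)"
            else if (c[i] !~ /GCM|CHACHA20|CCM/)
                print NR ":" $1 ": " c[i] " is not an AEAD suite"
        }
    }

    # Stapling needs both directives; the chain file directive is deprecated.
    name == "sslusestapling" && tolower($2) == "on" { stapling = NR }
    name == "sslstaplingcache" { cache = 1 }
    name == "sslcertificatechainfile" {
        print NR ":" $1 ": deprecated since httpd 2.4.8; append the chain to SSLCertificateFile"
    }
    END {
        if (stapling && !cache)
            print stapling ":SSLUseStapling: enabled without SSLStaplingCache"
    }
    '
}

# Constructed sample: the values quoted in the "# default:" comments of the file,
# plus stapling switched on without a cache and a chain file directive.
sample_default_conf() {
    cat <<'EOF'
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProtocol all -SSLv3
SSLUseStapling On
SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"
EOF
}

# Constructed sample: the values this page sets in httpd-ssl.conf.
sample_hardened_conf() {
    cat <<'EOF'
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLUseStapling On
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
EOF
}

# Demo on the constructed sample; on a real host run:
#   audit_ssl_conf < /etc/httpd/conf/extra/httpd-ssl.conf
sample_default_conf | audit_ssl_conf
```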
ssl configuration: /etc/httpd/conf/httpd.conf
Before the Apache HTTP Server can be restarted successfully again, the configuration file /etc/httpd/conf/httpd.conf has to be changed for the following installation.
The following changes must be made:
(Relevant excerpt only):
# Tachtler
# default: #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Explanations:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Loading the module mod_cache_socache is required if the Apache HTTP Server is to be accessed via HTTPS; it implements a shared object cache provider that allows a cache to be created and accessed, backed by a high-performance cyclic buffer inside a shared memory segment.
(Relevant excerpt only):
# Tachtler
# default: #LoadModule ssl_module modules/mod_ssl.so
LoadModule ssl_module modules/mod_ssl.so
Explanations:
LoadModule ssl_module modules/mod_ssl.so
Loading the module mod_ssl is required if the Apache HTTP Server is to be accessed via HTTPS.
(Relevant excerpt only):
# Tachtler
# default: #LoadModule rewrite_module modules/mod_rewrite.so
LoadModule rewrite_module modules/mod_rewrite.so
Explanations:
LoadModule rewrite_module modules/mod_rewrite.so
Loading the module mod_rewrite is required if, for example, a Let's Encrypt certificate is to be used and validation via the HTTP-01 challenge is to be carried out.
See also the following external links:
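A cross-check for the LoadModule changes described above, as an added example that is not part of the original page: it derives the modules that the directives in httpd-ssl.conf depend on and lists those without an active LoadModule line in httpd.conf. The directive-to-module mapping covers only directives that appear on this page; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: list modules the SSL config needs that httpd.conf does not load.
# usage: missing_modules HTTPD_CONF SSL_CONF   (one module identifier per line)

# Module identifiers required by the directives found in the SSL config (stdin).
required_modules() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
    { d = tolower($1); sub(/^</, "", d) }       # "<VirtualHost" -> "virtualhost"
    d ~ /^ssl/                              { need["ssl_module"] = 1 }
    d == "sslsessioncache" || d == "sslstaplingcache" {
        v = tolower($2); gsub(/"/, "", v)       # cache type is the prefix before ":"
        if (v ~ /^shmcb:/) need["socache_shmcb_module"] = 1
        if (v ~ /^dbm:/)   need["socache_dbm_module"] = 1
    }
    d == "browsermatch" || d == "setenvif"  { need["setenvif_module"] = 1 }
    d == "customlog" || d == "transferlog"  { need["log_config_module"] = 1 }
    d ~ /^rewrite/                          { need["rewrite_module"] = 1 }
    END { for (m in need) print m }
    ' | LC_ALL=C sort
}

# Module identifiers activated by uncommented LoadModule lines (stdin).
loaded_modules() {
    awk 'tolower($1) == "loadmodule" { print $2 }' | LC_ALL=C sort -u
}

missing_modules() {
    req=$(mktemp) && got=$(mktemp) || return 2
    required_modules < "$2" > "$req"
    loaded_modules   < "$1" > "$got"
    LC_ALL=C comm -23 "$req" "$got"             # lines only in the required list
    rm -f "$req" "$got"
}

# Constructed sample of httpd.conf: "default" keeps the three modules commented
# out, "changed" applies the edits shown on this page.
sample_httpd_conf() {
    conf='LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule rewrite_module modules/mod_rewrite.so'
    if [ "$1" = changed ]; then
        printf '%s\n' "$conf" | sed 's/^#LoadModule/LoadModule/'
    else
        printf '%s\n' "$conf"
    fi
}

# Constructed sample of httpd-ssl.conf, reduced to the active directives.
sample_ssl_conf() {
    cat <<'EOF'
Listen 443
SSLSessionCache "shmcb:/run/httpd/ssl_scache(512000)"
SSLUseStapling On
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
<VirtualHost _default_:443>
SSLEngine on
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown
CustomLog "/var/log/httpd/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x"
</VirtualHost>
EOF
}

# Demo on the constructed samples; on a real host run:
#   missing_modules /etc/httpd/conf/httpd.conf /etc/httpd/conf/extra/httpd-ssl.conf
tmp=$(mktemp -d)
sample_httpd_conf default > "$tmp/httpd.conf"
sample_ssl_conf > "$tmp/httpd-ssl.conf"
missing_modules "$tmp/httpd.conf" "$tmp/httpd-ssl.conf"
rm -rf "$tmp"
```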
Let's Encrypt - Certbot
In the following, certificates are to be obtained from the certificate authority Let's Encrypt. This is done using the recommended ACME client implementation, Certbot.
Further information can be found under the following external link:
The two most common ways of obtaining a certificate from Let's Encrypt are carried out below:
as also described under the following external link:
Let's Encrypt - Certbot - Installation
The following package is required to install Certbot:
certbot - is included in the community repository of ArchLinux.
The following command installs the package certbot:
# pacman -S --noconfirm certbot
Installation progress
resolving dependencies...
looking for conflicting packages...
warning: insufficient columns available for table display
Packages (33) python-acme-1.26.0-1 python-appdirs-1.4.4-6
python-cffi-1.15.0-3 python-chardet-4.0.0-5
python-configargparse-1.5-3
python-configobj-5.0.6.r110.g3e2f4cc-3
python-cryptography-36.0.2-1 python-distro-1.7.0-1
python-future-0.18.2-7 python-idna-3.3-4 python-josepy-1.13.0-2
python-more-itertools-8.12.0-1 python-ordered-set-4.0.2-6
python-packaging-20.9-7 python-parsedatetime-2.6-5
python-pycparser-2.21-3 python-pyopenssl-22.0.0-1
python-pyparsing-3.0.8-1 python-pyrfc3339-1.1-9
python-pytz-2022.1-1 python-requests-2.27.1-1
python-requests-toolbelt-0.9.1-7 python-setuptools-1:59.5.0-1
python-six-1.16.0-5 python-urllib3-1.26.9-1
python-zope-component-5.0.1-3 python-zope-deferredimport-4.4-1
python-zope-deprecation-4.4.0-7 python-zope-event-4.5.0-6
python-zope-hookable-5.1.0-3 python-zope-interface-5.4.0-4
python-zope-proxy-4.5.0-3 certbot-1.26.0-1
Total Download Size: 4.22 MiB
Total Installed Size: 27.71 MiB
:: Proceed with installation? [Y/n]
:: Retrieving packages...
python-cryptogra... 921.8 KiB 52.0 KiB/s 00:18 [######################] 100%
python-setuptool... 562.5 KiB 45.7 KiB/s 00:12 [######################] 100%
certbot-1.26.0-1-any 431.7 KiB 42.2 KiB/s 00:10 [######################] 100%
python-zope-inte... 325.9 KiB 63.5 KiB/s 00:05 [######################] 100%
python-cffi-1.15... 227.4 KiB 68.3 KiB/s 00:03 [######################] 100%
python-chardet-4... 196.5 KiB 72.5 KiB/s 00:03 [######################] 100%
python-pycparser... 194.3 KiB 60.9 KiB/s 00:03 [######################] 100%
python-urllib3-1... 184.6 KiB 47.1 KiB/s 00:04 [######################] 100%
python-pyparsing... 152.7 KiB 35.0 KiB/s 00:04 [######################] 100%
python-zope-comp... 113.4 KiB 44.5 KiB/s 00:03 [######################] 100%
python-requests-... 94.0 KiB 28.5 KiB/s 00:03 [######################] 100%
python-acme-1.26... 92.3 KiB 46.6 KiB/s 00:02 [######################] 100%
python-idna-3.3-... 90.0 KiB 52.0 KiB/s 00:02 [######################] 100%
python-pyopenssl... 86.2 KiB 38.5 KiB/s 00:02 [######################] 100%
python-more-iter... 73.8 KiB 40.5 KiB/s 00:02 [######################] 100%
python-requests-... 73.0 KiB 30.3 KiB/s 00:02 [######################] 100%
python-parsedate... 60.6 KiB 48.9 KiB/s 00:01 [######################] 100%
python-zope-prox... 59.8 KiB 64.3 KiB/s 00:01 [######################] 100%
python-configobj... 58.7 KiB 53.8 KiB/s 00:01 [######################] 100%
python-packaging... 53.4 KiB 49.4 KiB/s 00:01 [######################] 100%
python-josepy-1.... 49.9 KiB 55.5 KiB/s 00:01 [######################] 100%
python-pytz-2022... 39.8 KiB 54.5 KiB/s 00:01 [######################] 100%
python-distro-1.... 31.1 KiB 57.6 KiB/s 00:01 [######################] 100%
python-configarg... 30.5 KiB 61.0 KiB/s 00:01 [######################] 100%
python-six-1.16.... 23.2 KiB 54.0 KiB/s 00:00 [######################] 100%
python-zope-depr... 19.3 KiB 40.1 KiB/s 00:00 [######################] 100%
python-zope-hook... 15.6 KiB 46.0 KiB/s 00:00 [######################] 100%
python-appdirs-1... 15.0 KiB 68.3 KiB/s 00:00 [######################] 100%
python-ordered-s... 13.6 KiB 37.8 KiB/s 00:00 [######################] 100%
python-zope-defe... 13.5 KiB 56.4 KiB/s 00:00 [######################] 100%
python-pyrfc3339... 10.4 KiB 37.0 KiB/s 00:00 [######################] 100%
python-zope-even... 8.4 KiB 52.2 KiB/s 00:00 [######################] 100%
Total (32/32) 4.2 MiB 47.9 KiB/s 01:30 [######################] 100%
(33/33) checking keys in keyring [######################] 100%
(33/33) checking package integrity [######################] 100%
(33/33) loading package files [######################] 100%
(33/33) checking for file conflicts [######################] 100%
(33/33) checking available disk space [######################] 100%
:: Running pre-transaction hooks...
(1/1) Performing snapper pre snapshots for the following configurations...
==> root: 20
:: Processing package changes...
( 1/33) installing python-pycparser [######################] 100%
( 2/33) installing python-cffi [######################] 100%
( 3/33) installing python-cryptography [######################] 100%
( 4/33) installing python-pyopenssl [######################] 100%
( 5/33) installing python-josepy [######################] 100%
( 6/33) installing python-pytz [######################] 100%
( 7/33) installing python-pyrfc3339 [######################] 100%
( 8/33) installing python-urllib3 [######################] 100%
Optional dependencies for python-urllib3
python-pysocks: SOCKS support
python-brotli: Brotli support
python-pyopenssl: security support [installed]
python-idna: security support [pending]
( 9/33) installing python-chardet [######################] 100%
(10/33) installing python-idna [######################] 100%
(11/33) installing python-requests [######################] 100%
Optional dependencies for python-requests
python-pysocks: SOCKS proxy support
(12/33) installing python-requests-toolbelt [######################] 100%
(13/33) installing python-acme [######################] 100%
(14/33) installing python-configargparse [######################] 100%
Optional dependencies for python-configargparse
python-yaml: for YAML support
(15/33) installing python-six [######################] 100%
(16/33) installing python-configobj [######################] 100%
(17/33) installing python-appdirs [######################] 100%
(18/33) installing python-more-itertools [######################] 100%
(19/33) installing python-ordered-set [######################] 100%
(20/33) installing python-pyparsing [######################] 100%
Optional dependencies for python-pyparsing
python-railroad-diagrams: for generating Railroad Diagrams
python-jinja: for generating Railroad Diagrams
(21/33) installing python-packaging [######################] 100%
(22/33) installing python-setuptools [######################] 100%
(23/33) installing python-distro [######################] 100%
(24/33) installing python-future [######################] 100%
Optional dependencies for python-future
python-setuptools: futurize and pasteurize scripts [installed]
(25/33) installing python-parsedatetime [######################] 100%
(26/33) installing python-zope-interface [######################] 100%
(27/33) installing python-zope-proxy [######################] 100%
(28/33) installing python-zope-deferredimport [######################] 100%
(29/33) installing python-zope-deprecation [######################] 100%
(30/33) installing python-zope-event [######################] 100%
(31/33) installing python-zope-hookable [######################] 100%
(32/33) installing python-zope-component [######################] 100%
(33/33) installing certbot [######################] 100%
Optional dependencies for certbot
certbot-apache: Apache plugin for Let’s Encrypt client
certbot-nginx: Nginx plugin for Let’s Encrypt client
:: Running post-transaction hooks...
(1/4) Reloading system manager configuration...
(2/4) Creating temporary files...
(3/4) Arming ConditionNeedsUpdate...
(4/4) Performing snapper post snapshots for the following configurations...
==> root: 21
The following command can be used to check which contents were installed with the package certbot:
# pacman -Qil certbot
Installed files
# pacman -Qil certbot
Name : certbot
Version : 1.26.0-1
Description : An ACME client
Architecture : any
URL : https://certbot.eff.org
Licenses : Apache
Groups : None
Provides : None
Depends On : ca-certificates python-acme python-configargparse
python-configobj python-cryptography python-distro
python-parsedatetime python-pyrfc3339 python-pytz
python-setuptools python-zope-component
python-zope-interface
Optional Deps : certbot-apache: Apache plugin for Let’s Encrypt client
certbot-nginx: Nginx plugin for Let’s Encrypt client
Required By : None
Optional For : None
Conflicts With : None
Replaces : letsencrypt
Installed Size : 2.07 MiB
Packager : George Rawlinson <grawlinson@archlinux.org>
Build Date : Wed 06 Apr 2022 01:29:52 AM CEST
Install Date : Fri 29 Apr 2022 02:45:09 PM CEST
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
certbot /usr/
certbot /usr/bin/
certbot /usr/bin/certbot
certbot /usr/lib/
certbot /usr/lib/python3.10/
certbot /usr/lib/python3.10/site-packages/
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/LICENSE.txt
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/METADATA
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/RECORD
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/WHEEL
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/entry_points.txt
certbot /usr/lib/python3.10/site-packages/certbot-1.26.0.dist-info/top_level.txt
certbot /usr/lib/python3.10/site-packages/certbot/
certbot /usr/lib/python3.10/site-packages/certbot/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/achallenges.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/achallenges.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/configuration.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/configuration.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/crypto_util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/crypto_util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/errors.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/errors.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/interfaces.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/interfaces.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/main.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/main.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/ocsp.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/ocsp.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/reverter.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/reverter.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/__pycache__/util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/account.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/account.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/auth_handler.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/auth_handler.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/cert_manager.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/cert_manager.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/client.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/client.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/constants.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/constants.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/eff.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/eff.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/error_handler.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/error_handler.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/hooks.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/hooks.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/lock.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/lock.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/log.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/log.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/main.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/main.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/renewal.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/renewal.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/reporter.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/reporter.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/snap_config.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/snap_config.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/storage.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/storage.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/updater.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/__pycache__/updater.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/account.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cert_manager.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/cli_constants.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/cli_constants.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/cli_utils.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/cli_utils.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/group_adder.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/group_adder.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/helpful.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/helpful.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/paths_parser.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/paths_parser.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/plugins_parsing.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/plugins_parsing.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/subparsers.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/subparsers.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/verb_help.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/__pycache__/verb_help.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/cli_constants.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/cli_utils.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/group_adder.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/helpful.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/paths_parser.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/plugins_parsing.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/subparsers.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/cli/verb_help.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/client.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/constants.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/completer.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/completer.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/dummy_readline.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/dummy_readline.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/obj.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/obj.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/__pycache__/util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/completer.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/dummy_readline.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/obj.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/display/util.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/eff.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/error_handler.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/hooks.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/lock.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/log.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/main.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/disco.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/disco.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/manual.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/manual.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/null.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/null.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/selection.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/selection.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/standalone.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/standalone.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/webroot.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/__pycache__/webroot.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/disco.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/manual.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/null.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/selection.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/standalone.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/plugins/webroot.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/renewal.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/reporter.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/snap_config.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/storage.py
certbot /usr/lib/python3.10/site-packages/certbot/_internal/updater.py
certbot /usr/lib/python3.10/site-packages/certbot/achallenges.py
certbot /usr/lib/python3.10/site-packages/certbot/compat/
certbot /usr/lib/python3.10/site-packages/certbot/compat/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/_path.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/_path.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/filesystem.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/filesystem.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/misc.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/misc.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/os.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/__pycache__/os.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/compat/_path.py
certbot /usr/lib/python3.10/site-packages/certbot/compat/filesystem.py
certbot /usr/lib/python3.10/site-packages/certbot/compat/misc.py
certbot /usr/lib/python3.10/site-packages/certbot/compat/os.py
certbot /usr/lib/python3.10/site-packages/certbot/configuration.py
certbot /usr/lib/python3.10/site-packages/certbot/crypto_util.py
certbot /usr/lib/python3.10/site-packages/certbot/display/
certbot /usr/lib/python3.10/site-packages/certbot/display/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/ops.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/ops.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/__pycache__/util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/display/ops.py
certbot /usr/lib/python3.10/site-packages/certbot/display/util.py
certbot /usr/lib/python3.10/site-packages/certbot/errors.py
certbot /usr/lib/python3.10/site-packages/certbot/interfaces.py
certbot /usr/lib/python3.10/site-packages/certbot/main.py
certbot /usr/lib/python3.10/site-packages/certbot/ocsp.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/common.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/common.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_common.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_common.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_common_lexicon.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_common_lexicon.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_test_common.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_test_common.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_test_common_lexicon.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/dns_test_common_lexicon.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/enhancements.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/enhancements.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/storage.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/storage.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/__pycache__/util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/plugins/common.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/dns_common.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/dns_common_lexicon.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/dns_test_common.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/dns_test_common_lexicon.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/enhancements.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/storage.py
certbot /usr/lib/python3.10/site-packages/certbot/plugins/util.py
certbot /usr/lib/python3.10/site-packages/certbot/py.typed
certbot /usr/lib/python3.10/site-packages/certbot/reverter.py
certbot /usr/lib/python3.10/site-packages/certbot/ssl-dhparams.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/
certbot /usr/lib/python3.10/site-packages/certbot/tests/__init__.py
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/__init__.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/__init__.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/acme_util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/acme_util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/util.cpython-310.opt-1.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/__pycache__/util.cpython-310.pyc
certbot /usr/lib/python3.10/site-packages/certbot/tests/acme_util.py
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/README
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert-5sans_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert-nosans_nistp256.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert-san_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_2048.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_512_bad.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_fullchain_2048.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_intermediate_1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_intermediate_2.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cert_leaf.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/cli.ini
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-6sans_512.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-6sans_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-nonames_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-nosans_512.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-nosans_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-nosans_nistp256.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr-san_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr_512.der
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/csr_512.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ec_prime256v1_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ec_secp384r1_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ec_secp521r1_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/nistp256_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ocsp_certificate.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ocsp_issuer_certificate.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/ocsp_responder_certificate.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/os-release
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/rsa2048_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/rsa256_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/rsa512_key.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive-ec/
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive-ec/cert1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive-ec/chain1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive-ec/fullchain1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive-ec/privkey1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive/
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive/cert1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive/chain1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive/fullchain1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-archive/privkey1.pem
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-renewal-ancient.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-renewal-deprecated-option.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-renewal-ec.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/sample-renewal.conf
certbot /usr/lib/python3.10/site-packages/certbot/tests/testdata/webrootconftest.ini
certbot /usr/lib/python3.10/site-packages/certbot/tests/util.py
certbot /usr/lib/python3.10/site-packages/certbot/util.py
certbot /usr/lib/systemd/
certbot /usr/lib/systemd/system/
certbot /usr/lib/systemd/system/certbot-renew.service
certbot /usr/lib/systemd/system/certbot-renew.timer
certbot /usr/lib/tmpfiles.d/
certbot /usr/lib/tmpfiles.d/certbot.conf
certbot /usr/share/
certbot /usr/share/man/
certbot /usr/share/man/man1/
certbot /usr/share/man/man1/certbot.1.gz
certbot /usr/share/man/man7/
certbot /usr/share/man/man7/certbot.7.gz
A detailed description of the Certbot command-line options
can be found at the following external link:
Let's Encrypt - Certbot - HTTP-01
Let's Encrypt - Certbot - /etc/httpd/conf/httpd.conf
Let's Encrypt gives the ACME client a token, and the ACME client, here Certbot, places a file on the web server at the following URL:
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
This file contains the token together with a fingerprint of the account key.
To make this possible, the configuration file
of the Apache HTTP Server has to be adjusted, for example as follows:
(Relevant excerpt only)
# Tachtler
# ----------------------------------------------------------
# For creation of Let's Encrypt certificates following lines
# are necessary.
# ----------------------------------------------------------
Alias /.well-known/acme-challenge/ /srv/http/.well-known/acme-challenge/
<Location /.well-known/acme-challenge/>
Require all granted
Satisfy Any
</Location>
Certbot creates, in the directory
the TOKEN files, which the Let's Encrypt servers then retrieve to verify authorization.
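The challenge file described above, as an added example (not code from this page or from Certbot): it derives the file content, the key authorization `<TOKEN>.<thumbprint>` of RFC 8555 with the RFC 7638 SHA-256 thumbprint of the account key, writes it below a webroot and checks a fetched body the way a validating server would. It goes one step beyond HTTP-01 by also deriving the DNS-01 TXT value from the same key authorization; the token, the JWK and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed sample values: not a real ACME token or account key.
SAMPLE_TOKEN = "constructed-token_0123456789ABCDEFabcdef"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "constructed-modulus-placeholder_0123456789", "kid": "ignored"}
OTHER_JWK = dict(SAMPLE_JWK, n="another-constructed-modulus_9876543210")

# Members that enter the thumbprint per key type (RFC 7638, section 3.2).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
# ACME tokens use the base64url alphabet only, so anything else is rejected
# before the token is ever used as a file name inside the webroot.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint over the required members only, sorted, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Content of the challenge file: token, a dot, the account key thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(jwk)}"


def provision_http01(webroot: Path, token: str, jwk: dict) -> Path:
    """Write <webroot>/.well-known/acme-challenge/<token>."""
    content = key_authorization(token, jwk)  # validates the token first
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    path = challenge_dir / token
    path.write_text(content, encoding="ascii")
    return path


def http01_response_ok(body: str, token: str, jwk: dict) -> bool:
    """Server-side comparison; trailing whitespace in the body is ignored."""
    return body.rstrip() == key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge TXT record used by DNS-01."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def demo() -> dict:
    """Provision the constructed challenge in a temporary webroot and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        path = provision_http01(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        body = path.read_text(encoding="ascii")
        return {
            "relative_path": path.relative_to(webroot).as_posix(),
            "body": body,
            "accepted": http01_response_ok(body, SAMPLE_TOKEN, SAMPLE_JWK),
            # A file written for a different account key must not validate.
            "other_key_accepted": http01_response_ok(body, SAMPLE_TOKEN, OTHER_JWK),
            "dns01_txt": dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the thumbprint binds the file to one account key, a token file copied from another account's order fails validation even though the path and token match.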
Let's Encrypt - Certbot - Restarting the Apache HTTPD Server
Before any further configuration steps, the server should be restarted, which can be done with the following command:
# systemctl restart httpd.service
NOTE - No further output is shown if the start was successful!
Let's Encrypt - Certbot - HTTP-01 - Certificate creation
With the following command, a Let's Encrypt certificate can be created for the first time using the ACME client Certbot:
# certbot certonly --test-cert --agree-tos --non-interactive -m webmaster@tachtler.net --webroot --webroot-path /srv/http -d apache.tachtler.net -d www.apache.tachtler.net
Explanations:
Parameter | Description |
certbot | Executable of the ACME client Certbot |
certonly | Subcommand to request or renew a certificate without installing it |
--webroot | Place the authentication files in a server's webroot directory |
--agree-tos | Accept the subscriber agreement of the ACME server |
-m <email> | E-mail address for important account notifications, e.g. certificate expiry |
--non-interactive | Run without requiring any user input |
--webroot-path <path> | Path to the web content in the Apache HTTPD Server. Can be given multiple times to handle different domains |
-d <domain.tld> | Domain and top-level domain. Can be given multiple times to handle different domains or to create the individual SANs (Subject Alternative Names) in one certificate |
Additional test parameters |
--test-cert | Run against the Let's Encrypt test server instead of the production server. |
--dry-run | Test certonly or renew without saving a certificate to disk |
Creation against the Let's Encrypt test CA
# certbot certonly --test-cert --agree-tos --non-interactive -m webmaster@tachtler.net --webroot --webroot-path /srv/http -d apache.tachtler.net -d www.apache.tachtler.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Requesting a certificate for apache.tachtler.net and www.apache.tachtler.net
Performing the following challenges:
http-01 challenge for apache.tachtler.net
http-01 challenge for www.apache.tachtler.net
Using the webroot path /srv/http for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apache.tachtler.net/privkey.pem
Your certificate will expire on 2022-08-01. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
NOTE - All directories and files resulting from the creation against the Let's Encrypt test CA can be deleted with the following command:
# rm -rf /etc/letsencrypt/*
Creation against the Let's Encrypt production CA
# certbot certonly --agree-tos --non-interactive -m webmaster@tachtler.net --webroot --webroot-path /srv/http -d apache.tachtler.net -d www.apache.tachtler.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Account registered.
Requesting a certificate for apache.tachtler.net and www.apache.tachtler.net
Performing the following challenges:
http-01 challenge for apache.tachtler.net
http-01 challenge for www.apache.tachtler.net
Using the webroot path /srv/http for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apache.tachtler.net/privkey.pem
Your certificate will expire on 2022-08-01. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
If the certificate was created successfully, then in the directory
a new subdirectory named after the first domain.tld, here
has been created. It contains all required files, and listing it with the following command should show content like this:
# ls -l /etc/letsencrypt/live/apache.tachtler.net/
total 4
lrwxrwxrwx 1 root root 43 May 3 16:58 cert.pem -> ../../archive/apache.tachtler.net/cert1.pem
lrwxrwxrwx 1 root root 44 May 3 16:58 chain.pem -> ../../archive/apache.tachtler.net/chain1.pem
lrwxrwxrwx 1 root root 48 May 3 16:58 fullchain.pem -> ../../archive/apache.tachtler.net/fullchain1.pem
lrwxrwxrwx 1 root root 46 May 3 16:58 privkey.pem -> ../../archive/apache.tachtler.net/privkey1.pem
-rw-r--r-- 1 root root 692 May 3 16:58 README
Whether the certificate was issued correctly can be checked with the following command:
# openssl x509 -noout -text -in /etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:23:02:61:a6:33:3e:fe:78:fb:ed:96:40:22:69:a3:ce:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: May 3 14:58:06 2022 GMT
Not After : Aug 1 14:58:05 2022 GMT
Subject: CN=apache.tachtler.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b2:08:1c:50:e0:64:a1:00:20:f2:95:72:67:5f:
c7:a2:64:bd:d6:ff:5c:8b:ff:0e:55:f9:dc:1d:2c:
6a:85:91:fd:a5:7c:4b:18:ad:22:0d:80:2e:14:30:
1b:6c:cc:52:28:ef:ce:93:3e:27:50:bb:29:3a:18:
d0:3a:83:91:41:4e:f1:42:9a:2c:de:76:87:7f:5a:
94:f7:e4:f5:35:82:59:1e:8c:96:71:b0:62:98:46:
e8:36:8a:55:08:3f:1c:4f:06:e8:a2:2c:63:8f:ce:
d5:7e:56:b5:8d:82:ff:64:86:78:0b:1c:b5:f4:a3:
67:29:c2:64:81:60:12:f7:e6:28:67:e7:62:80:a8:
31:9e:6e:bc:f4:6e:b5:91:16:b0:2f:35:a6:f6:52:
7b:16:5c:d2:b7:0b:57:3e:39:dd:de:1d:3c:9c:cf:
ed:14:d7:f6:bf:df:56:b6:91:88:3e:e5:a4:86:35:
1d:01:27:07:f6:a3:16:ce:22:90:5f:43:24:3e:96:
17:d0:c2:8d:9d:d0:e2:e6:cf:70:80:7d:c6:17:69:
43:4e:78:dd:54:ff:37:34:81:ca:89:e5:2d:35:ee:
93:1f:50:c2:53:25:7f:4c:81:a0:95:46:0f:cd:78:
75:0f:a4:3e:56:ca:eb:40:d0:f8:4e:c5:a8:1b:b7:
5a:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
15:E6:47:E2:A3:4C:2C:AA:11:6D:01:DF:70:7E:2A:73:9D:A4:F0:29
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:apache.tachtler.net, DNS:www.apache.tachtler.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
Timestamp : May 3 13:25:06.094 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:76:22:8B:F9:AA:5C:19:2E:49:D5:27:35:
1F:62:27:FD:E3:ED:B3:82:14:6D:4D:5B:C1:61:E5:2F:
AD:A6:36:83:02:21:00:91:27:A1:A7:CE:2E:18:C8:F9:
57:7D:36:50:F4:2B:10:14:2A:76:4B:65:4C:66:D5:44:
E9:C0:EF:35:61:28:20
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
Timestamp : May 3 13:25:06.599 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:1D:09:9C:CF:34:7C:E2:7D:B9:2C:53:38:
98:00:1E:5F:44:F4:B6:67:B5:AF:6E:80:CC:AB:6B:4C:
9C:56:81:1C:02:20:57:4C:9D:E8:6B:10:21:14:AC:0D:
BB:81:CF:FA:0C:D0:FD:48:AF:03:70:63:44:14:8E:71:
6A:39:AA:AB:82:4E
Signature Algorithm: sha256WithRSAEncryption
86:3e:cb:65:65:cc:8d:55:14:f9:46:f6:47:f1:1f:00:61:10:
d9:c5:af:8c:54:f1:63:51:3b:9c:22:39:0a:b9:c1:2a:56:38:
ae:36:5f:3c:a8:02:fc:10:d5:28:2d:d4:c0:c5:ee:9e:28:ee:
57:2e:19:51:f7:20:d0:1b:26:f8:5b:0a:cb:1a:9f:8d:b5:56:
50:52:e3:85:67:6d:5e:a5:d8:66:38:d7:6b:d4:50:12:6e:3a:
16:0e:fe:08:92:b3:be:48:51:f4:13:c1:9b:7e:c3:bc:e7:24:
d4:4e:a8:7b:b7:d7:1e:5e:cf:8c:b3:20:8e:ce:ec:8c:c0:b9:
b6:e4:2b:2a:db:0a:c7:07:f3:e5:c9:26:df:97:8f:90:37:3c:
08:85:24:be:c0:8c:74:19:1f:f3:fd:a4:ee:ba:c3:00:11:dc:
81:81:68:9a:cc:3b:02:94:e8:6a:a3:25:fd:f6:4f:48:43:ae:
98:25:d4:57:40:16:c1:2f:26:9a:e2:92:e9:00:ad:18:ee:df:
6b:22:5e:ae:ce:df:28:88:ae:38:00:4f:a6:b4:78:d3:a3:95:
51:ba:3b:bf:08:a3:72:e7:7e:43:cc:ac:e6:aa:19:28:ce:58:
c8:12:92:92:85:c2:2f:06:92:f6:37:21:62:50:6d:b3:65:bf:
36:18:bf:aa
The two important files here are:
which must be included in the configuration file
as described under the following internal link:
Let's Encrypt - Certbot - DNS-01
In addition to installing Certbot, when the Let's Encrypt challenge type DNS-01 is used, it should also be possible to perform dynamic DNS updates at the respective DNS provider fully automatically, so that a certificate renewal can also run under the control of a cron job or a systemd timer.
IMPORTANT - In what follows, the DNS provider Core Networks is used as the example!
Certbot can perform dynamic DNS updates by means of plugins. A list of the most common DNS plugins can be found under the following external link:
Additional DNS plugins can be found on the Internet, such as the following one for the DNS provider used here, Core Networks, under the following external link:
Let's Encrypt - pip - Installation
The following package is required to install pip:
python-pip - is included in the extra repository of ArchLinux.
The following command installs the python-pip package:
# pacman -S --noconfirm python-pip
Installation log
# pacman -S --noconfirm python-pip
resolving dependencies...
looking for conflicting packages...
Package (30) New Version Net Change Download Size
extra/python-appdirs 1.4.4-6 0.07 MiB 0.01 MiB
community/python-cachecontrol 1:0.12.6-4 0.10 MiB 0.03 MiB
extra/python-cffi 1.15.0-3 1.02 MiB 0.22 MiB
extra/python-chardet 4.0.0-5 2.10 MiB 0.19 MiB
community/python-colorama 0.4.4-6 0.08 MiB 0.02 MiB
community/python-contextlib2 0.6.0.post1-6 0.05 MiB 0.02 MiB
extra/python-cryptography 36.0.2-1 4.11 MiB
community/python-distlib 0.3.4-1 0.93 MiB 0.18 MiB
community/python-distro 1.7.0-1 0.16 MiB 0.03 MiB
community/python-html5lib 1.1-11 1.34 MiB 0.21 MiB
extra/python-idna 3.3-4 0.66 MiB 0.09 MiB
community/python-more-itertools 8.12.0-1 0.48 MiB 0.07 MiB
community/python-msgpack 1.0.3-1 0.25 MiB 0.07 MiB
extra/python-ordered-set 4.0.2-6 0.06 MiB 0.01 MiB
extra/python-packaging 20.9-7 0.18 MiB 0.05 MiB
extra/python-pep517 0.12.0-4 0.13 MiB 0.03 MiB
community/python-progress 1.6-5 0.04 MiB 0.01 MiB
extra/python-pycparser 2.21-3 1.39 MiB 0.19 MiB
extra/python-pyopenssl 22.0.0-1 0.54 MiB 0.08 MiB
extra/python-pyparsing 3.0.8-1 0.96 MiB 0.15 MiB
extra/python-requests 2.27.1-1 0.45 MiB 0.09 MiB
extra/python-resolvelib 0.5.5-4 0.10 MiB 0.02 MiB
extra/python-retrying 1.3.3-13 0.03 MiB 0.01 MiB
extra/python-setuptools 1:59.5.0-1 2.96 MiB 0.55 MiB
extra/python-six 1.16.0-5 0.09 MiB 0.02 MiB
community/python-toml 0.10.2-7 0.14 MiB 0.03 MiB
extra/python-tomli 2.0.1-1 0.08 MiB 0.02 MiB
extra/python-urllib3 1.26.9-1 0.70 MiB 0.18 MiB
community/python-webencodings 0.5.1-9 0.06 MiB 0.02 MiB
extra/python-pip 21.0-1 1.56 MiB 0.41 MiB
Total Download Size: 3.04 MiB
Total Installed Size: 20.84 MiB
:: Proceed with installation? [Y/n]
:: Retrieving packages...
python-setuptool... 562.5 KiB 173 KiB/s 00:03 [######################] 100%
python-pip-21.0-... 415.7 KiB 232 KiB/s 00:02 [######################] 100%
python-cffi-1.15... 227.4 KiB 219 KiB/s 00:01 [######################] 100%
python-html5lib-... 211.5 KiB 201 KiB/s 00:01 [######################] 100%
python-chardet-4... 196.5 KiB 201 KiB/s 00:01 [######################] 100%
python-pycparser... 194.3 KiB 148 KiB/s 00:01 [######################] 100%
python-urllib3-1... 184.6 KiB 210 KiB/s 00:01 [######################] 100%
python-distlib-0... 183.2 KiB 254 KiB/s 00:01 [######################] 100%
python-pyparsing... 152.7 KiB 170 KiB/s 00:01 [######################] 100%
python-requests-... 94.0 KiB 120 KiB/s 00:01 [######################] 100%
python-idna-3.3-... 90.0 KiB 237 KiB/s 00:00 [######################] 100%
python-pyopenssl... 86.2 KiB 196 KiB/s 00:00 [######################] 100%
python-more-iter... 73.8 KiB 295 KiB/s 00:00 [######################] 100%
python-msgpack-1... 73.7 KiB 205 KiB/s 00:00 [######################] 100%
python-packaging... 53.4 KiB 172 KiB/s 00:00 [######################] 100%
python-toml-0.10... 34.0 KiB 136 KiB/s 00:00 [######################] 100%
python-pep517-0.... 32.0 KiB 160 KiB/s 00:00 [######################] 100%
python-distro-1.... 31.1 KiB 155 KiB/s 00:00 [######################] 100%
python-cachecont... 30.3 KiB 233 KiB/s 00:00 [######################] 100%
python-colorama-... 24.8 KiB 165 KiB/s 00:00 [######################] 100%
python-resolveli... 23.6 KiB 169 KiB/s 00:00 [######################] 100%
python-six-1.16.... 23.2 KiB 129 KiB/s 00:00 [######################] 100%
python-tomli-2.0... 22.6 KiB 161 KiB/s 00:00 [######################] 100%
python-webencodi... 19.3 KiB 161 KiB/s 00:00 [######################] 100%
python-contextli... 15.6 KiB 130 KiB/s 00:00 [######################] 100%
python-appdirs-1... 15.0 KiB 116 KiB/s 00:00 [######################] 100%
python-progress-... 13.9 KiB 92.8 KiB/s 00:00 [######################] 100%
python-ordered-s... 13.6 KiB 151 KiB/s 00:00 [######################] 100%
python-retrying-... 10.8 KiB 108 KiB/s 00:00 [######################] 100%
Total (29/29) 3.0 MiB 170 KiB/s 00:18 [######################] 100%
(30/30) checking keys in keyring [######################] 100%
(30/30) checking package integrity [######################] 100%
(30/30) loading package files [######################] 100%
(30/30) checking for file conflicts [######################] 100%
(30/30) checking available disk space [######################] 100%
:: Running pre-transaction hooks...
(1/1) Performing snapper pre snapshots for the following configurations...
==> root: 12
:: Processing package changes...
( 1/30) installing python-appdirs [######################] 100%
( 2/30) installing python-msgpack [######################] 100%
( 3/30) installing python-urllib3 [######################] 100%
Optional dependencies for python-urllib3
python-pysocks: SOCKS support
python-brotli: Brotli support
python-pyopenssl: security support [pending]
python-idna: security support [pending]
( 4/30) installing python-chardet [######################] 100%
( 5/30) installing python-idna [######################] 100%
( 6/30) installing python-requests [######################] 100%
Optional dependencies for python-requests
python-pysocks: SOCKS proxy support
( 7/30) installing python-cachecontrol [######################] 100%
Optional dependencies for python-cachecontrol
python-lockfile: for the FileCache
( 8/30) installing python-colorama [######################] 100%
( 9/30) installing python-contextlib2 [######################] 100%
(10/30) installing python-distlib [######################] 100%
(11/30) installing python-more-itertools [######################] 100%
(12/30) installing python-ordered-set [######################] 100%
(13/30) installing python-pyparsing [######################] 100%
Optional dependencies for python-pyparsing
python-railroad-diagrams: for generating Railroad Diagrams
python-jinja: for generating Railroad Diagrams
(14/30) installing python-six [######################] 100%
(15/30) installing python-packaging [######################] 100%
(16/30) installing python-setuptools [######################] 100%
(17/30) installing python-distro [######################] 100%
(18/30) installing python-webencodings [######################] 100%
(19/30) installing python-html5lib [######################] 100%
Optional dependencies for python-html5lib
python-lxml: lxml treebuilder
python-genshi: genshi treewalker
(20/30) installing python-tomli [######################] 100%
(21/30) installing python-pep517 [######################] 100%
(22/30) installing python-progress [######################] 100%
(23/30) installing python-retrying [######################] 100%
(24/30) installing python-resolvelib [######################] 100%
(25/30) installing python-toml [######################] 100%
(26/30) installing python-pycparser [######################] 100%
(27/30) installing python-cffi [######################] 100%
(28/30) installing python-cryptography [######################] 100%
(29/30) installing python-pyopenssl [######################] 100%
(30/30) installing python-pip [######################] 100%
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Performing snapper post snapshots for the following configurations...
==> root: 13
The following command can be used to check which contents were installed with the python-pip package:
# pacman -Qil python-pip
Installed files
# pacman -Qil python-pip
Name : python-pip
Version : 21.0-1
Description : The PyPA recommended tool for installing Python packages
Architecture : any
URL : https://pip.pypa.io/
Licenses : MIT
Groups : None
Provides : None
Depends On : python-appdirs python-cachecontrol python-colorama
python-contextlib2 python-distlib python-distro
python-html5lib python-packaging python-pep517
python-progress python-requests python-retrying
python-resolvelib python-setuptools python-six python-toml
python-pyopenssl
Optional Deps : None
Required By : None
Optional For : python
Conflicts With : None
Replaces : None
Installed Size : 1600.35 KiB
Packager : Felix Yan <felixonmars@archlinux.org>
Build Date : Fri 25 Feb 2022 03:56:10 PM CET
Install Date : Wed 04 May 2022 03:33:17 PM CEST
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
python-pip /usr/
python-pip /usr/bin/
python-pip /usr/bin/pip
python-pip /usr/bin/pip3
python-pip /usr/bin/pip3.10
python-pip /usr/lib/
python-pip /usr/lib/python3.10/
python-pip /usr/lib/python3.10/site-packages/
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/PKG-INFO
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/SOURCES.txt
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/dependency_links.txt
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/entry_points.txt
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/not-zip-safe
python-pip /usr/lib/python3.10/site-packages/pip-21.0-py3.10.egg-info/top_level.txt
python-pip /usr/lib/python3.10/site-packages/pip/
python-pip /usr/lib/python3.10/site-packages/pip/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/__main__.py
python-pip /usr/lib/python3.10/site-packages/pip/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/__pycache__/__main__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/build_env.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/cache.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/configuration.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/exceptions.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/locations.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/main.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/pyproject.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/self_outdated_check.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/__pycache__/wheel_builder.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/build_env.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cache.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/autocompletion.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/base_command.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/cmdoptions.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/command_context.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/main.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/main_parser.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/parser.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/progress_bars.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/req_command.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/spinners.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/__pycache__/status_codes.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/autocompletion.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/base_command.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/cmdoptions.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/command_context.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/main.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/main_parser.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/parser.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/progress_bars.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/req_command.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/spinners.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/cli/status_codes.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/cache.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/check.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/completion.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/configuration.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/debug.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/download.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/freeze.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/hash.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/help.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/install.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/list.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/search.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/show.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/uninstall.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/cache.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/check.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/completion.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/configuration.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/debug.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/download.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/freeze.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/hash.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/help.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/install.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/list.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/search.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/show.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/uninstall.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/commands/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/configuration.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/base.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/installed.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/sdist.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/base.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/installed.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/sdist.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/distributions/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/exceptions.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/__pycache__/collector.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/__pycache__/package_finder.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/collector.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/index/package_finder.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/locations.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/main.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/candidate.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/direct_url.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/format_control.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/index.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/link.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/scheme.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/search_scope.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/selection_prefs.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/target_python.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/candidate.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/direct_url.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/format_control.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/index.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/link.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/scheme.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/search_scope.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/selection_prefs.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/target_python.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/models/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/auth.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/cache.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/download.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/lazy_wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/session.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/utils.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/__pycache__/xmlrpc.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/auth.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/cache.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/download.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/lazy_wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/session.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/utils.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/network/xmlrpc.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__pycache__/check.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__pycache__/freeze.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/__pycache__/prepare.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/metadata.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/metadata_legacy.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/__pycache__/wheel_legacy.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/metadata.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/metadata_legacy.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/build/wheel_legacy.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/check.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/freeze.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__pycache__/editable_legacy.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__pycache__/legacy.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/editable_legacy.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/legacy.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/install/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/operations/prepare.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/pyproject.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/constructors.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/req_file.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/req_install.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/req_set.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/req_tracker.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/__pycache__/req_uninstall.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/constructors.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/req_file.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/req_install.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/req_set.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/req_tracker.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/req/req_uninstall.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/__pycache__/base.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/base.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/__pycache__/resolver.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/legacy/resolver.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/base.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/candidates.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/factory.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/found_candidates.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/provider.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/reporter.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/requirements.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/__pycache__/resolver.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/base.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/candidates.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/factory.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/found_candidates.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/provider.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/reporter.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/requirements.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/resolution/resolvelib/resolver.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/self_outdated_check.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/appdirs.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/compat.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/compatibility_tags.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/datetime.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/deprecation.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/direct_url_helpers.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/distutils_args.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/encoding.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/entrypoints.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/filesystem.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/filetypes.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/glibc.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/hashes.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/inject_securetransport.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/logging.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/misc.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/models.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/packaging.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/parallel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/pkg_resources.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/setuptools_build.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/subprocess.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/temp_dir.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/typing.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/unpacking.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/urls.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/virtualenv.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/__pycache__/wheel.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/appdirs.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/compat.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/compatibility_tags.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/datetime.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/deprecation.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/direct_url_helpers.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/distutils_args.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/encoding.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/entrypoints.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/filesystem.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/filetypes.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/glibc.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/hashes.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/inject_securetransport.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/logging.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/misc.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/models.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/packaging.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/parallel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/pkg_resources.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/setuptools_build.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/subprocess.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/temp_dir.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/typing.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/unpacking.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/urls.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/virtualenv.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/utils/wheel.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/__init__.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/bazaar.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/git.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/mercurial.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/subversion.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/__pycache__/versioncontrol.cpython-310.pyc
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/bazaar.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/git.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/mercurial.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/subversion.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/vcs/versioncontrol.py
python-pip /usr/lib/python3.10/site-packages/pip/_internal/wheel_builder.py
python-pip /usr/lib/python3.10/site-packages/pip/_vendor/
python-pip /usr/lib/python3.10/site-packages/pip/_vendor/__init__.py
python-pip /usr/lib/python3.10/site-packages/pip/_vendor/__pycache__/
python-pip /usr/lib/python3.10/site-packages/pip/_vendor/__pycache__/__init__.cpython-310.pyc
python-pip /usr/share/
python-pip /usr/share/bash-completion/
python-pip /usr/share/bash-completion/completions/
python-pip /usr/share/bash-completion/completions/pip
python-pip /usr/share/fish/
python-pip /usr/share/fish/vendor_completions.d/
python-pip /usr/share/fish/vendor_completions.d/pip.fish
python-pip /usr/share/licenses/
python-pip /usr/share/licenses/python-pip/
python-pip /usr/share/licenses/python-pip/LICENSE
python-pip /usr/share/man/
python-pip /usr/share/man/man1/
python-pip /usr/share/man/man1/pip-cache.1.gz
python-pip /usr/share/man/man1/pip-check.1.gz
python-pip /usr/share/man/man1/pip-config.1.gz
python-pip /usr/share/man/man1/pip-debug.1.gz
python-pip /usr/share/man/man1/pip-download.1.gz
python-pip /usr/share/man/man1/pip-freeze.1.gz
python-pip /usr/share/man/man1/pip-hash.1.gz
python-pip /usr/share/man/man1/pip-help.1.gz
python-pip /usr/share/man/man1/pip-install.1.gz
python-pip /usr/share/man/man1/pip-list.1.gz
python-pip /usr/share/man/man1/pip-search.1.gz
python-pip /usr/share/man/man1/pip-show.1.gz
python-pip /usr/share/man/man1/pip-uninstall.1.gz
python-pip /usr/share/man/man1/pip-wheel.1.gz
python-pip /usr/share/man/man1/pip.1.gz
Let's Encrypt - pip: certbot-dns-corenetworks - Installation
Installing the PyPI package certbot-dns-corenetworks requires the following package:
The following command installs the certbot-dns-corenetworks package:
# pip install certbot-dns-corenetworks
Installation log
# pip install certbot-dns-corenetworks
Collecting certbot-dns-corenetworks
Downloading certbot_dns_corenetworks-0.2.1-py3-none-any.whl (8.3 kB)
Collecting parsedatetime<3.0,>=2.6
Downloading parsedatetime-2.6-py3-none-any.whl (42 kB)
|████████████████████████████████| 42 kB 75 kB/s
Collecting zope.interface<6.0.0,>=5.2.0
Downloading zope.interface-5.4.0.tar.gz (249 kB)
|████████████████████████████████| 249 kB 60 kB/s
Collecting corenetworks<0.3.0,>=0.2.0
Downloading corenetworks-0.2.1-py3-none-any.whl (10 kB)
Collecting acme<2.0.0,>=1.10.1
Downloading acme-1.27.0-py3-none-any.whl (48 kB)
|████████████████████████████████| 48 kB 157 kB/s
Collecting certbot<2.0.0,>=1.10.1
Downloading certbot-1.27.0-py3-none-any.whl (272 kB)
|████████████████████████████████| 272 kB 201 kB/s
Collecting pyrfc3339
Downloading pyRFC3339-1.1-py2.py3-none-any.whl (5.7 kB)
Requirement already satisfied: setuptools>=41.6.0 in /usr/lib/python3.10/site-packages (from acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (59.5.0)
Collecting josepy>=1.13.0
Downloading josepy-1.13.0-py2.py3-none-any.whl (29 kB)
Requirement already satisfied: cryptography>=2.5.0 in /usr/lib/python3.10/site-packages (from acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (36.0.2)
Collecting requests-toolbelt>=0.3.0
Downloading requests_toolbelt-0.9.1-py2.py3-none-any.whl (54 kB)
|████████████████████████████████| 54 kB 154 kB/s
Collecting pytz>=2019.3
Downloading pytz-2022.1-py2.py3-none-any.whl (503 kB)
|████████████████████████████████| 503 kB 104 kB/s
Requirement already satisfied: PyOpenSSL>=17.3.0 in /usr/lib/python3.10/site-packages (from acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (22.0.0)
Requirement already satisfied: requests>=2.20.0 in /usr/lib/python3.10/site-packages (from acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (2.27.1)
Collecting configobj>=5.0.6
Downloading configobj-5.0.6.tar.gz (33 kB)
Requirement already satisfied: distro>=1.0.1 in /usr/lib/python3.10/site-packages (from certbot<2.0.0,>=1.10.1->certbot-dns-corenetworks) (1.7.0)
Collecting ConfigArgParse>=0.9.3
Downloading ConfigArgParse-1.5.3-py3-none-any.whl (20 kB)
Collecting zope.component
Downloading zope.component-5.0.1-py2.py3-none-any.whl (68 kB)
|████████████████████████████████| 68 kB 206 kB/s
Requirement already satisfied: six in /usr/lib/python3.10/site-packages (from configobj>=5.0.6->certbot<2.0.0,>=1.10.1->certbot-dns-corenetworks) (1.16.0)
Collecting jsonschema<4.0.0,>=3.2.0
Downloading jsonschema-3.2.0-py2.py3-none-any.whl (56 kB)
|████████████████████████████████| 56 kB 160 kB/s
Requirement already satisfied: cffi>=1.12 in /usr/lib/python3.10/site-packages (from cryptography>=2.5.0->acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (1.15.0)
Requirement already satisfied: pycparser in /usr/lib/python3.10/site-packages (from cffi>=1.12->cryptography>=2.5.0->acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (2.21)
Collecting attrs>=17.4.0
Downloading attrs-21.4.0-py2.py3-none-any.whl (60 kB)
|████████████████████████████████| 60 kB 154 kB/s
Collecting pyrsistent>=0.14.0
Downloading pyrsistent-0.18.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (115 kB)
|████████████████████████████████| 115 kB 159 kB/s
Requirement already satisfied: chardet>=3.0.2 in /usr/lib/python3.10/site-packages (from requests>=2.20.0->acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (4.0.0)
Requirement already satisfied: idna>=2.5 in /usr/lib/python3.10/site-packages (from requests>=2.20.0->acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (3.3)
Requirement already satisfied: urllib3>=1.21.1 in /usr/lib/python3.10/site-packages (from requests>=2.20.0->acme<2.0.0,>=1.10.1->certbot-dns-corenetworks) (1.26.9)
Collecting zope.hookable>=4.2.0
Downloading zope.hookable-5.1.0.tar.gz (21 kB)
Collecting zope.event
Downloading zope.event-4.5.0-py2.py3-none-any.whl (6.8 kB)
Using legacy 'setup.py install' for configobj, since package 'wheel' is not installed.
Using legacy 'setup.py install' for zope.interface, since package 'wheel' is not installed.
Using legacy 'setup.py install' for zope.hookable, since package 'wheel' is not installed.
Installing collected packages: pytz, zope.interface, zope.hookable, zope.event, requests-toolbelt, pyrsistent, pyrfc3339, josepy, attrs, zope.component, parsedatetime, jsonschema, configobj, ConfigArgParse, acme, corenetworks, certbot, certbot-dns-corenetworks
Running setup.py install for zope.interface ... done
Running setup.py install for zope.hookable ... done
Running setup.py install for configobj ... done
Successfully installed ConfigArgParse-1.5.3 acme-1.27.0 attrs-21.4.0 certbot-1.27.0 certbot-dns-corenetworks-0.2.1 configobj-5.0.6 corenetworks-0.2.1 josepy-1.13.0 jsonschema-3.2.0 parsedatetime-2.6 pyrfc3339-1.1 pyrsistent-0.18.1 pytz-2022.1 requests-toolbelt-0.9.1 zope.component-5.0.1 zope.event-4.5.0 zope.hookable-5.1.0 zope.interface-5.4.0
The following command shows what was installed with the certbot-dns-corenetworks package:
# pip show certbot-dns-corenetworks
Installed files
# pip show certbot-dns-corenetworks
Name: certbot-dns-corenetworks
Version: 0.2.1
Summary: Core Networks DNS Authenticator plugin for Certbot.
Home-page: https://github.com/thegeeklab/certbot-dns-corenetworks/
Author: Robert Kaussow
Author-email: mail@thegeeklab.de
License: MIT
Location: /usr/lib/python3.10/site-packages
Requires: corenetworks, zope.interface, certbot, acme, parsedatetime
Required-by:
To verify that Certbot can actually use the DNS plugin, list all plugins known to Certbot with the following command:
# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-corenetworks
Description: Obtain certificates using a DNS TXT record (if you are using Core
Networks for your domains).
Interfaces: Authenticator, Plugin
Entry point: dns-corenetworks =
certbot_dns_corenetworks.dns_corenetworks:Authenticator
* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Let's Encrypt - pip: certbot-dns-corenetworks - Configuration: /etc/corenetworks.ini
To configure the PyPI certbot-dns-corenetworks DNS plugin, a configuration file with the content shown below must be created using the following command:
# vim /etc/corenetworks.ini
The content of the configuration file /etc/corenetworks.ini follows:
dns_corenetworks_username = Benutzername
dns_corenetworks_password = GeheimesPasswort
Afterwards, the file permissions can be restricted as follows with the following command:
# chmod 400 /etc/corenetworks.ini
IMPORTANT - The credentials can usually be obtained or set on the website of the respective DNS provider!
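The credentials file holds the login that the DNS plugin uses to change DNS records, so a pre-flight check before running Certbot is worthwhile. The following check is an added example, not part of the original page or of the plugin; the function name, the verdict words and the default owner UID 0 are assumptions, and it relies on GNU stat as shipped with Arch Linux.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the
# credentials file of the dns-corenetworks plugin.
# Assumptions: GNU stat; function name and verdict words are made up here.

# check_credentials_file FILE [OWNER_UID]
# Prints "ok" or a space-separated list of findings; returns 0 only for "ok".
check_credentials_file() {
    local file owner_uid mode uid key findings
    file="$1"
    owner_uid="${2:-0}"           # default: the file must belong to root
    findings=""

    if [ ! -f "$file" ]; then
        echo "missing-file"
        return 1
    fi

    mode=$(stat -c '%a' "$file")  # octal permissions, e.g. 400 or 644
    uid=$(stat -c '%u' "$file")   # numeric owner

    # Group and other must have no access: the last two octal digits are 00.
    case "$mode" in
        0|*00) ;;
        *) findings="$findings mode-$mode" ;;
    esac
    [ "$uid" = "$owner_uid" ] || findings="$findings owner-uid-$uid"

    # Both keys used on this page must be present with a non-empty value.
    for key in dns_corenetworks_username dns_corenetworks_password; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file" \
            || findings="$findings missing-$key"
    done

    if [ -n "$findings" ]; then
        echo "${findings# }"
        return 1
    fi
    echo "ok"
}

# Constructed sample: a temporary file stands in for /etc/corenetworks.ini.
demo_credentials_check() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' 'dns_corenetworks_username = Benutzername' > "$tmp"
    chmod 644 "$tmp"
    # World-readable and incomplete: two findings are reported.
    check_credentials_file "$tmp" "$(id -u)" || true
    printf '%s\n' 'dns_corenetworks_password = GeheimesPasswort' >> "$tmp"
    chmod 400 "$tmp"
    # Complete and readable by the owner only.
    check_credentials_file "$tmp" "$(id -u)" || true
    rm -f "$tmp"
}

demo_credentials_check
```

On the server itself the call is `check_credentials_file /etc/corenetworks.ini`, run as root.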
Let's Encrypt - Certbot - DNS-01 - Certificate creation
The following command uses the ACME client Certbot to create a Let's Encrypt certificate for the first time:
NOTE - The certificate is created as a wildcard certificate, but for demonstration purposes for the subdomain *.apache.tachtler.net!
# certbot certonly --test-cert --agree-tos --non-interactive -m webmaster@tachtler.net --authenticator dns-corenetworks --dns-corenetworks-credentials /etc/corenetworks.ini --dns-corenetworks-propagation-seconds 30 -d *.apache.tachtler.net
Explanations:
Parameter | Description |
certbot | Executable of the ACME client Certbot |
certonly | Subcommand to obtain or renew a certificate without installing it |
--agree-tos | Accept the subscriber agreement of the ACME server |
-m <e-mail> | E-mail address for important account notifications, e.g. certificate expiry |
--non-interactive | Run without requiring any user input |
--authenticator <plugin> | Name of the DNS plugin to use |
--webroot | Place the authentication files in a server's webroot folder |
--dns-corenetworks-credentials <file> | File with the credentials (user name and password) for the DNS provider in use |
--dns-corenetworks-propagation-seconds <n> | Seconds the DNS plugin waits until the DNS changes have been carried out at the DNS provider |
Additional test parameters |
--test-cert | Run against the Let's Encrypt test server instead of the production server. |
--dry-run | Test certonly or renew without saving a certificate to disk |
Creation against the Let's Encrypt test CA
# certbot certonly --test-cert --agree-tos --non-interactive -m webmaster@tachtler.net --authenticator dns-corenetworks --dns-corenetworks-credentials /etc/corenetworks.ini --dns-corenetworks-propagation-seconds 30 -d *.apache.tachtler.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.apache.tachtler.net
Waiting 30 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache.tachtler.net/privkey.pem
This certificate expires on 2022-08-02.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the
certificate in the background, but you may need to take steps to enable that functionality. See
https://certbot.org/renewal-setup for instructions.
NOTE - All directories and files left over from the creation against the Let's Encrypt test CA can be deleted with the following command:
# rm -rf /etc/letsencrypt/*
Creation against the Let's Encrypt production CA
# certbot certonly --agree-tos --non-interactive -m webmaster@tachtler.net --authenticator dns-corenetworks --dns-corenetworks-credentials /etc/corenetworks.ini --dns-corenetworks-propagation-seconds 30 -d *.apache.tachtler.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.apache.tachtler.net
Waiting 30 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache.tachtler.net/privkey.pem
This certificate expires on 2022-08-02.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the
certificate in the background, but you may need to take steps to enable that functionality. See
https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If a certificate was created successfully, a new subdirectory named after the first domain.tld, here apache.tachtler.net, has been created in the directory /etc/letsencrypt/live/. It contains all required files, and its content, listed with the following command, should look like this:
# ls -l /etc/letsencrypt/live/apache.tachtler.net/
total 20
lrwxrwxrwx 1 root root 43 May 4 19:54 cert.pem -> ../../archive/apache.tachtler.net/cert1.pem
lrwxrwxrwx 1 root root 44 May 4 19:54 chain.pem -> ../../archive/apache.tachtler.net/chain1.pem
lrwxrwxrwx 1 root root 48 May 4 19:54 fullchain.pem -> ../../archive/apache.tachtler.net/fullchain1.pem
lrwxrwxrwx 1 root root 46 May 4 19:54 privkey.pem -> ../../archive/apache.tachtler.net/privkey1.pem
-rw-r--r-- 1 root root 692 May 4 19:54 README
Whether the certificate was issued correctly can be checked with the following command:
# openssl x509 -noout -text -in /etc/letsencrypt/live/apache.tachtler.net/fullchain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:88:1d:ca:cf:62:42:97:08:c4:77:b0:f2:87:98:61:a1:c6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: May 4 16:54:24 2022 GMT
Not After : Aug 2 16:54:23 2022 GMT
Subject: CN = *.apache.tachtler.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a6:14:9a:de:a3:2f:18:51:1d:b4:f4:48:ba:01:
26:f6:38:7c:22:cd:76:25:e6:6a:54:6a:ec:a5:f1:
ea:53:70:5c:22:19:01:bc:82:d4:80:38:5f:d8:da:
1e:3f:ab:05:3b:1f:5b:55:9a:5c:e6:15:66:cd:d2:
42:63:b6:6c:9b:57:c5:ce:bc:14:75:6c:5e:77:7e:
fb:b1:36:f4:d6:79:70:2c:a9:62:d1:10:c5:c4:fb:
22:91:b8:84:8d:47:13:f7:87:4e:b4:1e:c6:6d:c4:
f6:5c:d0:73:5e:86:8c:59:a7:26:f2:df:7a:25:c6:
b9:79:28:c6:27:c7:42:cc:0e:b2:46:83:00:25:c2:
8e:ca:09:39:9f:93:d2:82:ab:52:1c:7f:c9:86:e2:
16:4e:69:40:23:6a:f2:9b:f5:1e:56:4f:33:c9:ff:
81:8a:7e:ed:5e:83:e2:5c:e3:e3:e4:2b:e6:30:d6:
5a:5f:0f:81:81:02:99:c4:5e:33:10:7e:6e:91:dc:
09:f8:e2:34:dc:39:c8:db:19:30:43:f5:8a:39:60:
32:49:0e:0b:d6:6d:b4:84:c6:97:7a:3d:2b:3c:02:
7d:1b:dd:bd:67:e8:31:05:12:82:b5:7d:68:41:d9:
2d:d3:52:d8:e4:93:95:da:a7:ec:4d:bc:d3:0c:d4:
21:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
28:05:31:53:95:CC:64:52:37:C9:93:33:DF:FA:8F:50:AA:F2:1F:62
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.apache.tachtler.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
Timestamp : May 4 17:54:24.973 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:06:33:94:D4:7D:1C:4B:81:85:37:55:8E:
C6:40:34:1D:75:8F:BC:55:95:D9:11:02:2D:1F:09:28:
DE:B9:B7:CD:02:20:61:A0:84:3B:B8:E7:EF:61:47:24:
49:6E:86:BB:1F:BA:76:28:AF:3D:65:28:67:B5:05:59:
F6:50:95:2C:71:6A
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
Timestamp : May 4 17:54:24.960 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:C2:7E:FD:0B:6C:86:2D:AA:EC:85:54:
D3:64:7A:A0:B8:46:40:72:0D:43:0D:65:C6:9E:8B:E3:
19:3F:A8:B6:67:02:21:00:8C:5A:04:FE:FA:9B:0D:1F:
C7:4F:4B:C7:B9:C5:18:D3:8B:E4:BF:33:F9:58:34:41:
54:98:80:AF:57:3B:41:6A
Signature Algorithm: sha256WithRSAEncryption
00:3d:ec:cc:25:c4:77:ab:ff:68:f5:ef:af:f8:7d:d4:a3:d1:
cf:7a:83:9f:72:b2:8d:da:89:bb:5d:eb:38:eb:b5:75:43:3f:
0d:bf:6b:fa:42:4f:d0:27:15:2c:1d:54:44:f2:45:b2:71:a9:
47:b8:9b:ed:e7:80:1d:0b:7f:30:ef:b0:49:64:d6:ab:4e:0f:
67:82:72:de:d5:c6:71:ca:43:20:7c:f1:c2:03:35:90:dc:30:
82:40:4c:b0:22:c3:58:30:a3:1e:71:6f:8b:2f:86:62:61:d3:
72:f0:16:e2:7c:74:db:ac:05:9f:93:0e:3e:52:56:96:da:7a:
8a:75:69:47:09:7f:da:ed:e4:96:f0:dc:74:c9:2d:2d:8c:5f:
44:33:29:f7:9c:a6:8f:3f:a1:ac:5b:e6:16:a9:ae:ea:9c:4b:
69:46:24:9d:b2:bd:5d:fc:ce:f8:6c:12:a6:f6:78:7d:9f:7b:
ca:c1:5b:c7:ed:79:c5:06:56:78:d2:bd:7c:7f:eb:d5:22:eb:
72:f4:e9:48:68:52:75:fe:65:a4:da:ae:03:47:ff:6a:0d:e3:
f6:b9:26:35:c3:84:d5:18:c3:13:79:95:82:2e:a9:78:3a:88:
a6:b4:ba:c3:e8:b6:0a:cc:f4:e0:51:2c:1a:7f:fe:14:bb:11:
69:cb:f0:cf
The two important files here are:
which must be included in the configuration file
as described under the following internal link:
Let's Encrypt - Apache - SSL configuration
Let's Encrypt - Apache: /etc/httpd/conf/httpd.conf
Finally, the following configuration file
still has to be changed so that the commented-out line shown below, which pulls in a further configuration file,
is uncommented:
(Relevant excerpt only):
# Secure (SSL/TLS) connections
# Tachtler
# default: #Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Explanations:
Include conf/extra/httpd-ssl.conf
Uncomments the prepared line, which is commented out by default, so that the configuration file containing the SSL configuration is actually included.
Let's Encrypt - Apache - Restarting the Apache HTTPD server with the certificate
A final restart is now required, which can be performed with the following command:
# systemctl restart httpd.service
NOTE - There is no further output if the start was successful!
Let's Encrypt - Apache - Test
Once the Apache HTTP Server has been restarted successfully again, the page can be requested with a browser by entering the following URL
as shown in the following image:
NOTE - The page is requested over an encrypted connection by entering https://apache.tachtler.net !
NOTE - With DNS-01 the certificate was created as a wildcard certificate, for demonstration purposes for the subdomain *.apache.tachtler.net!
NOTE - The page is requested over an encrypted connection by entering https://www.apache.tachtler.net !
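Which host names a certificate covers whose only SAN entry is DNS:*.apache.tachtler.net, as in the openssl output above, follows from the wildcard rule: the asterisk stands for exactly one left-most label. The following functions are an added example, not part of the original page; the names san_covers and cert_covers are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): match host names against the
# dNSName entries of a certificate, including the wildcard rule
# "* replaces exactly one left-most label".

# san_covers HOST PATTERN: return 0 if the single SAN entry PATTERN covers HOST.
san_covers() {
    local host pattern suffix label
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#?}              # drop "*", keep ".apache.tachtler.net"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case "$label" in
                ''|*.*) return 1 ;;          # no label, or more than one label
            esac
            return 0
            ;;
        *)
            [ "$host" = "$pattern" ]         # non-wildcard entries must match exactly
            ;;
    esac
}

# cert_covers HOST SAN_LINE: SAN_LINE is the value openssl prints under
# "X509v3 Subject Alternative Name", e.g. "DNS:a.example, DNS:b.example".
cert_covers() {
    local host rest entry
    host="$1"
    rest="$2"
    while [ -n "$rest" ]; do
        entry=${rest%%,*}                    # text up to the first comma
        case "$rest" in
            *,*) rest=${rest#*,} ;;
            *)   rest="" ;;
        esac
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case "$entry" in
            DNS:*)
                if san_covers "$host" "${entry#DNS:}"; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# SAN value taken from the certificate shown on this page.
SAN_LINE='DNS:*.apache.tachtler.net'
for h in www.apache.tachtler.net apache.tachtler.net a.www.apache.tachtler.net; do
    if cert_covers "$h" "$SAN_LINE"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

A certificate that should also serve the bare name needs that name as a second SAN entry, which corresponds to a second -d argument when the certificate is requested.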
OCSP Stapling
OCSP (Online Certificate Status Protocol) stapling, also known as the TLS Certificate Status Request extension, is a further approach to checking the validity status of digital certificates. It lets the Apache HTTP Server take over the task of certificate validation by attaching ("stapling") a time-stamped OCSP response signed by the certificate authority to the initial TLS handshake. This considerably reduces the communication overhead between clients and certificate authorities, because the client does not have to send an OCSP request to the certificate authority but receives the response directly from the Apache HTTP Server.
To set up OCSP (Online Certificate Status Protocol) stapling, the following configuration file has to be adjusted:
The following configuration file
must be changed as follows:
(Relevant excerpt only):
# OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
# This feature is disabled by default and requires at least
# the two directives SSLUseStapling and SSLStaplingCache.
# Refer to the documentation on OCSP Stapling in the SSL/TLS
# How-To for more information.
#
# Enable stapling for all SSL-enabled servers:
# Tachtler
# default: #SSLUseStapling On
SSLUseStapling On
# Define a relatively small cache for OCSP Stapling using
# the same mechanism that is used for the SSL session cache
# above. If stapling is used with more than a few certificates,
# the size may need to be increased. (AH01929 will be logged.)
# Tachtler
# default: #SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
Explanations:
SSLUseStapling On
Uncomments the prepared line, which is commented out by default, so that OCSP (Online Certificate Status Protocol) stapling is enabled in the Apache HTTP Server.
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"
Configures the cache used to store the OCSP (Online Certificate Status Protocol) stapling responses that are included in the TLS handshake when SSLUseStapling
is enabled. Configuring a cache is mandatory for OCSP (Online Certificate Status Protocol) stapling.
OCSP Stapling - Apache - Restarting the Apache HTTPD server
A final restart is now required, which can be performed with the following command:
# systemctl restart httpd.service
NOTE - There is no further output if the start was successful!
OCSP Stapling - Apache - Test
The following query makes it possible to test whether the Apache HTTP Server really attaches, or rather "prepends", an OCSP (Online Certificate Status Protocol) stapling response to the TLS handshake:
# openssl s_client -connect apache.tachtler.net:443 -status | more
(Relevant excerpt only):
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: Jun 5 01:25:00 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
Serial Number: 03230261A6333EFE78FBED96402269A3CE1E
Cert Status: good
This Update: Jun 5 01:00:00 2022 GMT
Next Update: Jun 12 00:59:58 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
41:cf:b5:93:5a:bd:f4:e3:e4:63:87:db:d8:67:f2:cf:3b:6c:
06:c7:e8:83:78:04:fe:c3:67:07:4c:33:e6:65:e6:a1:0e:34:
18:be:17:18:fa:ba:37:c2:43:73:63:e3:c8:4f:7b:9d:7f:74:
37:e5:cb:2d:8b:8d:1d:2c:38:c3:fc:c6:75:d8:95:5d:06:f9:
59:78:4d:d7:62:94:1c:5d:00:b6:f0:e7:69:1d:30:23:dc:a9:
5d:80:ec:ae:45:af:69:58:e0:3c:90:e6:44:1d:48:90:03:b3:
80:e0:84:38:a2:d4:d1:87:32:ce:45:22:cd:6e:04:72:f6:76:
de:dd:62:89:a2:5b:61:3f:36:6a:85:0e:06:42:bf:9e:7f:7a:
28:fc:05:6d:80:fd:d1:93:4e:be:48:81:67:da:0a:82:2a:d6:
f9:79:d7:30:7d:78:2a:68:ef:7c:e7:a1:d3:2d:3e:76:c8:42:
e8:12:39:f7:10:7d:c0:40:07:d6:2c:ac:f5:1a:ba:98:46:17:
85:b7:18:3c:62:21:62:8c:0d:19:e7:ff:0a:93:a3:f1:60:cb:
fb:d4:c9:5c:1f:7d:0c:3b:1a:e5:ec:cd:94:7b:22:90:8f:84:
ec:3f:82:0e:5e:14:96:80:3a:33:74:b1:4d:b7:87:f9:ab:a3:
77:d7:04:3a
======================================
NOTE - The query/OpenSSL client connection can be ended by pressing the key combination [Ctrl]-[c].
NOTE - The two important lines here are:
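One way to evaluate the stapling test automatically, as an added example that is not part of the original page: the functions read a saved `openssl s_client -status` transcript and report whether a staple is present, successful, `good` and not yet past its Next Update. Function names and verdict words are assumptions; the two sample transcripts are constructed and reduced to the fields that are evaluated.

```shell
#!/bin/sh
# Added example (not from the original page): judge the stapled OCSP response
# in the output of `openssl s_client -status`.

# Turn an OpenSSL timestamp ("Jun 12 00:59:58 2022 GMT") into a sortable
# UTC key (20220612005958) without depending on GNU date.
ocsp_time_key() {
    printf '%s\n' "$1" | awk '{
        month = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4, month, $2, $3
    }'
}

# staple_field TRANSCRIPT LABEL: print the value of the first "LABEL: value" line.
staple_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_staple [NOW_KEY]: read a transcript on stdin, print one verdict word,
# return 0 only for "ok". NOW_KEY defaults to the current UTC time.
check_staple() {
    local now transcript status cert next
    now="${1:-$(date -u +%Y%m%d%H%M%S)}"
    transcript=$(cat)

    # Printed by s_client when the server sent no stapled response.
    if printf '%s\n' "$transcript" | grep -q 'OCSP response: no response sent'; then
        echo "no-staple"
        return 1
    fi
    status=$(staple_field "$transcript" 'OCSP Response Status')
    cert=$(staple_field "$transcript" 'Cert Status')
    next=$(staple_field "$transcript" 'Next Update')

    case "$status" in
        successful*) ;;
        '') echo "no-staple"; return 1 ;;
        *)  echo "responder-error"; return 1 ;;
    esac
    if [ "$cert" != "good" ]; then echo "cert-$cert"; return 1; fi
    if [ -z "$next" ]; then echo "no-next-update"; return 1; fi
    # A response past its Next Update must not be trusted any more.
    if [ "$(ocsp_time_key "$next")" -le "$now" ]; then echo "stale"; return 1; fi
    echo "ok"
}

# Constructed sample transcripts, laid out like the excerpt above.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jun  5 01:25:00 2022 GMT
    Cert Status: good
    This Update: Jun  5 01:00:00 2022 GMT
    Next Update: Jun 12 00:59:58 2022 GMT
======================================
EOF
}

sample_unstapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Evaluate the stapled sample as of 2022-06-06 00:00:00 UTC.
sample_stapled | check_staple 20220606000000
```

Against a live server, the transcript can be piped in directly: `openssl s_client -connect apache.tachtler.net:443 -status </dev/null 2>/dev/null | check_staple`.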
SSL Ciphers - Apache
The following link provides a "recommendation" as to which ciphers (encryption algorithms) the Apache HTTP Server should negotiate when communicating with clients (e.g. browsers or mobile devices).
CAUTION - Settings that are too restrictive can reduce the reachability of the Apache HTTP Server, while settings that are too permissive can endanger secure communication. The trade-off has to be weighed carefully, taking into account who the clients accessing the Apache HTTP Server are!
See also the following external link:
NOTE - The settings for the directives
should NOT be set; these should be set to on
or left at that value!
Explanations:
When a cipher (encryption algorithm) is chosen during an SSLv3 or TLSv1 handshake with a client (e.g. browsers or mobile devices), the client's preference is normally used. If this directive is enabled, the server's preference is used instead. This is NOT the default setting, but it is set explicitly!
This is the default setting and is normally not set explicitly in the configuration file /etc/httpd/conf/extra/httpd-ssl.conf.
This directive enables the use of TLS session tickets (RFC 5077).
Thanks to a process in which the "SSLSessionTicket" is signed, the "SSLSessionTicket" can likewise be regarded as secure. That does not change the fact that at least one vulnerability exists, in that the session parameters could theoretically be stolen on the client side. It is therefore also a question of whether the attack surface should be reduced at the expense of performance.
A request with the following parameters produced the following answer:
moz://a SSL Configuration Generator - Apache - Intermediate - Server Version: 2.4.53 - OpenSSL Version: 1.1.1o - HTTP Strict Transport Security: disabled
The following configuration file
must be changed as follows:
(Relevant excerpt only):
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# Tachtler
# default: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# default: SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
# kRSA ciphers do not offer forward secrecy. These changes inhibit
# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
# non-browser tooling) from successfully connecting.
#
# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
# those protocols which do not support forward secrecy, replace
# the SSLCipherSuite and SSLProxyCipherSuite directives above with
# the following two directives, as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
# Tachtler
# default: SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Tachtler
# default: SSLProxyProtocol all -SSLv3
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
Explanations:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This complex directive takes a colon-separated cipher string consisting of OpenSSL cipher specifications to configure the cipher suite that the client is permitted to negotiate in the SSL handshake phase. The optional protocol specifier can configure the cipher suite for a specific SSL version.
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This directive can be used to control the SSL protocol variants that mod_ssl
should use when setting up its server environment for proxy. It will only connect to servers that use one of the specified protocols. See also the explanations for: SSLCipherSuite
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
This directive can be used to control which versions of the SSL/TLS protocol are accepted for new connections.
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
This directive can be used to control which SSL protocol variants mod_ssl
should use when it sets up its server environment for proxy. It will only connect to servers that use one of the specified protocols. See also the explanations for: SSLProtocol
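The directives explained above can be checked mechanically before the restart. The following is an added example, not part of the original page or of Apache: a small auditor that skips commented-out defaults, evaluates SSLProtocol tokens the way mod_ssl does, and flags cipher entries that are not explicit (EC)DHE suites. The function names, the expansion of "all" and the sample strings are assumptions made for the example.

```python
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: "all" stands for every version mod_ssl may know about.
ALL = LEGACY | {"TLSv1.2", "TLSv1.3"}

def directives(conf):
    """Yield (name, args) for active lines; '#' comment lines are skipped."""
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, *args = line.split()
            yield name, args

def enabled_protocols(tokens):
    """mod_ssl semantics: '+' adds, '-' removes, a bare name replaces the set."""
    on = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        vers = ALL if name.lower() == "all" else {name}
        if sign == "+":
            on |= vers
        elif sign == "-":
            on -= vers
        else:
            on = set(vers)
    return on

def audit(conf):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    for name, args in directives(conf):
        if name in ("SSLProtocol", "SSLProxyProtocol"):
            for v in sorted(enabled_protocols(args) & LEGACY):
                findings.append(f"{name}: {v} still enabled")
        elif name in ("SSLCipherSuite", "SSLProxyCipherSuite"):
            # Last argument is the cipher string; a protocol specifier may precede it.
            for c in args[-1].split(":"):
                if not c.startswith(("ECDHE-", "DHE-")):
                    findings.append(f"{name}: {c} is not an explicit (EC)DHE suite")
        elif name == "SSLHonorCipherOrder" and args != ["on"]:
            findings.append("SSLHonorCipherOrder: client preference is used")
    if not any(n == "SSLHonorCipherOrder" for n, _ in directives(conf)):
        findings.append("SSLHonorCipherOrder: not set, default is off")
    return findings

# Constructed samples: defaults quoted in the excerpt's comments, and the edited
# directives with the cipher list shortened to three entries.
DEFAULTS = "SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES\nSSLProtocol all -SSLv3\n"
HARDENED = ("# default: SSLProtocol all -SSLv3\n"
            "SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384\n"
            "SSLHonorCipherOrder on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n")
```

Alias tokens such as HIGH or MEDIUM are reported because their content depends on the installed OpenSSL; `openssl ciphers -v 'HIGH:MEDIUM'` lists what they expand to on a given system.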
SSL-Ciphers - Apache - Restarting the Apache HTTPD Server
A final restart is now required, which can be carried out with the following command:
# systemctl restart httpd.service
NOTE - No further output is produced if the start was successful!
SSL-Ciphers - Apache - Test