(Modifié le 08/10/2019)

Yunohost , installer et renouveler les certificats Let’s encrypt

yunohost >= 2.5
# yunohost domain -h

...
    cert-status         List status of current certificates (all by default).
    cert-install        Install Let's Encrypt certificates for given domains
                        (all by default).
    cert-renew          Renew the Let's Encrypt certificates for given domains
                        (all by default).
...

Exemple :
# yunohost domain cert-install mondomaine.tld --force

Succès ! La configuration de SSOwat a été générée
Succès ! La configuration a été mise à jour pour le service « dnsmasq »
Succès ! Installation avec succès d’un certificat Let’s Encrypt pour le domaine mondomaine.tld !

Génération des certificats avec le client acme.sh

Liens

Installation client acme

Installation client acme.sh (https://github.com/Neilpang/acme.sh)

cd ~
sudo apt install socat -y # prérequis
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install 
[mardi 13 août 2019, 21:38:57 (UTC+0200)] Installing to /home/usera//.acme.sh
[mardi 13 août 2019, 21:38:57 (UTC+0200)] Installed to /home/usera//.acme.sh/acme.sh
[mardi 13 août 2019, 21:38:57 (UTC+0200)] Installing alias to '/home/usera//.bashrc'
[mardi 13 août 2019, 21:38:57 (UTC+0200)] OK, Close and reopen your terminal to start using acme.sh
[mardi 13 août 2019, 21:38:57 (UTC+0200)] Installing cron job
18 0 * * * "/home/usera//.acme.sh"/acme.sh --cron --home "/home/usera//.acme.sh" > /dev/null
[mardi 13 août 2019, 21:38:57 (UTC+0200)] Good, bash is found, so change the shebang to use bash as preferred.
[mardi 13 août 2019, 21:38:57 (UTC+0200)] OK

Fermer le terminal, puis le réouvrir et vérifier

$ acme.sh -h

Création de clé et des certificats avec API OVH

Passer l’étape 1 si vous avez déjà un jeu de clé

1 - Create application key and secret

https://eu.api.ovh.com/createApp/

Application Name : DNS-Api
Application Description : certificats
Application Key : REC23OMyBq2FZrLN
Application Secret : 32eqGDOrrF6b1Smj4kFgQdv1zX2DW7US

2 - Set api key and api secret.

# application key
export OVH_AK="REC23OMyBq2FZrLN"

# application secret
export OVH_AS="32eqGDOrrF6b1Smj4kFgQdv1zX2DW7US"

Génération des certificats

acme.sh --dns dns_ovh --issue --keylength 4096 -d mondomaine.tld -d *.mondomaine.tld # Clé RSA 4096bits , chiffrement RSA est un algorithme de cryptographie asymétrique
acme.sh --dns dns_ovh --issue --keylength ec-384 -d 'mondomaine.tld' -d '*.mondomaine.tld' # Clé ecc-384 , cryptographie sur les courbes elliptiques (en anglais, elliptic curve cryptography ou ECC)

Notre exemple
acme.sh --dns dns_ovh --issue --keylength ec-384 -d 'ouestline.xyz' -d '*.ouestline.xyz'

Si vous utilisez pour la première fois OVH api, vous devez authentifier l’api. (Cela ne se produit qu’au premier lancement du bash acme.sh)
Vous verrez quelque chose comme ci-dessous:

[mardi 13 août 2019, 21:43:18 (UTC+0200)] Using OVH endpoint: ovh-eu
[mardi 13 août 2019, 21:43:18 (UTC+0200)] OVH consumer key is empty, Let's get one:
[mardi 13 août 2019, 21:43:18 (UTC+0200)] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=v6T3D18cgLt6V3HAvqP9o7qVp9oMJMI2txPl2QcbuILO1JQifebP7U0uaDMu3Ibn
[mardi 13 août 2019, 21:43:18 (UTC+0200)] Here is a guide for you: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
[mardi 13 août 2019, 21:43:18 (UTC+0200)] Please retry after the authentication is done.

3 - Authentification de la clé api

(Cela ne se produit qu’au premier lancement du bash acme.sh)

Ouvrir le lien : https://eu.api.ovh.com/auth/?credentialToken=v6T3D18cgLt6V3HAvqP9o7qVp9oMJMI2txPl2QcbuILO1JQifebP7U0uaDMu3Ibn

Authentifier vous et sélectionner “Unlimited” pour la validité (saisir le code otp si validé) Cliquer sur “Authorize Access”

OVH authentication Success !

If you see this page, it means your authentication is ok.

Go back to your shell, and try again.

4 - Puis relancer le bash

acme.sh --dns dns_ovh --issue --keylength 4096 -d mondomaine.tld -d smtp.mondomaine.tld -d imap.mondomaine.tld

Notre exemple
acme.sh --dns dns_ovh --issue --keylength ec-384 -d 'ouestline.xyz' -d '*.ouestline.xyz'

[mardi 13 août 2019, 21:45:13 (UTC+0200)] Verifying: ouestline.xyz
[mardi 13 août 2019, 21:45:16 (UTC+0200)] Success
[mardi 13 août 2019, 21:45:16 (UTC+0200)] Verifying: *.ouestline.xyz
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Success
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Removing DNS records.
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Removing txt: pcHjdzrzqBIbuI98aJx6Tan4iejK_NbnCLrAGu-03-0 for domain: _acme-challenge.ouestline.xyz
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Using OVH endpoint: ovh-eu
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Checking authentication
[mardi 13 août 2019, 21:45:19 (UTC+0200)] Consumer key is ok.
[mardi 13 août 2019, 21:45:20 (UTC+0200)] Removed: Success
[mardi 13 août 2019, 21:45:20 (UTC+0200)] Removing txt: 9m38ahU-HMS1nDrdq8O5AkJUQRYEQchQQxNW4Sdv2M8 for domain: _acme-challenge.ouestline.xyz
[mardi 13 août 2019, 21:45:20 (UTC+0200)] Using OVH endpoint: ovh-eu
[mardi 13 août 2019, 21:45:20 (UTC+0200)] Checking authentication
[mardi 13 août 2019, 21:45:20 (UTC+0200)] Consumer key is ok.
[mardi 13 août 2019, 21:45:22 (UTC+0200)] Removed: Success
[mardi 13 août 2019, 21:45:22 (UTC+0200)] Verify finished, start to sign.
[mardi 13 août 2019, 21:45:22 (UTC+0200)] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/63384623/889352683
[mardi 13 août 2019, 21:45:24 (UTC+0200)] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325da09619fcdb4d883a1970157e2101960
[mardi 13 août 2019, 21:45:24 (UTC+0200)] Cert success.

[...]

[mardi 13 août 2019, 21:45:24 (UTC+0200)] Your cert is in  /home/usera//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.cer 
[mardi 13 août 2019, 21:45:24 (UTC+0200)] Your cert key is in  /home/usera//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.key 
[mardi 13 août 2019, 21:45:24 (UTC+0200)] The intermediate CA cert is in  /home/usera//.acme.sh/ouestline.xyz_ecc/ca.cer 
[mardi 13 août 2019, 21:45:24 (UTC+0200)] And the full chain certs is there:  /home/usera//.acme.sh/ouestline.xyz_ecc/fullchain.cer 

Maintenant, créez des liens symboliques vers vos nouveaux certificats :

sudo ln -s $HOME/.acme.sh/mondomaine.tld/fullchain.cer /etc/ssl/private/crt.pem  
sudo ln -s $HOME/.acme.sh/mondomaine.tld/mondomaine.tld.key  /etc/ssl/private/key.pem  

Notre exemple des liens (utilisation nginx)

sudo ln -s /home/usera//.acme.sh/ouestline.xyz_ecc/fullchain.cer /etc/ssl/private/ouestline.xyz-fullchain.pem   # full chain certs
sudo ln -s /home/usera//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.key /etc/ssl/private/ouestline.xyz-key.pem     # cert key
sudo ln -s /home/usera//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.cer /etc/ssl/private/ouestline.xyz-chain.pem   # cert domain
sudo ln -s /home/usera//.acme.sh/ouestline.xyz_ecc/ca.cer /etc/ssl/private/ouestline.xyz-ca.pem                 # intermediate CA cert

Vérification et mise à jour automatique
$ crontab -e # visualise tous les jobs de l’utilisateur en cours

18 0 * * * "/home/usera//.acme.sh"/acme.sh --cron --home "/home/usera//.acme.sh" > /dev/null

acme.sh - Options et paramètres

Usage: acme.sh  command ...[parameters]....
Commands:
  --help, -h               Show this help message.
  --version, -v            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh.
  --issue                  Issue a cert.
  --signcsr                Issue a cert from an existing csr.
  --deploy                 Deploy the cert to your server.
  --install-cert           Install the issued cert to apache/nginx or any other server.
  --renew, -r              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --showcsr                Show the content of a csr.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --toPkcs                 Export the certificate and key to a pfx file.
  --toPkcs8                Convert to pkcs8 format.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --createCSR, -ccsr       Create CSR , professional use.
  --deactivate             Deactivate the domain authz, professional use.
  --set-notify             Set the cron notification hook, level or mode.


Parameters:
  --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.
  --challenge-alias domain.tld      The challenge domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --domain-alias domain.tld         The domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --force, -f                       Used to force to install or force to renew a cert immediately.
  --staging, --test                 Use staging server, just for test.
  --debug                           Output debug info.
  --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
  --stateless                       Use stateless mode, see: https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
  --apache                          Use apache mode.
  --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
  --dnssleep  [120]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.

  --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  --accountkeylength, -ak [2048]    Specifies the account key length.
  --log    [/path/to/logfile]       Specifies the log file. The default is: "/root/.acme.sh/acme.sh.log" if you don't give a file path here.
  --log-level 1|2                   Specifies the log level, default is 1.
  --syslog [0|3|6|7]                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.

  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

  --cert-file                       After issue/renew, the cert will be copied to this path.
  --key-file                        After issue/renew, the key will be copied to this path.
  --ca-file                         After issue/renew, the intermediate cert will be copied to this path.
  --fullchain-file                  After issue/renew, the fullchain cert will be copied to this path.

  --reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.

  --server SERVER                   ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
  --accountconf                     Specifies a customized account config file.
  --home                            Specifies the home dir for acme.sh.
  --cert-home                       Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home                     Specifies the home dir to save all the configurations.
  --useragent                       Specifies the user agent string. it will be saved for future use too.
  --accountemail                    Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey                      Specifies the account key path, only valid for the '--install' command.
  --days                            Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
  --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address                   Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw                         Only used for '--list' command, list the certs in raw format.
  --stopRenewOnError, -se           Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle                       Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path                         Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --nocron                          Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  --noprofile                       Only valid for '--install' command, which means: do not install aliases to user profile.
  --no-color                        Do not output color text.
  --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  --csr                             Specifies the input csr.
  --pre-hook                        Command to be run before obtaining any certificates.
  --post-hook                       Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
  --renew-hook                      Command to be run once for each successfully renewed certificate.
  --deploy-hook                     The hook file to deploy cert
  --ocsp-must-staple, --ocsp        Generate ocsp must Staple extension.
  --always-force-new-domain-key     Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade   [0|1]            Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  --listen-v4                       Force standalone/tls server to listen at ipv4.
  --listen-v6                       Force standalone/tls server to listen at ipv6.
  --openssl-bin                     Specifies a custom openssl bin location.
  --use-wget                        Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force to use dns manual mode: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
  --branch, -b                      Only valid for '--upgrade' command, specifies the branch name to upgrade to.

  --notify-level  0|1|2|3           Set the notification level:  Default value is 2.
                                     0: disabled, no notification will be sent. 
                                     1: send notifications only when there is an error.
                                     2: send notifications when a cert is successfully renewed, or there is an error.
                                     3: send notifications when a cert is skipped, renewed, or error.
  --notify-mode   0|1               Set notification mode. Default value is 0.
                                     0: Bulk mode. Send all the domain's notifications in one message(mail).
                                     1: Cert mode. Send a message for every single cert.
  --notify-hook   [hookname]        Set the notify hook

Debian Stretch (nginx et certbot)

On passe en mode su
sudo -s
Obtenir les certificats pour un domaine donné (ex: mondomaine.tld)
Créer le dossier
mkdir -p /etc/nginx/conf.d/mondomaine.tld.d
Installer certbot
apt install certbot
Configuration webroot
nano /etc/nginx/conf.d/mondomaine.tld.d/000-acme-challenge.conf

location '/.well-known/acme-challenge'
{
        default_type "text/plain";
        alias /tmp/acme-challenge-public/;
}

Vérifier
nginx -t
Recharger
systemctl reload nginx
Générer les certificats
certbot certonly --register-unsafely-without-email --webroot -w /var/www -d mondomaine.tld -d seed.mondomaine.tld

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Registering without email!

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mondomaine.tld
http-01 challenge for seed.mondomaine.tld
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mondomaine.tld/fullchain.pem. Your cert will
   expire on 2018-01-01. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Renouvellement automatique Certificat Let’s Encrypt

Afin de renouveler automatiquement un certificat émis par Let’s Encrypt CA avant la date d’expiration, programmez un job crontab pour exécuter une fois par jour à 2:00 AM, en émettant la commande suivante.
La sortie de la tâche cron exécutée sera dirigée vers un fichier journal, stocké dans /var/log/letsencrypt.log

crontab -e

0 2 * * * certbot renew » /var/log/letsencrypt.log