Let's Encrypt with multiple domains did not work for ECC certificates

You should also check the ecc one, but I think everything matches.

Yes, that's how everything should work.

OK. Everything is ready. Thanks again for your persistence. I marked your post pointing out the problem as the solution.

I already asked in another post whether it makes sense to keep the obsolete RSA certificate; I hope it will be removed soon.

Something is not quite right: I just deleted the old certificates and created new ones with the following rewrite, but the certificate was not created for www either:

cat /var/discourse/containers/app.yml
  after_ssl:
     # tell letsencrypt what additional certs to get
      - replace:
          filename: "/etc/runit/1.d/letsencrypt"
          from: /--keylength/
          to: "-d www.rpg-foren.com --keylength"
      - replace:
          filename: "/etc/runit/1.d/letsencrypt"
          from: /--fullchainpath/
          to: "-d www.rpg-foren.com  --fullchainpath"
          global: true
cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA certificate
########################################################
issue_cert "4096"

if ! cert_exists ""; then
  # Try to issue the certificate again if something went wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com  --fullchainpath /shared/ssl/rpg-foren.com.cer \
  --keypath /shared/ssl/rpg-foren.com.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA certificate
########################################################
issue_cert "ec-256"

if ! cert_exists "_ecc"; then
  # Try to issue the certificate again if something went wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d rpg-foren.com \
  -d www.rpg-foren.com  --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
  --keypath /shared/ssl/rpg-foren.com_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com_ecc.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f0:89:90:30:4f:d5:9b:40:00:9e:96:9a:d7:d0:dc:78:d5
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Sep 23 15:23:00 2024 GMT
            Not After : Dec 22 15:22:59 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3a:65:89:b0:9b:07:c2:ef:f7:43:f8:f7:2e:e5:
                    8e:f8:47:76:19:cc:e6:98:50:e4:18:b7:9b:e0:f0:
                    60:49:ed:06:5c:66:d0:7b:79:07:84:0f:75:36:4b:
                    70:98:1d:76:6b:15:20:8f:c5:6d:43:cc:b8:12:a1:
                    eb:5a:d8:0f:7f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                7F:CC:80:95:73:18:45:96:CD:73:16:0D:69:CA:4F:5E:54:D4:C1:13
            X509v3 Authority Key Identifier: 
                93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
            Authority Information Access: 
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:rpg-foren.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
                                D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
                    Timestamp : Sep 23 16:21:30.838 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F4:3A:0D:45:49:BE:EB:7D:9F:03:C1:
                                36:53:77:49:23:6F:E4:57:2B:68:01:5A:31:EB:DB:B4:
                                1D:1B:30:EA:44:02:21:00:A1:DA:11:1B:2B:59:BB:86:
                                BF:0B:DC:F6:45:9A:DB:77:DB:A4:DF:1B:4D:74:6A:51:
                                9A:2A:A0:80:CC:E8:F3:CF
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Sep 23 16:21:30.896 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:0A:B1:11:58:B1:41:F3:B4:90:13:55:9C:
                                E2:AD:D1:B8:0B:E9:15:A1:C9:4C:5C:AC:CC:1D:22:46:
                                6F:FC:64:C4:02:20:4A:EA:C9:AD:99:E3:0A:86:6C:3E:
                                80:EF:21:D8:DE:A4:83:EA:B6:E6:27:96:C1:98:92:4A:
                                7B:F0:87:38:41:20
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:c8:d5:4a:f1:f4:9b:4f:23:b0:17:be:25:27:97:9b:2c:c2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Validity
            Not Before: Sep 23 15:22:54 2024 GMT
            Not After : Dec 22 15:22:53 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                FE:E1:BC:4C:C3:11:44:83:80:48:E6:F4:AB:B8:DE:AE:93:4F:2E:8F
            X509v3 Authority Key Identifier: 
                BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
            Authority Information Access: 
                OCSP - URI:http://r10.o.lencr.org
                CA Issuers - URI:http://r10.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:rpg-foren.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Sep 23 16:21:24.622 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BD:C6:D8:48:E3:CD:EA:A7:41:E4:27:
                                FE:34:0C:47:A6:1F:78:6F:61:70:4F:39:B5:BE:22:2F:
                                39:E1:41:CE:53:02:20:69:1E:20:E0:42:25:40:76:D4:
                                B0:66:08:15:D7:9C:CC:4F:BC:A4:A2:1E:C6:36:0E:0B:
                                25:F5:7B:2D:30:85:3A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
                                ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
                    Timestamp : Sep 23 16:21:24.621 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9E:CF:69:F9:27:E3:B0:4E:7D:DC:2D:
                                13:99:CD:8D:8C:B2:99:0B:B1:CA:82:83:07:2B:91:F7:
                                1B:71:EB:7B:ED:02:21:00:91:C6:62:90:C3:ED:ED:07:
                                62:1A:EC:43:02:C6:FE:F3:87:6A:0E:9C:C3:D7:54:1B:
                                69:3F:3F:FF:31:00:F6:6D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
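The output above shows the actual gap: both certificates carry only `DNS:rpg-foren.com` in the Subject Alternative Name, while the script's `cert_exists()` only checks that the chain verifies, so a certificate missing `www.rpg-foren.com` still counts as present and the `--force` re-issue never runs. The following check, an added example that is not part of the original post or of Discourse's own scripts, reads the SAN list out of `openssl x509 -text` output and fails when a required hostname is absent; the sample texts are constructed from the lines shown in the thread, and `cert_file_covers` is a hypothetical wrapper name.

```shell
#!/bin/bash
# Added example: verify that a certificate covers every hostname the site needs,
# not merely that its chain validates (which is all cert_exists() in the thread checks).

# Constructed sample 1: the SAN region of the ECC cert posted above (only the apex name).
SAMPLE_APEX_ONLY='        Subject: CN = rpg-foren.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:rpg-foren.com
            X509v3 Certificate Policies: '

# Constructed sample 2: what the SAN region should look like once www is included.
SAMPLE_WITH_WWW='            X509v3 Subject Alternative Name: 
                DNS:rpg-foren.com, DNS:www.rpg-foren.com
            X509v3 Certificate Policies: '

# san_names <x509 -text output>: print each DNS SAN entry on its own line.
# openssl prints all SAN entries on the single line after the extension header,
# comma separated; split on commas/spaces and keep only the DNS: entries.
san_names() {
  printf '%s\n' "$1" \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ', ' '\n\n' \
    | sed -n 's/^DNS://p'
}

# cert_covers <x509 -text output> <domain>...: succeed only if every domain is a SAN entry.
# Exact, whole-line matching so rpg-foren.com does not satisfy www.rpg-foren.com.
cert_covers() {
  local text="$1"; shift
  local names d
  names=$(san_names "$text")
  for d in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$d" || return 1
  done
  return 0
}

# cert_file_covers <fullchain.cer> <domain>...: same check against a certificate file
# (hypothetical name; a drop-in for cert_exists() so a name change triggers --force).
cert_file_covers() {
  local f="$1"; shift
  cert_covers "$(openssl x509 -in "$f" -noout -text 2>/dev/null)" "$@"
}

# Usage: cert_file_covers /shared/ssl/rpg-foren.com_ecc.cer rpg-foren.com www.rpg-foren.com
```

Plugged into the runit script in place of `cert_exists`, a certificate that verifies but lacks `www` would fail the check and the `--force` branch would re-issue it with the full domain list.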

I just recreated them manually as described here.