This shows you the differences between two versions of the page.
letsencrypt [2016/01/06 13:44] ian
letsencrypt [2020/02/13 22:55]
Line 1: | Line 1: | ||
- | ====== Let's Encrypt ====== | ||
- | |||
- | https:// | ||
- | |||
- | Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate. | ||
- | |||
- | 1. If the letsencrypt command is not available in your package manager, use the letsencrypt-auto command by installing it locally. | ||
- | |||
- | <note tip> | ||
- | Your home directory needs to be /root, so use 'sudo -i' or 'su -' | ||
- | < | ||
- | The directory '/ | ||
- | </ | ||
- | </ | ||
- | |||
- | < | ||
- | # cd /usr/local | ||
- | # git clone https:// | ||
- | # cd letsencrypt | ||
- | # ./ | ||
- | </ | ||
- | |||
- | 2. Install anacron for your distro so that we can schedule the renewal process monthly, but we use anacron so that the process doesn' | ||
- | |||
- | < | ||
- | # aptitude install anacron | ||
- | </ | ||
- | |||
- | 3. Add a monthly script to perform the renewals | ||
- | |||
- | < | ||
- | # echo -e '# | ||
- | # chmod u+x / | ||
- | </ | ||
- | |||
- | 4. Run a manual certificate authorization/ | ||
- | |||
- | < | ||
- | # / | ||
- | </ | ||
- | |||
- | < | ||
- | Here the first -d is the certificate name and file name, and later -d options are additional names (AltNames) that are valid for the certificate. | ||
- | |||
- | < | ||
- | # openssl x509 -text -in / | ||
- | X509v3 Subject Alternative Name: | ||
- | DNS: | ||
- | </ | ||
- | </ | ||
- | |||
- | 5. Add your last letsencrypt certonly command to the cron.monthly shell script | ||
- | |||
- | < | ||
- | echo " | ||
- | </ | ||
- | |||
- | <note tip> | ||
- | For verification, | ||
- | |||
- | < | ||
- | 66.133.109.36 - - [20/ | ||
- | </ | ||
- | </ | ||
- | |||
- | 6. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled. | ||
- | |||
- | < | ||
- | < | ||
- | ServerName braindump.ca | ||
- | ServerAlias www.braindump.ca braindump.mrzesty.net | ||
- | |||
- | RewriteEngine On | ||
- | RewriteRule /(.*) https:// | ||
- | </ | ||
- | |||
- | < | ||
- | ... | ||
- | SSLEngine On | ||
- | SSLCertificateFile / | ||
- | SSLCertificateChainFile / | ||
- | SSLCertificateKeyFile / | ||
- | </ | ||
- | </ | ||
- | |||
- | 7. You can repeat steps 4-6 for any additional SSL certificates for other public sites on the server. | ||
- | |||
- | **/ | ||
- | < | ||
- | #!/bin/bash | ||
- | |||
- | / | ||
- | / | ||
- | |||
- | service apache2 reload | ||
- | </ | ||