This shows you the differences between two versions of the page.
letsencrypt [2016/07/26 12:20] ian |
letsencrypt [2020/02/13 22:55] |
Line 1: | Line 1: | ||
- | ====== Let's Encrypt ====== | ||
- | |||
- | https:// | ||
- | |||
- | Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate. | ||
- | |||
- | 1. If the certbot command is not available in your package manager, use the certbot-auto command by installing it locally. | ||
- | |||
- | <note tip> | ||
- | Your home directory needs to be /root, so use 'sudo -i' or 'su -' | ||
- | < | ||
- | The directory '/ | ||
- | </ | ||
- | </ | ||
- | |||
- | < | ||
- | # cd / | ||
- | # wget https:// | ||
- | # chmod +x certbot-auto | ||
- | # ./ | ||
- | </ | ||
- | |||
- | 2. Add a monthly script to perform the renewals | ||
- | |||
- | < | ||
- | # echo '# | ||
- | |||
- | sleep $(( $RANDOM % 1800 )) | ||
- | |||
- | logger " | ||
- | |||
- | ' >> / | ||
- | # chmod u+x / | ||
- | </ | ||
- | |||
- | 3. Run a manual certificate authorization/ | ||
- | |||
- | < | ||
- | / | ||
- | </ | ||
- | |||
- | < | ||
- | Here the first -d is the certificate name and file name, and later -d options are additional names (AltNames) that are valid for the certificate. | ||
- | |||
- | < | ||
- | openssl x509 -text -in / | ||
- | X509v3 Subject Alternative Name: | ||
- | DNS: | ||
- | </ | ||
- | </ | ||
- | |||
- | 4. Add your last letsencrypt certonly command to the cron.monthly shell script | ||
- | |||
- | < | ||
- | echo " | ||
- | </ | ||
- | |||
- | <note tip> | ||
- | For verification, | ||
- | |||
- | < | ||
- | 66.133.109.36 - - [20/ | ||
- | </ | ||
- | </ | ||
- | |||
- | 5. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled. | ||
- | |||
- | < | ||
- | < | ||
- | ServerName braindump.ca | ||
- | ServerAlias www.braindump.ca braindump.mrzesty.net | ||
- | |||
- | RewriteEngine On | ||
- | RewriteRule /(.*) https:// | ||
- | </ | ||
- | |||
- | < | ||
- | ... | ||
- | SSLEngine On | ||
- | SSLCertificateFile / | ||
- | SSLCertificateChainFile / | ||
- | SSLCertificateKeyFile / | ||
- | </ | ||
- | </ | ||
- | |||
- | 6. You can repeat steps 4-6 for any additional SSL certificates for other public sites on the server. | ||
- | |||
- | **/ | ||
- | < | ||
- | #!/bin/bash | ||
- | |||
- | sleep $(( $RANDOM % 1800 )) | ||
- | |||
- | logger " | ||
- | |||
- | / | ||
- | / | ||
- | |||
- | service apache2 reload | ||
- | |||
- | logger "End: $0" | ||
- | </ | ||
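Review bot: the cron.monthly script at the end of the removed revision (the `#!/bin/bash` block) runs `service apache2 reload` and then `logger "End: $0"` regardless of whether the two preceding certonly commands succeeded, so a failed renewal is neither logged nor noticed, and because the job runs only monthly there are at most two further attempts before a 90-day certificate expires. Check the exit status of each renewal command and log a failure to syslog, for example `./certbot-auto certonly ... || logger -p user.err "renewal failed: $0"`, and reload Apache only after a successful run. Two smaller points in the same revision: step 6 tells the reader to repeat "steps 4-6" for additional sites, which includes itself and should read steps 3-5; and on Apache 2.4.8 and later `SSLCertificateChainFile` is deprecated, so the intermediate chain can be supplied through `SSLCertificateFile` instead of a separate chain directive.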