letsencrypt

Differences

This shows you the differences between two versions of the page.

letsencrypt [2016/12/18 13:32]
ian
letsencrypt [2020/02/13 22:55]
Line 1: Line 1:
-====== Let's Encrypt ====== 
- 
-https://letsencrypt.org/ offers free signed 90 day SSL certificates which are trusted by the browser, just like a pay-for certificate signed by other CA's - with the option to create multi-domain certs if you control all the domains.  (This site uses a Let's Encrypt certificate). 
- 
-Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate. 
- 
-1. If the certbot command is not available in your package manager, use the certbot-auto command by installing it locally. 
- 
-<note tip> 
-Your home directory needs to be /root, so use 'sudo -i' or 'su -' 
-<code> 
-The directory '/home/ian/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. 
-</code> 
-</note> 
- 
-<code> 
-# cd /usr/local/sbin 
-# wget https://dl.eff.org/certbot-auto 
-# chmod +x certbot-auto 
-# ./certbot-auto --help 
-</code> 
- 
-2. Add a monthly script to perform the renewals 
- 
-<code> 
-# echo '#!/bin/bash 
- 
-sleep $(( $RANDOM % 1800 )) 
- 
-logger "Start: $0" 
- 
-' >> /etc/cron.monthly/letsencrypt-renew 
-# chmod u+x /etc/cron.monthly/letsencrypt-renew 
-</code> 
- 
-3. Run a manual certificate authorization/installation.  certbot is able to modify the apache config, but my configuration was too complicated - so I later modify the apache config manually. 
- 
-<code> 
-/usr/local/sbin/certbot-auto certonly --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net 
-</code> 
- 
-<note> 
-Here the first -d is the certificate name and file name, and later -d options are additional names (AltNames) that are valid for the certificate. 
- 
-<code> 
-openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative 
-            X509v3 Subject Alternative Name:  
-                DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca 
-</code> 
-</note> 
- 
-4. <code> 
-echo '/usr/local/sbin/certbot-auto renew --post-hook "systemctl reload apache2"' >> /etc/cron.monthly/letsencrypt-renew 
-</code> 
- 
-<note tip> 
-For verification, the authorization process puts a file into the DocumentRoot which their servers attempt to retrieve. 
- 
-<code> 
-66.133.109.36 - - [20/Dec/2015:12:27:57 -0500] "GET /.well-known/acme-challenge/j8DDJgtt26GzSSOZ5DuQGQtVuKj9ZyqJohVbP-YS1cc HTTP/1.1" 200 298 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" 
-</code> 
-</note> 
- 
-5. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled. 
- 
-<code> 
-<VirtualHost *:80> 
-        ServerName braindump.ca 
-        ServerAlias www.braindump.ca braindump.mrzesty.net 
- 
-        RewriteEngine On 
-        RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R] 
-</VirtualHost> 
- 
-<VirtualHost *:443> 
-... 
-        SSLEngine On 
-        SSLCertificateFile /etc/letsencrypt/live/braindump.ca/cert.pem 
-        SSLCertificateChainFile /etc/letsencrypt/live/braindump.ca/chain.pem 
-        SSLCertificateKeyFile /etc/letsencrypt/live/braindump.ca/privkey.pem 
-</VirtualHost> 
-</code> 
- 
-6. You can repeat steps 5-6 for any additional SSL certificates for other public sites on the server. 
- 
-**/etc/cron.monthly/99letsencrypt-renew**: 
-<code> 
-#!/bin/bash 
- 
-sleep $(( $RANDOM % 1800 )) 
- 
-logger "Start: $0" 
- 
-/usr/local/sbin/certbot-auto renew --post-hook "systemctl reload apache2" 
- 
-logger "End: $0" 
-</code> 
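Review bot: the renewal cron job is inconsistent across the removed steps. Step 2 builds `/etc/cron.monthly/letsencrypt-renew` with `echo ... >>` (re-running the step appends a second copy of the header), step 4 appends the `renew` line to that same file, yet the final listing is titled `/etc/cron.monthly/99letsencrypt-renew`; pick one filename and write the script once (a heredoc or a plain editor) instead of appending fragments. Two further points on this hunk: a monthly `certbot-auto renew --post-hook "systemctl reload apache2"` leaves little margin for a 90-day certificate, since `renew` only acts within 30 days of expiry, so one failed monthly attempt can run into expiry (Let's Encrypt's guidance is to run `renew` daily or twice daily and let it no-op), and the Apache block's `SSLCertificateChainFile /etc/letsencrypt/live/braindump.ca/chain.pem` is deprecated in Apache 2.4.8+, where `SSLCertificateFile` should point at `fullchain.pem` instead. Minor: the `RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R]` issues a temporary 302 and has no `L` flag (`[R=301,L]` is the usual form), and step 6's "repeat steps 5-6" refers to itself; the per-site steps are 3 and 5.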
  
letsencrypt.txt · Last modified: 2020/02/13 22:55 (external edit)