This shows you the differences between two versions of the page.
letsencrypt [2018/03/02 17:03] ian
letsencrypt [2020/02/13 22:55]
====== Let's Encrypt ======

https://

Let's Encrypt certificates are valid for only 90 days, so authorization and renewal must be scripted rather than done by hand: a missed renewal leaves visitors looking at a certificate error.
- | |||
1. If the certbot command is not available in your package manager, install the certbot-auto wrapper locally and use that instead. (certbot-auto has since been deprecated upstream and no longer receives updates, so prefer the distribution package or the snap where one exists. The wrapper runs as root, so verify the downloaded script against its detached .asc signature before executing it rather than running whatever wget fetched.)

<note tip>
Your home directory needs to be /root, so use 'sudo -i' or 'su -'; otherwise the installer reports:
<code>
The directory '/
</code>
</note>

<code>
# cd /
# wget https://
# chmod +x certbot-auto
# ./
</code>
- | |||
2. Add a weekly script to perform the renewals. The random sleep of up to 30 minutes spreads the load so that every host on the same schedule is not hitting the Let's Encrypt API at the same instant. certbot renew only replaces certificates that are within 30 days of expiry, so running it more often than weekly is harmless (Certbot's own guide suggests twice a day) and narrows the window in which a failed attempt goes unnoticed.

<code>
# echo '#

sleep $(( $RANDOM % 1800 ))

logger "

' >> /
# chmod u+x /
</code>
- | |||
3. Run a manual certificate authorization/

<code>
/
</code>

<note>
The first -d is the certificate (lineage) name, which also names the directory under /etc/letsencrypt/live/ that holds the files, and each later -d adds a Subject Alternative Name (SAN) that the certificate is valid for. Check that the issued certificate covers every hostname you serve: a name that is in ServerAlias but missing from the SAN list still produces a certificate error in the browser.

<code>
openssl x509 -noout -text -in /
X509v3 Subject Alternative Name:
DNS:
</code>
</note>
- | |||
4.
<code>
echo '/
</code>

<note tip>
For verification,

<code>
66.133.109.36 - - [20/
</code>
</note>
- | |||
5. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled. Keep a negated RewriteCond on REQUEST_URI that exempts /.well-known/acme-challenge/ from the redirect: certbot's HTTP-01 validation fetches that path over plain HTTP, so a blanket redirect breaks every future renewal. Everything else should go to https with a permanent redirect ([R=301,L]). On Apache 2.4.8 or later SSLCertificateChainFile is deprecated; point SSLCertificateFile at fullchain.pem, which carries the intermediate certificate as well, instead of cert.pem plus a chain file.

<code>
<VirtualHost *:80>
ServerName braindump.ca
ServerAlias www.braindump.ca braindump.mrzesty.net

DocumentRoot /var/www/
RewriteEngine On
RewriteCond %{REQUEST_URI} !/
RewriteRule (.*) https://
</VirtualHost>

<VirtualHost *:443>
...
SSLEngine On
SSLCertificateFile /
SSLCertificateChainFile /
SSLCertificateKeyFile /
</VirtualHost>
</code>
- | |||
6. Repeat steps 3 to 5 for any additional SSL certificates for other public sites on the server.
- | |||
**/
<code>
#!/bin/bash

# Random delay of up to 30 minutes so that hosts on the same cron schedule
# do not all contact the Let's Encrypt API at the same instant
sleep $(( $RANDOM % 1800 ))

logger "

/

logger "End: $0"
</code>
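A check to run after the renewal script, as an added example that is not part of the original page: it confirms that the certificate certbot left in the live directory still carries every hostname from the ServerAlias list, has more than a chosen number of days left, and matches the private key Apache will load, logging each failure with logger the way the script above does. It assumes a POSIX sh or bash, openssl on the PATH, and certbot's standard layout of cert.pem and privkey.pem inside a live/<name> directory; the function names, the letsencrypt-check syslog tag, the 30-day threshold and the script name in the usage comment are assumptions, while the hostnames are the page's own.

```sh
#!/bin/sh
# Post-renewal sanity check for a Let's Encrypt lineage (added example, not code
# from the original page). Assumes openssl on the PATH and certbot's layout of
# cert.pem and privkey.pem inside a live/<name> directory.

# Log to syslog with logger, as the page's renewal script does; fall back to
# stderr where logger is unavailable (e.g. a minimal container).
le_log() {
    logger -t letsencrypt-check -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# Print the DNS names from the certificate's Subject Alternative Name
# extension, one per line (IP and email SAN entries are dropped).
cert_san_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if every name given after the certificate path is in its SAN list.
cert_covers_names() {
    local pem have name
    pem="$1"; shift
    have=$(cert_san_names "$pem")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$name" || return 1
    done
    return 0
}

# Succeed if the certificate expires within DAYS days, i.e. renewal is overdue.
# openssl -checkend exits 0 while the certificate is still valid at that
# offset, so the result is inverted; an unreadable file also counts as overdue.
cert_expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeed if the private key belongs to the certificate, by comparing the
# public key derived from each; a mismatch means Apache refuses to start or
# serves the wrong key after a half-finished renewal.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# verify_lineage LIVE_DIR MIN_DAYS NAME... : run all three checks on one
# lineage, log every failure, and return non-zero if any check failed.
verify_lineage() {
    local live min_days cert key rc
    live="$1"; min_days="$2"; shift 2
    cert="$live/cert.pem"; key="$live/privkey.pem"; rc=0
    if ! cert_covers_names "$cert" "$@"; then
        le_log "$cert is missing a SAN name; wanted: $*; has: $(cert_san_names "$cert" | tr '\n' ' ')"
        rc=1
    fi
    if cert_expires_within "$cert" "$min_days"; then
        le_log "$cert expires within $min_days days; renewal is not working"
        rc=1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        le_log "$cert does not match $key"
        rc=1
    fi
    [ "$rc" -eq 0 ] && le_log "$cert OK: $* valid for more than $min_days days"
    return "$rc"
}

# When run as a script: first argument is the live directory, second the
# minimum days left, the rest the hostnames (here the page's own), e.g.
#   ./le-check.sh /etc/letsencrypt/live/braindump.ca 30 braindump.ca www.braindump.ca braindump.mrzesty.net
if [ "$#" -gt 0 ]; then
    verify_lineage "$@"
fi
```

Run it from cron a few minutes after the renewal script, or from a certbot --deploy-hook, and alert on a non-zero exit from verify_lineage. Checking cert.pem rather than fullchain.pem keeps the SAN parse on the leaf certificate only, and comparing public keys instead of key moduli makes cert_matches_key work for ECDSA as well as RSA keys.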