letsencrypt

Differences

This shows you the differences between two versions of the page.

letsencrypt [2015/12/21 22:03]
ian
letsencrypt [2020/02/13 22:55] (current)
Line 1: Line 1:
 ====== Let's Encrypt ====== ====== Let's Encrypt ======
  
-https://letsencrypt.org/ offers free signed 90 day SSL certificates which are trusted by the browser, just like a pay-for certificate signed by other CA's.  (This site uses a Let's Encrypt certificate).+https://letsencrypt.org/ offers free signed 90 day SSL certificates which are trusted by the browser, just like a pay-for certificate signed by other CA'- with the option to create multi-domain certs if you control all the domains.  (This site uses a Let's Encrypt certificate).
  
 Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate. Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate.
  
-1. If the letsencrypt command is not available in your package manager, use the letsencrypt-auto command by installing it locally.+1. If the certbot command is not available in your package manager, use the certbot-auto command by installing it locally.
  
 <note tip> <note tip>
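Review bot: the reworded intro sentence has a typo at "CA'-", which reads as "CA's" with a stray dash; suggest "...just like a pay-for certificate signed by other CAs, with the option to create multi-domain certs if you control all the domains." Step 1 is otherwise consistent with the certbot-auto path the later steps rely on.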
Line 15: Line 15:
  
 <code> <code>
-# cd /usr/local +# cd /usr/local/sbin 
-git clone https://github.com/letsencrypt/letsencrypt +wget https://dl.eff.org/certbot-auto 
-cd letsencrypt +chmod +x certbot-auto 
-# ./letsencrypt-auto --help+# ./certbot-auto --help
 </code> </code>
  
-2. Install anacron for your distro so that we can schedule the renewal process monthly, but we use anacron so that the process doesn't run at the same time as everyone else.+2. Add a weekly script to perform the renewals
  
 <code> <code>
-aptitude install anacron +echo '#!/bin/bash
-</code>+
  
-3. Add a monthly script to perform the renewals+sleep $(( $RANDOM % 1800 ))
  
-<code> +logger "Start: $0" 
-# echo -e '#!/bin/bash\n\n' >> /etc/cron.monthly/letsencrypt-renew + 
-# chmod u+x /etc/cron.monthly/letsencrypt-renew+' >> /etc/cron.weekly/letsencrypt-renew 
 +# chmod u+x /etc/cron.weekly/letsencrypt-renew
 </code> </code>
  
-4. Run a manual certificate authorization/installation.  letsencrypt is able to modify the apache config, but my configuration was too complicated - so I later modify the apache config manually.+3. Run a manual certificate authorization/installation.  certbot is able to modify the apache config, but my configuration was too complicated - so I later modify the apache config manually.
  
 <code> <code>
-/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net+/usr/local/sbin/certbot-auto certonly --webroot --webroot-path /var/www -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
 </code> </code>
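Review bot: the install block runs `wget https://dl.eff.org/certbot-auto` and then `chmod +x certbot-auto` with nothing verifying the download before it is executed as root in the following steps; suggest checking the publisher's signature or checksum for the file between the wget and the chmod, and making sure /usr/local/sbin stays root-owned so the script cannot be swapped out by an unprivileged user. Two smaller points in the same hunk: the `echo '#!/bin/bash ... ' >> /etc/cron.weekly/letsencrypt-renew` uses `>>`, so re-running step 2 appends a second shebang and sleep to an existing file (use `>` for the initial creation), and the step 2 description "Add a weekly script to perform the renewals" is missing its full stop.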
  
Line 44: Line 44:
  
 <code> <code>
-openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative+openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative
             X509v3 Subject Alternative Name:              X509v3 Subject Alternative Name: 
                 DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca                 DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca
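Review bot: the `openssl x509 -text ... | grep -A1 Alternative` check only confirms the SAN list; since the whole point of the weekly job is renewal, suggest also checking the validity window with `openssl x509 -noout -dates -in /etc/letsencrypt/live/braindump.ca/cert.pem` so a renewal that silently failed is noticed before the 90 days run out.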
Line 50: Line 50:
 </note> </note>
  
-5Add your last letsencrypt certonly command to the cron.monthly shell script +4. <code> 
- +echo '/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2">> /etc/cron.weekly/letsencrypt-renew
-<code> +
-echo "!?certonly?" >> /etc/cron.monthly/letsencrypt-renew+
 </code> </code>
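Review bot: the new step 4 command is missing its closing single quote: `echo '/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2">> /etc/cron.weekly/letsencrypt-renew` opens a quote at `'/usr/...` that is never closed, so the shell treats `>> /etc/cron.weekly/letsencrypt-renew` as part of the string and waits for more input instead of writing the file. It should read `echo '/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2"' >> /etc/cron.weekly/letsencrypt-renew`. The step also lost its description line (the old step 5 had "Add your last letsencrypt certonly command to the cron.monthly shell script"); suggest a sentence such as "Add the renew command to the weekly script", and it is worth saying that `--deploy-hook` runs only when a certificate is actually renewed, so Apache is not reloaded on the weekly runs where nothing changes.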
  
Line 64: Line 62:
 </note> </note>
  
-6. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled.+5. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled.
  
 <code> <code>
Line 71: Line 69:
         ServerAlias www.braindump.ca braindump.mrzesty.net         ServerAlias www.braindump.ca braindump.mrzesty.net
  
 +        DocumentRoot /var/www/
         RewriteEngine On         RewriteEngine On
-        RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R]+        RewriteCond %{REQUEST_URI} !/.well-known/.* 
 +        RewriteRule (.*) https://%{HTTP_HOST}$1 [R]
 </VirtualHost> </VirtualHost>
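Review bot: the redirect in the new vhost uses `[R]`, which is a 302 temporary redirect and lets later rules keep running; for a permanent HTTP-to-HTTPS redirect use `[R=301,L]`. The `RewriteCond %{REQUEST_URI} !/.well-known/.*` exception is what lets the webroot challenge from step 3 be served over plain HTTP, and it only works because the added `DocumentRoot /var/www/` matches `--webroot-path /var/www`; anchoring it as `!^/\.well-known/` keeps the unescaped dots from matching unrelated paths. Also, `https://%{HTTP_HOST}$1` copies whatever Host header the client sent into the Location target; if this vhost is also the default for the address, a fixed hostname or `%{SERVER_NAME}` is the safer choice.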
  
Line 84: Line 84:
 </code> </code>
  
-7. You can repeat steps 4-6 for any additional SSL certificates for other public sites on the server.+6. You can repeat steps 5-6 for any additional SSL certificates for other public sites on the server.
  
-**/etc/cron.monthly/letsencrypt-renew**:+**/etc/cron.weekly/letsencrypt-renew**:
 <code> <code>
 #!/bin/bash #!/bin/bash
  
-/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net +sleep $(( $RANDOM % 1800 )) 
-/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/MrZesty -d mrzesty.net -d www.mrzesty.net+ 
 +logger "Start: $0" 
 + 
 +/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2" 
 + 
 +logger "End: $0"
 </code> </code>
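Review bot: the renumbered step 6 says "repeat steps 5-6", which now points at itself; with `renew` replacing the per-site `certonly` lines, an additional site only needs step 3 (request its certificate with `certonly`) and step 5 (its Apache redirect), because the single `certbot-auto renew` in the weekly script renews every certificate certbot manages, so suggest "repeat steps 3 and 5". In the final script, `logger "End: $0"` runs regardless of how renew exited; suggest recording the exit status right after the renew line, e.g. `logger "End: $0 status=$?"`, so a failed renewal shows up in syslog rather than only when the certificate expires.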
  
letsencrypt.1450753396.txt.gz · Last modified: 2020/02/13 22:55 (external edit)
