Differences

This shows you the differences between two versions of the page.

--- certificates:let_s_encrypt_certificates [2017/03/17 01:00] – peter
+++ certificates:let_s_encrypt_certificates [2019/11/26 21:50] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Certificates - Let's Encrypt Certificates ======
-Install the Let's Encrypt client, certbot:
-<code bash>
-sudo apt-get install letsencrypt
-</code>
-If you already have a webserver running, it is recommended choosing the **"webroot"** plugin.
-<code bash>
-sudo letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
-</code>
-Note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com.
-This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
-<WRAP note>
-Note:
-To use the webroot plugin, your server must be configured to serve files from hidden directories.  If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
-</WRAP>
-To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
-<code bash>
-letsencrypt certonly --standalone -d example.com -d www.example.com
-</code>
-The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
-===== Config Files =====
-The file /etc/letsencrypt/configs/my-domain.conf, where my‑domain is your fully qualified domain name (for example, www.example.com)
-<file bash /etc/letsencrypt/configs/my-domain.conf>
-# the domain we want to get the cert for;
-# technically it's possible to have multiple of this lines, but it only worked
-# with one domain for me, another one only got one cert, so I would recommend
-# separate config files per domain.
-domains = my-domain
-#domains = www.example.com,example.com,www.test.com,test.com
-# increase key size
-rsa-key-size = 4096
-# the current closed beta (as of 2015-Nov-07) is using this server
-server = https://acme-v01.api.letsencrypt.org/directory
-# this address will receive renewal reminders
-email = my-email
-# turn off the ncurses UI, we want this to be run as a cronjob
-text = True
-# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
-# and then letting LE fetch it
-authenticator = webroot
-webroot-path = /var/www/example/
-</file>
-===== NginX config =====
-Update your nginx sites to use the new certificate and private key:
-<file bash /etc/nginx/sites-available/example.com>
-server {
-  ...
-  ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
-  ...
-}
-</file>
-Also add following lines in your nginx config:
-<file bash /etc/nginx/sites-enabled/default>
-#  location ~ /.well-known {
-#    allow all;
-#  }
-#  location /.well-known/acme-challenge {
-#    root /var/www/example;
-#  }
-  location ~ /\.well-known\/acme-challenge {
-    allow all;
-  }
-</file>
-otherwise it will response an unauthorized error.
-===== Permissions =====
-We need a user www-data to be able to run the Python script letsencrypt-auto.
-===== Restart Nginx =====
-Verify the configuration file is syntactically valid and restart NGINX:
-<code bash>
-sudo nginx -t && sudo nginx -s reload
-</code>
-===== Automating renewal =====
-The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.  You can test automatic renewal for your certificates by running this command:
-<code bash>
-letsencrypt renew --dry-run
-</code>
-or Monthly cron job in /etc/cron.monthly:
-<code bash>
-#!/bin/sh
-# create new certs
-cd /root/letsencrypt
-for conf in $(ls /etc/letsencrypt/configs/*.conf); do
-#  ./letsencrypt-auto --renew --config "$conf" certonly
-  ./letsencrypt-auto --renew-by-default --config "$conf" certonly
-done
-**TODO:** Check if letsencrypt-auto is now certbot-auto.
-# make sure nginx picks them up
-service nginx restart
-</code>
-or
-<code bash>
-#!/bin/sh
-cd /opt/letsencrypt/
-#./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
-./certbot-auto --non-interactive --keep-until-expiring --agree-tos --quiet --config /etc/letsencrypt/configs/my-domain.conf certonly
-if [ $? -ne 0 ]
- then
-        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
-        echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
-                 $ERRORLOG
- else
-        nginx -s reload
-fi
-exit 0
-</code>
-**TODO:**  if you want to make your crontab to work you need to agree by default, add these lines to your my-domain.conf
-  renew-by-default
-  agree-dev-preview
-  agree-tos
-Create /var/log/letsencrypt/ if it doesn’t exist.
-And now I get new certs on the first of every month.
-To test your cron monthly script you can use (as root):
-<code bash>
-run-parts -v /etc/cron.monthly
-</code>
-===== References =====
-https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
-https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
-https://gist.github.com/xrstf/581981008b6be0d2224f
-https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba
-https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04