Differences

This shows you the differences between two versions of the page.

--- ubuntu:certificates:let_s_encrypt_certificates [2020/05/11 17:01] – [Add all sub-domains to a certificate] peter
+++ ubuntu:certificates:let_s_encrypt_certificates [2021/07/05 08:52] (current) – peter
@@ Line 1: / Line 1: @@
 ====== Ubuntu - Certificates - Let's Encrypt Certificates ======
+----
+[[Ubuntu:Certificates:Let's Encrypt Certificates:Create and Update a LetsEncrypt SSL Certificate with CertBot|Create and Update a LetsEncrypt SSL Certificate with CertBot]]
+----
 Install the Let's Encrypt client, certbot:
@@ Line 14: / Line 20: @@
 </code>
+  * This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
-Note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com.
+<WRAP info>
+**NOTE:**  Historically LetsEncrypt did not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com.
-This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
+But recent changes allow this, such as:
-<WRAP note>
+<code bash>
-Note:
+certbot certonly --cert-name *.sharewiz.net -d sharewiz.net,www.sharewiz.net,wiki.sharewiz.net
-To use the webroot plugin, your server must be configured to serve files from hidden directories.  If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
+</code>
 </WRAP>
+<WRAP info>
+**NOTE:**  To use the webroot plugin, your server must be configured to serve files from hidden directories.
+If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
+</WRAP>
-To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
+<WRAP info>
+**NOTE:** To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
 <code bash>
@@ Line 33: / Line 47: @@
 </code>
+</WRAP>
+<WRAP info>
+**NOTE:**  The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
+</WRAP>
-The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
 ----
@@ Line 67: / Line 86: @@
 webroot-path = /var/www/example/
 </file>
+<WRAP info>
+**NOTE:**  For multiple domains do not include a space after the comma:
+<code bash>
+domains = www.example.com,example.com,www.example2.com,example2.com
+</code>
+</WRAP>
+----
+===== Generate your first cert =====
+To generate your first cert, open a shell and execute the letsencrypt-auto script
+<code bash>
+# cd /root/letsencrypt
+# ./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly
+Updating letsencrypt and virtual environment dependencies.......
+Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at
+   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will
+   expire on 2016-02-05. To obtain a new version of the certificate in
+   the future, simply run Let's Encrypt again.
+</code>
+<WRAP info>
+**NOTE:**  The **certonly** command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
+</WRAP>
 ----
@@ Line 78: / Line 129: @@
   ...
-  ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
   ...
@@ Line 125: / Line 176: @@
 ===== Automating renewal =====
-The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.  You can test automatic renewal for your certificates by running this command:
+The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
+Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.
+You can test automatic renewal for your certificates by running this command:
 <code bash>
@@ Line 145: / Line 200: @@
 done
-**TODO:** Check if letsencrypt-auto is now certbot-auto.
+<WRAP todo>
+**TODO:** Check if letsencrypt-auto is now certbot-auto.
+</WRAP>
 # make sure nginx picks them up
@@ Line 172: / Line 230: @@
 </code>
+<WRAP todo>
 **TODO:**  if you want to make your crontab to work you need to agree by default, add these lines to your my-domain.conf
+</WRAP>
   renew-by-default
@@ Line 215: / Line 276: @@
 IMPORTANT:  A DNS entry must exist for the * so ensure this is added.
 </WRAP>
+----
+===== To Renew manually =====
+<code bash>
+letsencrypt certonly --webroot -w /var/www/peterroux.com -d peterroux.com -d www.peterroux.com
+</code>