Differences

This shows you the differences between two versions of the page.

--- ubuntu:certificates:let_s_encrypt_certificates [2020/05/19 09:18] – [Ubuntu - Certificates - Let's Encrypt Certificates] peter
+++ ubuntu:certificates:let_s_encrypt_certificates [2021/07/05 08:52] (current) – peter
@@ Line 1: / Line 1: @@
 ====== Ubuntu - Certificates - Let's Encrypt Certificates ======
+----
+[[Ubuntu:Certificates:Let's Encrypt Certificates:Create and Update a LetsEncrypt SSL Certificate with CertBot|Create and Update a LetsEncrypt SSL Certificate with CertBot]]
+----
 Install the Let's Encrypt client, certbot:
@@ Line 14: / Line 20: @@
 </code>
+  * This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
 <WRAP info>
@@ Line 26: / Line 33: @@
-This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
+<WRAP info>
-<WRAP note>
 **NOTE:**  To use the webroot plugin, your server must be configured to serve files from hidden directories.
@@ Line 35: / Line 40: @@
+<WRAP info>
+**NOTE:** To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
-To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
 <code bash>
@@ Line 43: / Line 47: @@
 </code>
+</WRAP>
+<WRAP info>
+**NOTE:**  The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
+</WRAP>
-The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
 ----
@@ Line 77: / Line 86: @@
 webroot-path = /var/www/example/
 </file>
+<WRAP info>
+**NOTE:**  For multiple domains do not include a space after the comma:
+<code bash>
+domains = www.example.com,example.com,www.example2.com,example2.com
+</code>
+</WRAP>
+----
+===== Generate your first cert =====
+To generate your first cert, open a shell and execute the letsencrypt-auto script
+<code bash>
+# cd /root/letsencrypt
+# ./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly
+Updating letsencrypt and virtual environment dependencies.......
+Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at
+   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will
+   expire on 2016-02-05. To obtain a new version of the certificate in
+   the future, simply run Let's Encrypt again.
+</code>
+<WRAP info>
+**NOTE:**  The **certonly** command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
+</WRAP>
 ----
@@ Line 88: / Line 129: @@
   ...
-  ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
   ...
@@ Line 135: / Line 176: @@
 ===== Automating renewal =====
-The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.  You can test automatic renewal for your certificates by running this command:
+The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
+Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.
+You can test automatic renewal for your certificates by running this command:
 <code bash>
@@ Line 155: / Line 200: @@
 done
-**TODO:** Check if letsencrypt-auto is now certbot-auto.
+<WRAP todo>
+**TODO:** Check if letsencrypt-auto is now certbot-auto.
+</WRAP>
 # make sure nginx picks them up
@@ Line 182: / Line 230: @@
 </code>
+<WRAP todo>
 **TODO:**  if you want to make your crontab to work you need to agree by default, add these lines to your my-domain.conf
+</WRAP>
   renew-by-default
@@ Line 225: / Line 276: @@
 IMPORTANT:  A DNS entry must exist for the * so ensure this is added.
 </WRAP>
+----
+===== To Renew manually =====
+<code bash>
+letsencrypt certonly --webroot -w /var/www/peterroux.com -d peterroux.com -d www.peterroux.com
+</code>