Letsencrypt

From wiki
Jump to navigation Jump to search

Letsencrypt is an initiative to have the web encrypted all over the place:

It is using certbot to create and maintain SSL-certificates for websites.

  • Get the software
apt-get install certbot python-certbot-nginx
certbot certonly --nginx -d <domain> -d <domain>
Get a certificate for the specified domains by putting a challenge in a local directory
certbot certonly --nginx --cert-name <certificatename> -d <domain> -d <domain>
Get an new certificate for the certificate with cert-name <certificatename> for the specified domains.
certbot renew
Manual renewal of the certificates that are due for it. Certbot installs a cronjob in /etc/cron.d to check for renewal every 12 hours.
certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi.ini -d <domainname>
Get a certificate by DNS-authenication (for gandi-DNS). Certbot must be able to use the API of your DNS-server. Create a new, as far as possible restricted, account for this. You need to install the gandi plugin for certbot first.

20230226: Certbot has moved to a snap (Don´t like that) and the gandi-plugin is not available for that. Check this an use below.

certbot -d <domainname> --manual --preferred-challenges dns-01 certonly
If there is no plugin for your DNS provider use this.
This command will provide you a string you should put in a TXT record.
certbot revoke --cert-path /etc/letsencrypt/archive/<domainname>/cert1.pem
Revoke an certificate, you get the option to remove all related files
certbot delete
Presents a menu to delete files for a domain
certbot certificates --cert-name <certificatename>
Show the certificate with the specified name, without --cert-name all certbot certificates on this server are shown.

Move to a new server

Inspiration came from Ivan Derevianko. It can be even simpler.

Provided you have all configuration the same on the new server as on the old one you only need to do:

  • Archive certificates on the old servers
tar cvf letsencrypt.tar ./letsencrypt
  • Move them to a new server
  • Extract to the same location

Issue

Failed to renew on a server that redirects to https: 

server {
 listen 443 ssl;
 listen [::]:443 ssl;
 listen 80;
 listen [::]:80;

 server_name *.domain.tld domain.tld;
 root /var/www/html;
 access_log /var/log/nginx/domain.access.log combined;
 error_log /var/log/nginx/domain.error.log error;

 ssl_certificate      /etc/letsencrypt/live/domain.org/fullchain.pem;
 ssl_certificate_key  /etc/letsencrypt/live/domain.org/privkey.pem;

 location ~ /.well-known {
  allow all;
 }

# Comment the redirect for letsencrypt renewal
 if ($scheme = http) {
  return 301 https://$host$request_uri;
 }
Retrieved from "https://wiki.antiperfect.org/index.php?title=Letsencrypt&oldid=1401"