Difference between revisions of "Letsencrypt"

Letsencrypt is an initiative to have the web encrypted all over the place:

It is using certbot to create and maintain SSL-certificates for websites.

• Get the software

apt-get install certbot python-certbot-nginx

certbot renew

Manual renewal of the certificates that are due for it. Certbot installs a cronjob in /etc/cron.d to check for renewal every 12 hours.

certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi.ini -d <domainname>

Get a certificate by DNS-authenication (for gandi-DNS). Certbot must be able to use the API of your DNS-server. Create a new, as far as possible restricted, account for this. You need to install the gandi plugin for certbot first.

Move to a new server

Inspiration came from Ivan Derevianko. It can be even simpler.

Provided you have all configuration the same on the new server as on the old one you only need to do:

• Archive certificates on the old servers

tar cvf letsencrypt.tar ./letsencrypt

• Move them to a new server
• Extract to the same location

Issue

Failed to renew on a server that redirects to https:

server {
 listen 443 ssl;
 listen [::]:443 ssl;
 listen 80;
 listen [::]:80;

 server_name *.domain.tld domain.tld;
 root /var/www/html;
 access_log /var/log/nginx/domain.access.log combined;
 error_log /var/log/nginx/domain.error.log error;

 ssl_certificate      /etc/letsencrypt/live/domain.org/fullchain.pem;
 ssl_certificate_key  /etc/letsencrypt/live/domain.org/privkey.pem;

 location ~ /.well-known {
  allow all;
 }

# Comment the redirect for letsencrypt renewal
 if ($scheme = http) {
  return 301 https://$host$request_uri;
 }