Difference between revisions of "Letsencrypt"
Jump to navigation
Jump to search
| Line 8: | Line 8: | ||
:<code>apt-get install certbot python-certbot-nginx</code> | :<code>apt-get install certbot python-certbot-nginx</code> | ||
| − | ;certbot certonly --nginx | + | ;certbot certonly --nginx -d <domain> -d <domain> |
| − | :Get a certificate by putting a challenge in a local directory | + | :Get a certificate for the specified domains by putting a challenge in a local directory |
| + | |||
| + | ;certbot certonly --nginx --cert-name <certificatename> -d <domain> -d <domain> | ||
| + | :Get an new certificate for the certificate with cert-name <certificatename> for the specified domains. | ||
;certbot renew | ;certbot renew | ||
| Line 20: | Line 23: | ||
;certbot delete | ;certbot delete | ||
:Presents a menu to delete files for a domain | :Presents a menu to delete files for a domain | ||
| + | |||
| + | ;certbot certificates --cert-name <certificatename> | ||
| + | :Show the certificate with the specified name, without --cert-name all certbot certificates on this server are shown. | ||
==Move to a new server== | ==Move to a new server== | ||
Revision as of 19:02, 5 March 2023
Letsencrypt is an initiative to have the web encrypted all over the place:
It is using certbot to create and maintain SSL-certificates for websites.
20230226: Certbot has moved to a snap (Don´t like that) and the gandi-plugin is not available for that. Check this
- Get the software
apt-get install certbot python-certbot-nginx
- certbot certonly --nginx -d <domain> -d <domain>
- Get a certificate for the specified domains by putting a challenge in a local directory
- certbot certonly --nginx --cert-name <certificatename> -d <domain> -d <domain>
- Get an new certificate for the certificate with cert-name <certificatename> for the specified domains.
- certbot renew
- Manual renewal of the certificates that are due for it. Certbot installs a cronjob in /etc/cron.d to check for renewal every 12 hours.
- certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi.ini -d <domainname>
- Get a certificate by DNS-authenication (for gandi-DNS). Certbot must be able to use the API of your DNS-server. Create a new, as far as possible restricted, account for this. You need to install the gandi plugin for certbot first.
- certbot revoke --cert-path /etc/letsencrypt/archive/<domainname>/cert1.pem
- Revoke an certificate, you get the option to remove all related files
- certbot delete
- Presents a menu to delete files for a domain
- certbot certificates --cert-name <certificatename>
- Show the certificate with the specified name, without --cert-name all certbot certificates on this server are shown.
Move to a new server
Inspiration came from Ivan Derevianko. It can be even simpler.
Provided you have all configuration the same on the new server as on the old one you only need to do:
- Archive certificates on the old servers
tar cvf letsencrypt.tar ./letsencrypt
- Move them to a new server
- Extract to the same location
Issue
Failed to renew on a server that redirects to https:
server {
listen 443 ssl;
listen [::]:443 ssl;
listen 80;
listen [::]:80;
server_name *.domain.tld domain.tld;
root /var/www/html;
access_log /var/log/nginx/domain.access.log combined;
error_log /var/log/nginx/domain.error.log error;
ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem;
location ~ /.well-known {
allow all;
}
# Comment the redirect for letsencrypt renewal
if ($scheme = http) {
return 301 https://$host$request_uri;
}