Letsencrypt
Jump to navigation
Jump to search
Letsencrypt is an initiative to have the web encrypted all over the place:
It is using certbot to create and maintain SSL-certificates for websites.
- Get the software
apt-get install certbot python-certbot-nginx
- certbot renew
- Manual renewal of the certificates that are due for it. Certbot installs a cronjob in /etc/cron.d to check for renewal every 12 hours.
- certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi.ini -d <domainname>
- Get a certificate by DNS-authenication (for gandi-DNS). Certbot must be able to use the API of your DNS-server. Create a new, as far as possible restricted, account for this. You need to install the gandi plugin for certbot first.
- certbot revoke --cert-path /etc/letsencrypt/archive/<domainname>/cert1.pem
- Revoke an certificate, you get the option to remove all related files
- certbot delete
- Presents a menu to delete files for a domain
Move to a new server
Inspiration came from Ivan Derevianko. It can be even simpler.
Provided you have all configuration the same on the new server as on the old one you only need to do:
- Archive certificates on the old servers
tar cvf letsencrypt.tar ./letsencrypt
- Move them to a new server
- Extract to the same location
Issue
Failed to renew on a server that redirects to https:
server {
listen 443 ssl;
listen [::]:443 ssl;
listen 80;
listen [::]:80;
server_name *.domain.tld domain.tld;
root /var/www/html;
access_log /var/log/nginx/domain.access.log combined;
error_log /var/log/nginx/domain.error.log error;
ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem;
location ~ /.well-known {
allow all;
}
# Comment the redirect for letsencrypt renewal
if ($scheme = http) {
return 301 https://$host$request_uri;
}