Letsencrypt

From wiki
Revision as of 12:22, 26 February 2023 by Hdridder (talk | contribs)
Jump to navigation Jump to search

Letsencrypt is an initiative to have the web encrypted all over the place:

It is using certbot to create and maintain SSL-certificates for websites.

20230226: Certbot has moved to a snap (Don´t like that) and the gandi-plugin is not available for that. Check this

  • Get the software
apt-get install certbot python-certbot-nginx
certbot certonly --nginx
Get a certificate by putting a challenge in a local directory
certbot renew
Manual renewal of the certificates that are due for it. Certbot installs a cronjob in /etc/cron.d to check for renewal every 12 hours.
certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi.ini -d <domainname>
Get a certificate by DNS-authenication (for gandi-DNS). Certbot must be able to use the API of your DNS-server. Create a new, as far as possible restricted, account for this. You need to install the gandi plugin for certbot first.
certbot revoke --cert-path /etc/letsencrypt/archive/<domainname>/cert1.pem
Revoke an certificate, you get the option to remove all related files
certbot delete
Presents a menu to delete files for a domain

Move to a new server

Inspiration came from Ivan Derevianko. It can be even simpler.

Provided you have all configuration the same on the new server as on the old one you only need to do:

  • Archive certificates on the old servers
tar cvf letsencrypt.tar ./letsencrypt
  • Move them to a new server
  • Extract to the same location

Issue

Failed to renew on a server that redirects to https: 

server {
 listen 443 ssl;
 listen [::]:443 ssl;
 listen 80;
 listen [::]:80;

 server_name *.domain.tld domain.tld;
 root /var/www/html;
 access_log /var/log/nginx/domain.access.log combined;
 error_log /var/log/nginx/domain.error.log error;

 ssl_certificate      /etc/letsencrypt/live/domain.org/fullchain.pem;
 ssl_certificate_key  /etc/letsencrypt/live/domain.org/privkey.pem;

 location ~ /.well-known {
  allow all;
 }

# Comment the redirect for letsencrypt renewal
 if ($scheme = http) {
  return 301 https://$host$request_uri;
 }
Retrieved from "https://wiki.antiperfect.org/index.php?title=Letsencrypt&oldid=1376"