====== Certbot / LetsEncrypt ======


===== Installation =====

<code>
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
</code>

===== Configuration =====

==== nginx ====

Good guide for nginx config and cronjob for auto renew\\
[[https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8]]


Create "/etc/nginx/letsencrypt/letsencrypt.conf" with the following

<code bash letsencrypt.conf>
location ^~ /.well-known/acme-challenge/ {
               default_type "text/plain";
               root /usr/local/nginx/html/letsencrypt;
}
</code>

Add this to your siteconfiguration inside server{} for http/ port80
<code>include /etc/nginx/letsencrypt/letsencrypt.conf;</code>

Create a folder for challenges
<code>mkdir -p /usr/local/nginx/html/letsencrypt/.well-known/acme-challenge</code>

==== apache2 ====

Just try it. 

===== Get certs =====

<code>
certbot certonly --webroot --agree-tos --no-eff-email --email <yourmail> -w /var/www/lunetikk/ -d lunetikk.de -d www.lunetikk.de
</code>

==== nginx ==== 
Add to your vhost config
<code>
ssl_certificate /etc/letsencrypt/live/lunetikk.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lunetikk.de/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/lunetikk.de/fullchain.pem;
</code>

==== apache2 ==== 
Add to your vhost config
<code>
SSLCertificateFile /etc/letsencrypt/live/lunetikk.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lunetikk.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/lunetikk.de/fullchain.pem
</code>

===== Automation =====

Create a script for automation

<code>
#!/bin/bash
/usr/bin/certbot renew --renew-hook "service apache2 reload" > /var/log/certbot-renew.log
mail -s "CERTBOT Renewals" <YOURMAILADDRESS> < /var/log/certbot-renew.log
DATE=`date +%Y-%m-%d`
mv /var/log/certbot-renew.log /var/log/certbot-renew_%DATE.log
exit 0
</code>

Add to your crontab

<code>@daily /bin/certbotrenew.sh</code>

===== Commands =====

^  Command  ^  Function  ^
|  %%certbot certonly --webroot --agree-tos --no-eff-email --email <mail> -w /usr/local/nginx/html/letsencrypt -d <www.domain.de> -d <domain.de>%%  |  Obtain or renew a certificate  |
|  certbot  renew  |  Renew all previously obtained certificates that are near expiry  |
|  %%certbot certonly --dry-run%%  |  Test "renew" or "certonly" without saving any certificates to disk  |
|  certbot certificates  |  Display information about certificates you have from Certbot  |
|  certbot revoke  |  Revoke a certificate (supply --cert-path)  |
|  certbot delete  |  Delete a certificate  |