User Tools

Site Tools


linux:ubuntu:certbot

Certbot / LetsEncrypt

Installation

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Configuration

nginx

Good guide for nginx config and cronjob for auto renew
https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8

Create “/etc/nginx/letsencrypt/letsencrypt.conf” with the following

letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
               default_type "text/plain";
               root /usr/local/nginx/html/letsencrypt;
}

Add this to your siteconfiguration inside server{} for http/ port80

include /etc/nginx/letsencrypt/letsencrypt.conf;

Create a folder for challenges

mkdir -p /usr/local/nginx/html/letsencrypt/.well-known/acme-challenge

apache2

Just try it.

Get certs

certbot certonly --webroot --agree-tos --no-eff-email --email <yourmail> -w /var/www/lunetikk/ -d lunetikk.de -d www.lunetikk.de

nginx

Add to your vhost config

ssl_certificate /etc/letsencrypt/live/lunetikk.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lunetikk.de/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/lunetikk.de/fullchain.pem;

apache2

Add to your vhost config

SSLCertificateFile /etc/letsencrypt/live/lunetikk.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lunetikk.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/lunetikk.de/fullchain.pem

Automation

Create a script for automation

#!/bin/bash
/usr/bin/certbot renew --renew-hook "service apache2 reload" > /var/log/certbot-renew.log
mail -s "CERTBOT Renewals" <YOURMAILADDRESS> < /var/log/certbot-renew.log
DATE=`date +%Y-%m-%d`
mv /var/log/certbot-renew.log /var/log/certbot-renew_%DATE.log
exit 0

Add to your crontab

@daily /bin/certbotrenew.sh

Commands

Command Function
certbot certonly --webroot --agree-tos --no-eff-email --email <mail> -w /usr/local/nginx/html/letsencrypt -d <www.domain.de> -d <domain.de> Obtain or renew a certificate
certbot renew Renew all previously obtained certificates that are near expiry
certbot certonly --dry-run Test “renew” or “certonly” without saving any certificates to disk
certbot certificates Display information about certificates you have from Certbot
certbot revoke Revoke a certificate (supply --cert-path)
certbot delete Delete a certificate
linux/ubuntu/certbot.txt · Last modified: 2018/12/13 09:28 by lunetikk