blob: aba34175809af4ad007d4ee555c03ae47ef88e2c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
PLUGIN SUPPORT
letsencrypt support five plugins to obtain/install certificates and many more to come in the future.
However, we will only cover standalone plugin because apache plugin only works on Debian-based OS for now
and nginx is still considered very experimental.
OBTAINING CERTIFICATE USING STANDALONE PLUGIN
Since Slackware is not yet supported, instead of running "letsencrypt-auto certonly"
as instructed, you can run "letsencrypt certonly" to install certificates manually using standalone plugin.
Here's what i use to create a certificate using port 443 for domain validation
letsencrypt certonly --webroot-path=<DOCUMENT-ROOT> --standalone-supported-challenges tls-sni-01 -d <DOMAIN-NAME> \
--email <ADMIN-EMAIL> --renew-by-default --agree-tos --text --standalone
If you want to use port 80 for domain validation, replace
--standalone-supported-challenges tls-sni-01
with
--standalone-supported-challenges http-01
NOTE:
You need to make sure that the port (80 or 443) is NOT USED before running above command (ie. you may need to
temporarily stop your exising webserver)
All domain-spesific configuration files are stored in /etc/letsencrypt/live/<DOMAIN-NAME>
Once certificate is created, you need to enable and configure httpd-ssl.conf
RENEWAL PROCESS
Best way is to use a simple bash script that perform following actions:
- turn off httpd service
- give some delay (2s is enough)
- run the above command to renew automatically
- start httpd service
RATE LIMIT
Rate limit on registrations per IP is now 10 per 3 hours.
Rate limit on certificates per Domain is now 5 per 7 days.
CONFIGURATION FILES
It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini).
An example configuration file is shown below:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
# email = foo@example.com
# Uncomment and update to generate certificates for the specified
# domains.
# domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html
By default, the following locations are searched:
/etc/letsencrypt/cli.ini
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).
|