PLUGINS SUPPORT
letsencrypt supports five plugins to obtain/install certificates, and more are planned for the future.
However, we will only cover the standalone and apache plugins. Using the apache plugin is the recommended way,
as it doesn't require the webserver to be taken offline (causing downtime) during validation.
All domain-specific configuration files are stored in /etc/letsencrypt/live/<DOMAIN-NAME>
Once the certificate is created, you need to enable the SSL module in httpd.conf and configure httpd-ssl.conf
OBTAINING CERTIFICATE USING STANDALONE PLUGIN
Here's what I use to create a certificate using port 443 for domain validation:
certbot certonly --webroot-path=<DOCUMENT-ROOT> --preferred-challenges tls-sni-01 -d <DOMAIN-NAME> \
--email <ADMIN-EMAIL> --renew-by-default --agree-tos --text --standalone
If you want to use port 80 for domain validation, replace
--preferred-challenges tls-sni-01
with
--preferred-challenges http-01
Since 0.14.1, letsencrypt is able to generate/renew certificates for all of your configured vhost domains.
Just run letsencrypt or certbot and you will see that all domains are available.
NOTE:
You need to make sure that the port (80 or 443) is NOT USED before running the above command (i.e. you may need to
temporarily stop your existing webserver).
OBTAINING CERTIFICATE USING APACHE PLUGIN
Thanks to Eric Pratt, certbot/letsencrypt's Apache Plugin is now working well with Slackware.
Here's what I use to create a certificate using port 443 for domain validation:
certbot certonly --apache --webroot-path=<DOCUMENT-ROOT> --preferred-challenges tls-sni-01 -d <DOMAIN-NAME> \
--email <ADMIN-EMAIL> --renew-by-default --agree-tos --text
RENEWAL PROCESS
The best way to automate the certificate renewal is by using the cron service.
Create a bash script in /etc/cron.monthly that does the following actions (depending on which plugin you used):
Standalone: - turn off the httpd service
            - give some delay (2s is enough)
            - run the same command used to generate the certificate, to renew it automatically
            - start the httpd service
Apache Plugin: run the same command used to generate the certificate, to renew it automatically, or use
letsencrypt renew (it will automatically renew when the expiry date is less than a few weeks away).
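Here is an example of such a cron script for the standalone plugin, with a certbot renew branch for the apache plugin; it is an added illustration, not part of this SlackBuild. The domain, e-mail address, document root, log path and the /etc/rc.d/rc.httpd location are assumptions to adapt to your host.

```shell
#!/bin/sh
# /etc/cron.monthly/letsencrypt-renew: monthly renewal for the standalone plugin
# (stop httpd, renew, start httpd) or the apache plugin (certbot renew).
# Added example, not part of this SlackBuild: domain, e-mail, document root and
# the rc.httpd path are placeholders/assumptions; edit them for your host.
PLUGIN="standalone"               # "standalone" or "apache"
CHALLENGE="http-01"               # binds port 80 (tls-sni-01, port 443, is retired)
DOMAIN="example.com"              # constructed placeholder
ADMIN_EMAIL="admin@example.com"   # constructed placeholder
DOCROOT="/var/www/htdocs"         # assumed document root
HTTPD_RC="/etc/rc.d/rc.httpd"     # assumed Slackware httpd init script
LOG="/var/log/letsencrypt-renew.log"

# Port the standalone plugin must bind for a given challenge type.
challenge_port() {
    case "$1" in
        http-01)    echo 80 ;;
        tls-sni-01) echo 443 ;;
        *)          return 1 ;;
    esac
}
# Same certonly command as the initial issue; --renew-by-default re-issues
# even when the current certificate is not close to expiry.
renew_cmd() {
    echo "certbot certonly --standalone --webroot-path=$DOCROOT" \
         "--preferred-challenges $CHALLENGE -d $DOMAIN --email $ADMIN_EMAIL" \
         "--renew-by-default --agree-tos --text"
}

# True if something still listens on the port; certbot could not bind it.
port_in_use() {
    ( ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null ) | grep -q "[:.]$1 "
}

renew_standalone() {
    port=$(challenge_port "$CHALLENGE") || { echo "unknown challenge: $CHALLENGE"; return 1; }
    "$HTTPD_RC" stop
    sleep 2                       # give httpd time to release the port
    if port_in_use "$port"; then
        echo "port $port still in use; skipping renewal"; "$HTTPD_RC" start; return 1
    fi
    eval "$(renew_cmd)"; status=$?
    "$HTTPD_RC" start             # always bring the web server back
    return $status
}
# Run only when invoked as the cron script, so the functions can be sourced/tested.
case "$0" in */letsencrypt-renew)
    if [ "$PLUGIN" = apache ]; then certbot renew; else renew_standalone; fi >>"$LOG" 2>&1 ;;
esac
```

Install it as /etc/cron.monthly/letsencrypt-renew, make it executable, and check $LOG after the first run.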
RATE LIMIT
Rate limit on registrations per IP is now 500 per 3 hours.
Rate limit on certificates per Domain is now 20 per 7 days.
See complete documentation here: https://letsencrypt.org/docs/rate-limits/
CONFIGURATION FILES
It is possible to specify a configuration file with letsencrypt --config cli.ini (or shorter, -c cli.ini).
An example configuration file is shown below:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
# email = foo@example.com
# Uncomment and update to generate certificates for the specified
# domains.
# domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone or apache authenticator on port 443
# authenticator = standalone / apache
# preferred-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html
By default, the following locations are searched:
/etc/letsencrypt/cli.ini
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).