Certbot: Difference between revisions

From Jens' Wiki
Latest revision as of 18:51, 17 January 2021

Certbot

Generate a Let's Encrypt cert, using Certbot (https://certbot.eff.org/#ubuntuxenial-other).

Unspecified Webserver on Ubuntu 16.04 (xenial)

Install

Since Certbot is packaged for your system, all you'll need to do is apt-get the following package.

$ sudo apt-get install letsencrypt

Get Started

Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn't yet support automatic installation, you'll have to use the certonly command to obtain your certificate.

To obtain a cert using the "webroot" plugin, which can work with the webroot directory of any webserver software:

Note:

Ubuntu Xenial has an old version of Certbot packaged for it that lacks a few features. The webroot plugin doesn't have an interactive mode, so you'll need to specify your domains and webroot paths on the command line to use this plugin.

$ letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

Note:

To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
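A quick way to verify the point made in the note above before running the webroot command: place a throwaway token under the challenge directory and fetch it over plain HTTP, the same path the Let's Encrypt validation server will request. The script below is an added example and is not part of the wiki page or of Certbot; the webroot path and domain are taken from the command line, and curl is assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the wiki or Certbot): pre-flight check for the
# webroot plugin. Writes a token into <webroot>/.well-known/acme-challenge,
# fetches it over HTTP and reports whether the webserver actually served it.
set -eu

CHALLENGE_DIR=".well-known/acme-challenge"

# Print the URL the validation server will request for a given token.
challenge_url() {
    printf 'http://%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"
}

# Create the token file under the webroot and print its path.
write_challenge_token() {
    webroot="$1"; token="$2"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    printf '%s\n' "$webroot/$CHALLENGE_DIR/$token"
}

# Remove the token file again so no stale files are left in the webroot.
remove_challenge_token() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# Returns 0 when the served body matches the file we wrote, 1 otherwise.
check_acme_path() {
    webroot="$1"; domain="$2"
    token="preflight-$$-$(date +%s)"
    write_challenge_token "$webroot" "$token" > /dev/null
    # -f: treat HTTP errors such as 403/404 as failure
    # -L: follow a redirect (for example a forced-HTTPS rewrite)
    body=$(curl -fsSL --max-time 10 "$(challenge_url "$domain" "$token")" || true)
    remove_challenge_token "$webroot" "$token"
    if [ "$body" = "$token" ]; then
        echo "OK: $domain serves $CHALLENGE_DIR from $webroot"
        return 0
    fi
    echo "FAIL: $domain did not serve the token (got: '${body:-<empty>}')" >&2
    return 1
}

# Usage: ./acme-preflight.sh /var/www/example example.com
if [ "$#" -ge 2 ]; then
    check_acme_path "$1" "$2"
fi
```

Run it once per webroot/domain pair you intend to pass with -w/-d; a FAIL usually means the webserver blocks dot-directories or rewrites the request elsewhere, which is exactly what the note warns about.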

To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:

$ letsencrypt certonly --standalone -d example.com -d www.example.com

Automating renewal

Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

letsencrypt renew --dry-run --agree-tos

There's a bug in the version of Certbot on Ubuntu Xenial which may show a warning saying 'Registering without email!' even if you have previously given an email to Certbot. Don't worry if this happens; it will not affect your renewal. If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

letsencrypt renew

More detailed information and options about renewal can be found in the full documentation.

Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

Lighttpd

Lighttpd is not able to auto set up Let's Encrypt.

Lighttpd config

The pemfile is the cert and privkey combined into a single .pem file.
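Because lighttpd cannot be set up automatically, the two manual pieces from the renewal section and this one have to be glued together: a job that runs letsencrypt renew twice a day at a random minute, and a step that rebuilds the combined cert+privkey .pem after each renewal. The script below is an added example, not code from the wiki or from Certbot; it assumes the standard Certbot live directory /etc/letsencrypt/live/<domain> (containing privkey.pem and cert.pem) and an output path of your choosing that the lighttpd ssl.pemfile directive points at.

```sh
#!/bin/sh
# Added example (not from the wiki or Certbot): rebuild the combined
# cert+privkey .pem that lighttpd reads, and emit a cron line that runs
# the renewal twice a day at a random minute, as the text advises.
set -eu

# Concatenate privkey.pem and cert.pem from a Certbot live dir into one file.
# The key is secret, so the file is created with mode 600 from the start
# (never write the key to a world-readable file and chmod it afterwards).
build_lighttpd_pem() {
    live_dir="$1"; out="$2"
    tmp="$out.tmp.$$"
    ( umask 077; cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$tmp" )
    mv "$tmp" "$out"   # atomic replace: lighttpd never sees a half-written file
    printf '%s\n' "$out"
}

# Emit a /etc/cron.d style line: random minute, two runs 12 hours apart,
# then the rebuild hook given as $1. Two bytes from /dev/urandom pick the
# slot so that every host renews at a different time.
renew_cron_line() {
    rnd=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    minute=$(( rnd % 60 ))
    hour=$(( (rnd / 60) % 12 ))
    printf '%s %s,%s * * * root letsencrypt renew && %s\n' \
        "$minute" "$hour" "$((hour + 12))" "$1"
}

# Usage (as root), paths are illustrative:
#   build_lighttpd_pem /etc/letsencrypt/live/example.com /etc/lighttpd/ssl/example.com.pem
#   renew_cron_line /usr/local/sbin/rebuild-lighttpd-pem.sh >> /etc/cron.d/letsencrypt
```

After installing the cron line, reload lighttpd in the hook script as well, since lighttpd reads the pemfile only at start; the rebuild itself is atomic, so a reload that races with renewal still sees a complete file.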