Certbot

From Jens\\\\\\\' Wiki
Revision as of 18:50, 17 January 2021 by Jens (talk | contribs)
Jump to navigation Jump to search
Certbot

Generate a Let's Encrypt cert, using Certbot((https://certbot.eff.org/#ubuntuxenial-other))

Unspecified Webserver on Ubuntu 16.04 (xenial)

Install

Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.

$ sudo apt-get install letsencrypt

Get Started

Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn't yet support automatic installation you'll have to use the certonly command to obtain your certificate.

To obtain a cert using the "webroot" plugin, which can work with the webroot directory of any webserver software:

Note:

Ubuntu Xenial has an old version of Certbot packaged for it that lacks a few features. The webroot plugin doesn't have an interactive mode, so you'll need to specify your domains and webroot paths on the command line to use this plugin.

$ letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

Note:

To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.

To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:

$ letsencrypt certonly --standalone -d example.com -d www.example.com

Automating renewal

Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

letsencrypt renew --dry-run --agree-tos

There's a bug in the version of Certbot on Ubuntu Xenial which may show a warning saying 'Registering without email!' even if you have previously given an email to Certbot. Don't worry if this happens, it will not effect your renewal. If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

letsencrypt renew

More detailed information and options about renewal can be found in the full documentation.

Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.=====Lighttpd===== Lighttpd is not able to auto set up Let's Encrypt.

Lighttpd config

The pemfile is cert+privkey combined in a .pem file!.