Now they renamed it from Letsencrypt to Certbot.
Working on script to reflect the change but i have to make sure it does not change | Break all required dependencies.
Great thing happen securing internet servers, And it's Free.
But there is catch, You have to renew your certificated Often.
Since they provided tool to do so, i don't think there is problem at all.
One thing, i've noticed that on AWS, some how authentication using the webroot method fails.
So i had to use http method, which works perfectly fine.
But, renewal works without any issue using webroot.
First install command line API tool. letsencrypt source
There is many way you can get new certificate or renew certificate.
But i like following way, which can be scripted easily.
./letsencrypt-auto --email <email> --agree-tos certonly -d <fqdn> -c <Location_for_config>
It is good idea to create config file for each certificate because we can use it for renewal
# Domain which you are trying to get certificate for; # multiple domain like aliases can be saperated by comma # e.g. domains = wiki.k2patel.in, dokuwiki.k2patel.in domains = wiki.k2patel.in # Define rsa keysize rsa-key-size = 4096 # Define the api server server = https://acme-v01.api.letsencrypt.org/directory # email address for your certificate email = k2patel@rediffmail.com # we can disable the UI and turn on the text mode text = True # authenticate by placing file in webroot located under .well-known/acme-challenge/ authenticator = webroot webroot-path = /var/www/letsencrypt/
I'm using https redirect for my hosts so i use following code on each domain.
Works fine for me.
if ($request_uri !~ "^/.well-known/acme-challenge/(.*)") { rewrite ^(.*) https://$host$1 permanent; } location /.well-known/acme-challenge { root /var/www/letsencrypt; }
SSL Configuration
ssl on; ssl_certificate_key /etc/letsencrypt/live/fqdn.testdomain.com/privkey.pem; ssl_certificate /etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem; ssl_trusted_certificate /etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem;
So each domain only need to redirect to HTTPS if URL requested is from acme.
RewriteEngine On RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]
SSL configuration
SSLEngine on SSLCertificateFile "/etc/letsencrypt/live/fqdn.testdomain.com/cert.pem" SSLCertificateKeyFile "/etc/letsencrypt/live/fqdn.testdomain.com/privkey.pem" SSLCACertificatePath "/etc/letsencrypt/live/fqdn.testdomain.com/" SSLCertificateChainFile "/etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem"
Now i have script which run every 11 week.
#!/usr/bin/env bash # ############# # # Renew Certificate using lets-encrypt # Author : Ketan Patel <k2patel.in> # License : BSD # ############# source /etc/bashrc # Globals ( Please update ) # ldomains=('wiki.k2patel.in' 'www.k2patel.in' 'ip.k2patel.in' 'rpm.k2patel.in') LETSENCRYPT_HOME="/root/letsencrypt" WEBSERVER="nginx" # Enable System level logging # Redirect log to logger exec 1> >(logger -t $(basename $0)) 2>&1 for i in ${ldomains[@]} do ${LETSENCRYPT_HOME}/letsencrypt-auto certonly -c /etc/letsencrypt/config/${i}.conf --renew-by-default done # Start web services if /usr/bin/systemctl restart ${WEBSERVER} ; then echo "Web service re-started after certificate renewal." else echo "Failed to start web services" fi