This shows you the differences between two versions of the page.

Old revision: letsencrypt [2018/09/25 14:38] k2patel [Nginx configuration]\\
New revision: letsencrypt [2020/08/10 02:35]

Everything below is present in the old revision only; the newer revision removed it.
====== Letsencrypt | Certbot ======
Now they have renamed it from Letsencrypt to Certbot.\\
I'm working on the script to reflect the change, but I have to make sure it does not change or break any required dependencies.\\
A great thing has happened for securing internet servers, and it's free.\\
But there is a catch: you have to renew your certificates often.\\
Since they provide a tool to do so, I don't think that is a problem at all.\\

First install the command line API tool.
[[https://github.com/letsencrypt/letsencrypt|letsencrypt source]]

There are many ways to get a new certificate or renew an existing one.\\
But I like the following way, which can be scripted easily.

<code bash Get New Certificate>
./letsencrypt-auto --email <email> --agree-tos certonly -d <fqdn> -c <Location_for_config>
</code>

==== configuration for certificate request / location ====
//It is a good idea to create a config file for each certificate, because we can reuse it for renewal//

<code ini sample_config>
# Domain which you are trying to get a certificate for;
# multiple domains (aliases) can be separated by commas
# e.g. domains = wiki.k2patel.in, dokuwiki.k2patel.in
domains = wiki.k2patel.in

# Define the RSA key size
rsa-key-size = 4096

# Define the API server
server = https://acme-v01.api.letsencrypt.org/directory

# email address for your certificate
email = k2patel@rediffmail.com

# we can disable the UI and turn on the text mode
text = True

# authenticate by placing a file in the webroot, located under .well-known/acme-challenge/
authenticator = webroot
webroot-path = /var/www/letsencrypt/
</code>

==== Nginx configuration ====
I'm using an HTTPS redirect for my hosts, so I use the following snippet on each domain.\\
Works fine for me.

<code conf nginx.conf>
# Redirect everything to HTTPS except the ACME challenge path,
# which must stay reachable over plain HTTP for the webroot authenticator
if ($request_uri !~ "^/.well-known/acme-challenge/(.*)") {
    rewrite ^(.*) https://$host$1 permanent;
}
# Serve the challenge files from the webroot-path given in the config
location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
}
</code>


SSL Configuration
<code conf ssl.conf>
ssl on;
ssl_certificate_key /etc/letsencrypt/live/fqdn.testdomain.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem;
</code>
==== Apache Configuration ====
So each domain only needs to redirect to HTTPS when the requested URL is not an ACME challenge.

<code conf domain.conf>
RewriteEngine On
# Skip the redirect for the ACME challenge path; redirect everything else still on HTTP
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]
</code>


SSL configuration
<code conf ssl.conf>
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/fqdn.testdomain.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/fqdn.testdomain.com/privkey.pem"
SSLCACertificatePath "/etc/letsencrypt/live/fqdn.testdomain.com/"
SSLCertificateChainFile "/etc/letsencrypt/live/fqdn.testdomain.com/fullchain.pem"
</code>
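The following is an added example, not part of the original page and not Certbot's own code: a small Python pre-flight check for the webroot authenticator that the config file and the Nginx/Apache snippets above set up. It writes a random token under ''<webroot-path>/.well-known/acme-challenge/'', fetches it over plain HTTP the way the HTTP-01 validator would, and treats a redirect or a mismatched body as a failure, so a missing redirect exemption or a wrong vhost root shows up before a renewal breaks. The webroot directory and the ''http://<fqdn>'' base URL are command-line arguments.

```python
"""Pre-flight check for the webroot authenticator (added example, not Certbot's code).
Writes a random token under <webroot>/.well-known/acme-challenge/, fetches it over plain
HTTP the way the HTTP-01 validator would, and treats a redirect or wrong body as failure."""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx: returning None makes urllib raise HTTPError, so an
    HTTPS redirect on the challenge path surfaces instead of being hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_webroot(webroot, base_url, timeout=5):
    """Return (ok, detail); webroot = the page's webroot-path, base_url = http://<fqdn>."""
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    token = secrets.token_urlsafe(16)       # file name, shaped like an ACME token
    expected = secrets.token_urlsafe(32)    # body we expect to read back
    file_path = os.path.join(challenge_path, token)
    with open(file_path, "w", encoding="ascii") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:        # 3xx (redirect) or 4xx/5xx
        return False, f"{url}: HTTP {exc.code} ({exc.reason})"
    except urllib.error.URLError as exc:         # DNS, refused, timeout
        return False, f"{url}: {exc.reason}"
    finally:
        os.remove(file_path)                     # never leave tokens lying around
    if body.strip() != expected:
        return False, f"{url}: wrong body (does this vhost's root match webroot-path?)"
    return True, f"{url}: OK"


if __name__ == "__main__":
    ok, detail = check_webroot(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it as ''python3 check_webroot.py /var/www/letsencrypt http://wiki.k2patel.in'' before the renewal cron fires; a non-zero exit means the validator would fail too.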
==== Cron setup ====
Now I have a script which runs every 11 weeks.

<code bash letsrenew>
#!/usr/bin/env bash
#
#############
#
# Renew Certificate using lets-encrypt
# Author : Ketan Patel <k2patel.in>
# License : BSD
#
#############
source /etc/bashrc

# Globals ( Please update )
#
ldomains=('wiki.k2patel.in' 'www.k2patel.in' 'ip.k2patel.in' 'rpm.k2patel.in')
LETSENCRYPT_HOME="/root/letsencrypt"
WEBSERVER="nginx"

# Enable System level logging
# Redirect log to logger
exec 1> >(logger -t "$(basename "$0")") 2>&1

# Renew each domain from its own config file (see sample_config above)
for i in "${ldomains[@]}"
do
    "${LETSENCRYPT_HOME}/letsencrypt-auto" certonly -c "/etc/letsencrypt/config/${i}.conf" --renew-by-default
done

# Restart web services so the new certificate is loaded
if /usr/bin/systemctl restart "${WEBSERVER}" ; then
    echo "Web service re-started after certificate renewal."
else
    echo "Failed to start web services"
fi
</code>