User Tools

Site Tools


letsencrypt

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
letsencrypt [2016/04/27 06:49]
k2patel created
letsencrypt [2018/09/25 10:44] (current)
k2patel
Line 1: Line 1:
-====== Letsencrypt ======+====== Letsencrypt ​| Certbot ​======
  
 +Now they renamed it from Letsencrypt to Certbot.\\
 +Working on script to reflect the change but i have to make sure it does not change | Break all required dependencies.\\
 Great thing happen securing internet servers, And it's Free.\\ Great thing happen securing internet servers, And it's Free.\\
 But there is catch, You have to renew your certificated Often.\\ But there is catch, You have to renew your certificated Often.\\
 Since they provided tool to do so, i don't think there is problem at all.\\ Since they provided tool to do so, i don't think there is problem at all.\\
 +
 +One thing, i've noticed that on AWS, some how authentication using the webroot method fails.\\
 +So i had to use http method, which works perfectly fine.\\
 +But, renewal works without any issue using webroot.\\
  
 First install command line API tool. First install command line API tool.
Line 15: Line 21:
 </​code>​ </​code>​
  
 +==== configuration for certificate request / location ====
 //It is good idea to create config file for each certificate because we can use it for renewal// //It is good idea to create config file for each certificate because we can use it for renewal//
  
 <code ini sample_config>​ <code ini sample_config>​
 # Domain which you are trying to get certificate for; # Domain which you are trying to get certificate for;
 +# multiple domain like aliases can be saperated by comma
 +# e.g. domains = wiki.k2patel.in,​ dokuwiki.k2patel.in
 domains = wiki.k2patel.in domains = wiki.k2patel.in
  
Line 38: Line 47:
 </​code>​ </​code>​
  
 +==== Nginx configuration ====
 +I'm using https redirect for my hosts so i use following code on each domain.\\
 +Works fine for me.
  
 +<code conf nginx.conf>​
 +    if ($request_uri !~ "​^/​.well-known/​acme-challenge/​(.*)"​) {
 +        rewrite ​    ​^(.*) ​  ​https://​$host$1 permanent;
 +    }
 +    location /​.well-known/​acme-challenge {
 +        root /​var/​www/​letsencrypt;​
 +    }
 +</​code>​
 +
 +
 +SSL Configuration
 +<code conf ssl.conf>​
 +    ssl on;
 +    ssl_certificate_key /​etc/​letsencrypt/​live/​fqdn.testdomain.com/​privkey.pem;​
 +    ssl_certificate /​etc/​letsencrypt/​live/​fqdn.testdomain.com/​fullchain.pem;​
 +    ssl_trusted_certificate /​etc/​letsencrypt/​live/​fqdn.testdomain.com/​fullchain.pem;​
 +</​code>​
 +==== Apache Configuration ====
 +So each domain only need to redirect to HTTPS if URL requested is from acme.
 +
 +<code conf domain.conf>​
 +        RewriteEngine On
 +        RewriteCond %{REQUEST_URI} !^/​.well-known/​acme-challenge [NC]
 +        RewriteCond %{HTTPS} off
 +        RewriteRule ^(.*)$ https://​%{HTTP_HOST}%{REQUEST_URI} [L,R=302]
 +</​code>​
 +
 +
 +SSL configuration
 +<code conf ssl.conf>​
 +        SSLEngine on
 +        SSLCertificateFile ​     "/​etc/​letsencrypt/​live/​fqdn.testdomain.com/​cert.pem"​
 +        SSLCertificateKeyFile ​  "/​etc/​letsencrypt/​live/​fqdn.testdomain.com/​privkey.pem"​
 +        SSLCACertificatePath ​   "/​etc/​letsencrypt/​live/​fqdn.testdomain.com/"​
 +        SSLCertificateChainFile "/​etc/​letsencrypt/​live/​fqdn.testdomain.com/​fullchain.pem"​
 +</​code>​
 +==== Cron setup ====
 +Now i have script which run every 11 week.
 +
 +<code bash letsrenew>​
 +#​!/​usr/​bin/​env bash
 +#
 +#############​
 +#
 +# Renew Certificate using lets-encrypt
 +# Author : Ketan Patel <​k2patel.in>​
 +# License : BSD
 +#
 +#############​
 +source /etc/bashrc
 +
 +# Globals ( Please update )
 +#
 +ldomains=('​wiki.k2patel.in'​ '​www.k2patel.in'​ '​ip.k2patel.in'​ '​rpm.k2patel.in'​)
 +LETSENCRYPT_HOME="/​root/​letsencrypt"​
 +WEBSERVER="​nginx"​
 +
 +# Enable System level logging
 +# Redirect log to logger
 +exec 1> >(logger -t $(basename $0)) 2>&1
 +
 +for i in ${ldomains[@]}
 +  do
 +    ${LETSENCRYPT_HOME}/​letsencrypt-auto certonly -c /​etc/​letsencrypt/​config/​${i}.conf --renew-by-default
 +  done
 +
 +# Start web services
 +if /​usr/​bin/​systemctl restart ${WEBSERVER} ; then
 +   echo "Web service re-started after certificate renewal."​
 +else
 +   echo "​Failed to start web services"​
 +fi
 +</​code>​
letsencrypt.1461754165.txt.gz ยท Last modified: 2016/04/27 06:49 by k2patel