Let's Encrypt
Prerequisites
- Web Server
- For automation of the certificate generation/renewal process.
Required Packages
sudo pacman -Syu certbot[-nginx|-apache]
Web Server Configuration
NginX Configuration
# ACME challenge
location ^~ /.well-known {
    allow all;
    alias /var/lib/letsencrypt/$host/.well-known;
    default_type "text/plain";
    try_files $uri =404;
}
Apache Configuration
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/$host/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
Other Web Servers
All other web servers must use the webroot method.
Generating Certificates
sudo certbot certonly --email <email> [--nginx|--apache|--webroot -w /var/lib/letsencrypt/$host -d $host] --agree-tos
The nginx and apache plugins will guide you and help automate the process.
Renewing Certificates automatically
Either of the following, a systemd timer or a crontab entry, will automatically renew your certificates every 2 months on the first Sunday of the month at 4am.
Systemd
/etc/systemd/system/certbot.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --agree-tos --no-redirect
/etc/systemd/system/certbot.timer
[Unit]
Description=Bi-monthly renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
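The timer schedule above, replayed against certificate lifetimes to show where it leaves a gap. This is an added example, not part of the original page or of certbot. It assumes a 90-day certificate lifetime and that `certbot renew` only acts when fewer than 30 days remain; the function names and the 2024 issue date are constructed for illustration.

```python
from datetime import date, timedelta

# Assumptions, not stated on the page: certificates are valid for 90 days and
# `certbot renew` only replaces one that has fewer than 30 days left.
LIFETIME = timedelta(days=90)
RENEW_WINDOW = timedelta(days=30)
TIMER_MONTHS = (1, 3, 5, 7, 9, 11)  # from OnCalendar=Sun *-1,3,5,7,9,11-1..7


def first_sundays(start, end, months=TIMER_MONTHS):
    """Dates of the first Sunday of each listed month within [start, end]."""
    runs = []
    for year in range(start.year, end.year + 1):
        for month in months:
            day = date(year, month, 1)
            day += timedelta(days=(6 - day.weekday()) % 7)  # Monday=0, Sunday=6
            if start <= day <= end:
                runs.append(day)
    return runs


def simulate(issued, runs):
    """Replay the renewal runs; return (run_date, action, days_left) tuples."""
    expires = issued + LIFETIME
    log = []
    for run in runs:
        left = (expires - run).days  # negative once the certificate has expired
        if expires - run < RENEW_WINDOW:
            log.append((run, "renewed", left))
            expires = run + LIFETIME
        else:
            log.append((run, "skipped", left))
    return log


def expired_days(log):
    """Days certificates had already been expired by the time a run renewed them."""
    return sum(-left for _, action, left in log if action == "renewed" and left < 0)


if __name__ == "__main__":
    # Constructed scenario: certificate issued during the 7 Jan 2024 run.
    runs = first_sundays(date(2024, 1, 8), date(2025, 12, 31))
    log = simulate(date(2024, 1, 7), runs)
    for run, action, left in log:
        print(f"{run}  {action:8}  {left:+d} days to expiry")
    print("days served with an expired certificate:", expired_days(log))
```

When two runs are only 56 days apart, the certificate still has 34 days left and is skipped, so the following run arrives 29 days after it expired. Running `certbot renew` much more often closes the gap, since it does nothing until a certificate is inside the renewal window.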
Crontab
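# cron ORs day-of-month and day-of-week when both are restricted, so the Sunday test is done in the command
0 4 1-7 2-12/2 * [ "$(date +\%u)" -eq 7 ] && /usr/bin/certbot renew --agree-tos --no-redirect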