Let's Encrypt: Difference between revisions

From Han Wiki
Jump to navigation Jump to search
→‎Adding multiple domain names for a certificate: Getting certificates for a separate server using manual mode
mNo edit summary
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
* ''Last tested on Ubuntu 14.04.2 LTS (trusty) | easy | less than ten minutes | 27 June 2016''
You can find all about '''Let's Encrypt''' initiative at their [https://letsencrypt.org/ website].  
You can find all about '''Let's Encrypt''' initiative at their [https://letsencrypt.org/ website].  
The most current instruction can be found at [https://www.eff.org/ EFF]'s [https://certbot.eff.org/ certbot] site.
The most current instruction can be found at [https://www.eff.org/ EFF]'s [https://certbot.eff.org/ certbot] site.
Line 6: Line 4:
This one is for Ubuntu 14.04 (trusty) and pursues the easier-to-use option. I'm assuming that you have a sudo access, although that isn't an absolute requirement.
This one is for Ubuntu 14.04 (trusty) and pursues the easier-to-use option. I'm assuming that you have a sudo access, although that isn't an absolute requirement.


== Installation ==
= Installation =
''Last tested on Ubuntu 14.04 LTS (trusty)''
{{Testedon|2016-06-27|Ubuntu 14.04.2 LTS}}


Note: On Ubuntu 16.04.01 LTS (xenial), you can just run <code>apt install letsencrypt</code> and use <span class="package">letsencrypt</span> in place of <span class="package">certbot-auto</span> command in the following instruction.  It's the equivalent program, so there doesn't seem to be any issues with parameters used here.
Note: On Ubuntu 16.04.01 LTS (xenial), you can just run <code>apt install letsencrypt</code> and use <span class="package">letsencrypt</span> in place of <span class="package">certbot-auto</span> command in the following instruction.  It's the equivalent program, so there doesn't seem to be any issues with parameters used here.
Line 35: Line 33:
<code>certbot-auto</code> creates a folder in <span class="path">/etc/letsencrypt/</span> as a default.
<code>certbot-auto</code> creates a folder in <span class="path">/etc/letsencrypt/</span> as a default.


== Adding more domains ==
 
= List the certificates =
 
<syntaxhighlight lang="console">
$ certbot-auto certificates
</syntaxhighlight>
 
= Adding more domains =
{{Testedon|2016-06-27|Ubuntu 14.04.2 LTS}}


After the initial installation, if you need to add more domains you can do it directly from the CLI.
After the initial installation, if you need to add more domains you can do it directly from the CLI.
Line 43: Line 49:
</syntaxhighlight>
</syntaxhighlight>


== Configuring to auto-renew certificate ==
= Configuring to auto-renew certificate =
{{Testedon|2016-06-27|Ubuntu 14.04.2 LTS}}


<code>certbot-auto</code> can also auto-renew certificates by adding a command as a cronjob.
<code>certbot-auto</code> can also auto-renew certificates by adding a command as a cronjob.
Line 57: Line 64:
</syntaxhighlight>
</syntaxhighlight>


== Adding multiple domain names for a certificate ==
= Adding multiple domain names for a certificate =
{{Testedon|2016-06-27|Ubuntu 14.04.2 LTS}}


You can use one certificate for multiple domains. The certificate is generated, but you need to install it yourself.
You can use one certificate for multiple domains. The certificate is generated, but you need to install it yourself.


<source lang="bash" highlight="1">
<syntaxhighlight lang="bash" highlight="1">
$ certbot-auto certonly --webroot -w /srv/www/mysite.com/ -d www.mysite.com -d mysite.com -w /srv/www/blog.mysite.com/ -d blog.mysite.com
$ certbot-auto certonly --webroot -w /srv/www/mysite.com/ -d www.mysite.com -d mysite.com -w /srv/www/blog.mysite.com/ -d blog.mysite.com


Line 75: Line 83:
   Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
   Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
   Donating to EFF:                    https://eff.org/donate-le
</source>
</syntaxhighlight>


== Getting certificates for a separate server using manual mode ==
= Getting certificates for a separate server using manual mode =
{{Testedon|2016-06-27|Ubuntu 14.04.2 LTS}}


This will start an interactively, manual mode.
This will start an interactively, manual mode.


<source lang="bash" highlight="1">
<syntaxhighlight lang="bash" highlight="1">
$ certbot-auto certonly --manual -d test.com -d www.test.com
$ certbot-auto certonly --manual -d test.com -d www.test.com
</source>
</syntaxhighlight>
 
 
= Revoking and/or deleting certificates =
{{Testedon|2022-03-24|Ubuntu 20.04.4 LTS (focal)}}
 
The optional <span class="package">reason</span> flag can have the following values:
<span class="param">unspecified</span> (default), <span class="param">keycompromise</span>, <span class="param">affiliationchanged</span>, <span class="param">superseded</span>, and <span class="param">cessationofoperation</span>.
 
<syntaxhighlight lang="bash">
$ certbot-auto revoke --cert-path /etc/letsencrypt/live/bamboo.domain.com/cert.pem --reason cessationofoperation
</syntaxhighlight>
 
Revoke AND delete
 
<syntaxhighlight lang="bash">
$ sudo letsencrypt revoke --cert-path /etc/letsencrypt/live/mydomain.com/fullchain.pem --delete-after-revoke --reason superseded
</syntaxhighlight>
 
 
== Deleting certificate files ==
 
<syntaxhighlight lang="console">
$ certbot-auto delete --cert-name domain.com
</syntaxhighlight>
 
= Generating a certificate for wildcard subdomains =
{{Testedon|2022-03-24|Ubuntu 20.04.4 LTS (focal)}}
 
You need to be able to update the DNS zone file for the domain.  Usually, this is referred to as DNS records, and many registrars have a way for you to update the records.  For this, you should be able to add a TXT record.
 
<syntaxhighlight lang="console" highlight="1,2">
$ sudo letsencrypt certonly --manual -d 'mydomain.com,*.mydomain.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
 
w_DD-eTEIk4VxoNFBm6VbLTkNkcD1pml_DYpzIRtK7M
 
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
 
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/mydomain.com/privkey.pem
  Your cert will expire on 2018-12-08. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew *all* of your certificates, run
  "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
 
  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le
 
</syntaxhighlight>
 
= Resources =
 
[https://linuxtechlab.com/complete-guide-to-configure-ssl-on-nginx-with-lets-encrypt-ubuntu-centos-rhel/ Complete guide to configure SSL on Nginx with Let’s Encrypt for Ubuntu/CentOS/RHEL] ([https://private.michaelhan.net/snapshots/nginx-1.pdf Snapshot])

Latest revision as of 07:51, 31 August 2023

You can find all about Let's Encrypt initiative at their website. The most current instruction can be found at EFF's certbot site.

This one is for Ubuntu 14.04 (trusty) and pursues the easier-to-use option. I'm assuming that you have a sudo access, although that isn't an absolute requirement.

Installation

  • Last tested on Ubuntu 14.04.2 LTS (2016-06-27)

Note: On Ubuntu 16.04.01 LTS (xenial), you can just run apt install letsencrypt and use letsencrypt in place of certbot-auto command in the following instruction. It's the equivalent program, so there doesn't seem to be any issues with parameters used here.

Download the executable and make it executable.

$ sudo wget https://dl.eff.org/certbot-auto
--2016-06-27 18:36:18--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 173.239.79.196
Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44115 (43K) [text/plain]
Saving to: ‘certbot-auto’

100%[======================================================================================================================================================>] 44,115      --.-K/s   in 0.001s

2016-06-27 18:36:18 (67.8 MB/s) - ‘certbot-auto’ saved [44115/44115]

$ sudo chmod a+x certbot-auto

I prefer to have this type of executable in /usr/local/bin/ folder. It will make it available for other users as well as make it easy add as a cronjob. The ownership is already correct if you used sudo.

Typing sudo certbot-auto --apache in CLI will get you to an interactive menu that will list out all of your domains on Apache2 and will easily generate certificates and even add those Apache directives in the respective virtual domain configuration files (not 100%, but works most of the time).

certbot-auto creates a folder in /etc/letsencrypt/ as a default.


List the certificates

$ certbot-auto certificates

Adding more domains

  • Last tested on Ubuntu 14.04.2 LTS (2016-06-27)

After the initial installation, if you need to add more domains you can do it directly from the CLI.

$ sudo certbot-auto run --apache -d mydomain.net

Configuring to auto-renew certificate

  • Last tested on Ubuntu 14.04.2 LTS (2016-06-27)

certbot-auto can also auto-renew certificates by adding a command as a cronjob.

0 1,13 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

Use crontab to update the cron jobs, and add the above line.

$ sudo crontab -e

Adding multiple domain names for a certificate

  • Last tested on Ubuntu 14.04.2 LTS (2016-06-27)

You can use one certificate for multiple domains. The certificate is generated, but you need to install it yourself.

$ certbot-auto certonly --webroot -w /srv/www/mysite.com/ -d www.mysite.com -d mysite.com -w /srv/www/blog.mysite.com/ -d blog.mysite.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mysite.com/fullchain.pem. Your cert
   will expire on 2016-09-26. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Getting certificates for a separate server using manual mode

  • Last tested on Ubuntu 14.04.2 LTS (2016-06-27)

This will start an interactively, manual mode.

$ certbot-auto certonly --manual -d test.com -d www.test.com


Revoking and/or deleting certificates

  • Last tested on Ubuntu 20.04.4 LTS (focal) (2022-03-24)

The optional reason flag can have the following values: unspecified (default), keycompromise, affiliationchanged, superseded, and cessationofoperation.

$ certbot-auto revoke --cert-path /etc/letsencrypt/live/bamboo.domain.com/cert.pem --reason cessationofoperation

Revoke AND delete

$ sudo letsencrypt revoke --cert-path /etc/letsencrypt/live/mydomain.com/fullchain.pem --delete-after-revoke --reason superseded


Deleting certificate files

$ certbot-auto delete --cert-name domain.com

Generating a certificate for wildcard subdomains

  • Last tested on Ubuntu 20.04.4 LTS (focal) (2022-03-24)

You need to be able to update the DNS zone file for the domain. Usually, this is referred to as DNS records, and many registrars have a way for you to update the records. For this, you should be able to add a TXT record.

$ sudo letsencrypt certonly --manual -d 'mydomain.com,*.mydomain.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

w_DD-eTEIk4VxoNFBm6VbLTkNkcD1pml_DYpzIRtK7M

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2018-12-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Resources

Complete guide to configure SSL on Nginx with Let’s Encrypt for Ubuntu/CentOS/RHEL (Snapshot)