Differences

This shows you the differences between two versions of the page.

--- certbot [2019-09-16 14:11:30]
mi
+++ certbot [2022-12-13 12:26:37] (current)
mi [Use cron instead of systemd timers]
@@ Line 1: / Line 1: @@
-====== certbot ======
+= certbot
+== Install
+=== install in Jessie
+For Debian 8 (Jessie):
+<code>
+apt remove certbot
+wget https://dl.eff.org/certbot-auto
+mv certbot-auto /usr/local/bin/certbot-auto
+chown -c root /usr/local/bin/certbot-auto
+chmod -c 0755 /usr/local/bin/certbot-auto
+</code>
+Not sure if adding this is useful: ''certbot-auto --install-only''
+=== install in Stretch
+For Debian 9 (Stretch):
+<code>
+[ -f /etc/apt/sources.list.d/stretch-backports.list ] || cat <<'END' > /etc/apt/sources.list.d/stretch-backports.list
+# https://backports.debian.org/Instructions/
+deb http://deb.debian.org/debian stretch-backports main
+END
+apt update
+apt install certbot python-certbot-apache -t stretch-backports
+</code>
+== Get first certificate(s)
+This will aslo create the ''/etc/letsencrypt/'' and ''/var/lib/letsencrypt/'' directories if needed
+Apache can be configured to [[https://httpd.apache.org/docs/2.4/bind.html|listen on specific IPs:ports]] (''Listen IP:port'' in ''/etc/apache2/ports.conf'').
+Or it is possible to use a temporary standalone server started by letsencrypt. The ''--standalone'' option will start it on all IPs. The ''--webroot'' option starts it only on a specific IP.
+=== Get certificate on specific IP
+The ''python3 -m http.server'' command with the ''--bind'' option can only take a single IP. Without the option, it binds to all IPs.
+<code>
+dir=/var/lib/letsencrypt/tmpwww
+ip=1.2.3.4
+name="example.com,www.example.com"
+email=admin.letsencrypt@example.com
+mkdir -p "$dir"
+cd "$dir"
+python3 -m http.server --bind $ip 80 &
+pid=$!
+</code>
+If needed, open firewall on http port 80. Or if scripts exist already, add these hooks to the certbot commands below:
+<code>
+--pre-hook  /etc/letsencrypt/renewal-hooks/pre/fw-certbot-open \
+--post-hook /etc/letsencrypt/renewal-hooks/post/fw-certbot-close
+</code>
+Test with dry-run:
+  certbot-auto certonly --dry-run --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email
+Do it:
+  certbot-auto certonly --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email
+And finally, stop the standalone web server:
+  kill $pid
+Renewals should now work automatically with the cron job and scripts in /etc/letsencrypt/renewal-hooks/
+=== Renewal-hooks
+These will be used automatically on renew if placed in ''/etc/letsencrypt/renewal-hooks/pre'' and ''.../post'' dirs.
+==== /etc/letsencrypt/renewal-hooks/pre
+<file bash fw-certbot-open>#!/bin/bash
+# Open firewall to let certbot renew certificates
+me=$(basename "$0")
+logger -t "$me" "Opening port 80 for certbot"
+iptables -I INPUT -p tcp --dport 80 -j NFLOG --nflog-prefix  "nfl:ok-certbot "
+iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot"
+</file>
+<file bash certbot-webroot-start>#!/bin/bash
+# Create webroot and web server for certbot renewal
+me=$(basename "$0")
+dir=/var/lib/letsencrypt/tmpwww
+ips="1.2.3.4 10.11.12.13" ## <-- IPs to be used for validation
+mkdir -p "$dir"
+cd "$dir"
+declare -a pids
+for ip in $ips; do
+	logger -t "$me" "Starting server on $ip in $dir"
+	nohup python3 -m http.server --bind $ip 80 &>/dev/null &
+	pid=$!
+	pids+=($pid)
+	echo "$pid" > "$dir/certbot-webroot-$$-$pid.pid"
+done
+</file>
+==== /etc/letsencrypt/renewal-hooks/post
+<file bash fw-certbot-open>#!/bin/bash
+# Removing firewall rules created for certbot renew certificates
+me=$(basename "$0")
+logger -t "$me" "Closing port 80 opened for certbot"
+iptables -D INPUT -p tcp --dport 80 -j NFLOG --nflog-prefix  "nfl:ok-certbot "
+iptables -D INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot"
+</file>
+<file bash certbot-webroot-stop>#!/bin/bash
+# Stop webroot web server used for certbot renewal
+me=$(basename "$0")
+dir=/var/lib/letsencrypt/tmpwww
+for f in $dir/certbot-webroot-*.pid; do
+	logger -t "$me" "Stopping server with pid in $f"
+	kill $(< "$f") && rm "$f"
+	# or?: # kill $(ps ax | grep '[p]ython3 -m http.server' | awk '{print $1}')
+done
+</file>
+==== /etc/letsencrypt/renewal-hooks/deploy
+<file bash reload>#!/bin/bash
+# Reloading services to refresh certificates
+me=$(basename "$0")
+logger -t "$me" "Reloading postfix to refresh certificates."
+postfix reload
+(( $? != 0 )) && logger -t "$me" "ERROR with postfix reload."
+logger -t "$me" "Reloading dovecot to refresh certificates."
+doveadm reload
+(( $? != 0 )) && logger -t "$me" "ERROR with doveadm reload."
+logger -t "$me" "Reloading Apache to refresh certificates."
+apachectl -t >/dev/null && apachectl graceful
+(( $? != 0 )) && logger -t "$me" "ERROR with apachectl."
+exit 0
+</file>
+Once [[https://github.com/certbot/certbot/issues/6722|this]] has been fixed, these variables might also be used, eg. for logging:
+  logger -t "$me" "CERTBOT_DOMAIN=$CERTBOT_DOMAIN, CERTBOT_VALIDATION=$CERTBOT_VALIDATION, CERTBOT_TOKEN=$CERTBOT_TOKEN, CERTBOT_AUTH_OUTPUT=$CERTBOT_AUTH_OUTPUT"
+===Other options:
+  certbot-auto renew --cert-name $name --force-renewal
+  --test-cert
+See them all with ''certbot-auto --help all | less''
+See also:
+  * [[https://docs.python.org/3.5/library/http.server.html#http-server-cli]] "By default, server uses the current directory. The option -d/--directory ( new in version 3.7 ) specifies a directory to which it should serve the files. For example, the following command uses a specific directory: ''python -m http.server --directory /tmp/'' "
+  * [[https://github.com/certbot/certbot/issues/255|Standalone configurator: Dealing with existing processes that are listening on some, but not all, interfaces · Issue #255 · certbot/certbot]]
+  * [[https://github.com/certbot/certbot/issues/1515|Bind on a specific interface · Issue #1515 · certbot/certbot]] ( https://github.com/certbot/certbot/issues/1515#issuecomment-193790398 )
+  * [[https://github.com/certbot/certbot/pull/5990|Add support for specifying source_address to ClientNetwork. by signop · Pull Request #5990 · certbot/certbot]]
+  * [[https://github.com/certbot/certbot/issues/3489|Ability to set source IP · Issue #3489 · certbot/certbot]]
+  * [[https://github.com/certbot/certbot/pull/6007|WIP commit of adding a --source-address flag. by signop · Pull Request #6007 · certbot/certbot]]
+== Add host to existing certificate
+View existing cert.
+  certbot certificates
+Copy all hosts in existing cert. into comma-separated list, and add the new host. Then:
+  certbot --expand -d main.example.com,other.example.com,new.example.com
+(Found on [[https://superuser.com/questions/1432541|How to add a domain to existing certificate generated by Let’s Encrypt/Certbot?]])
+== Configs
+<code>
+ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/cert.pem       /etc/ssl/
+ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/fullchain.pem  /etc/ssl/
+ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/privkey.pem    /etc/ssl/private/
+</code>
+=== Postfix main.cf
+<code># postconf -n | grep 'smtpd_tls_.*_file'
+</code>
+  smtpd_tls_key_file  = /etc/ssl/private/privkey.pem
+  smtpd_tls_cert_file = /etc/ssl/fullchain.pem
+=== Proftpd tls.conf
+<code>
+# grep '^\s*TLSRSACertificate' /etc/proftpd/*.conf
+# for example in tls.conf :
+</code>
+  TLSRSACertificateFile		/etc/ssl/fullchain.pem
+  TLSRSACertificateKeyFile	/etc/ssl/private/privkey.pem
+<code>
+# Is this also needed?
+TLSCACertificateFile		/etc/ssl/fullchain.pem
+</code>
+=== Dovecot conf.d/10-ssl.conf
+<code>  # doveconf -nPS | grep '^\s*ssl_'
+  # or to find the file (eg. /etc/dovecot/conf.d/10-ssl.conf)
+  # grep -r '^\s*ssl_' /etc/dovecot
+</code>
+  ssl_cert=</etc/ssl/fullchain.pem
+  ssl_key=</etc/ssl/private/privkey.pem
+=== Postgresql 9.6/main/postgresql.conf
+Postgresql needs to be able to read these files as user "postgres". So they must be copied into it's config. dir. and chown'ed. Best done with a deploy-hook in ''/etc/letsencrypt/renewal-hooks/deploy/'' :
+<file bash 10-certbot-postgresql>
+#!/bin/bash
+## Postgresql needs to be able to read these files as user "postgres".
+## So they must be copied into it's config. dir. and chown'ed.
+verbose=1
+if (( verbose )); then
+	echo "Running $0"
+	v_cp="-v"
+	v_cw="-c"
+fi
+cp $v_cp /etc/letsencrypt/live/m1.almanet.ch/{fullchain,privkey}.pem /etc/postgresql/9.6/main/
+chown $v_cw postgres:postgres /etc/postgresql/9.6/main/*.pem
+# Reload is not enough! Restart is needed.
+# Will not be needed from version 10
+systemctl restart postgresql
+</file>
+<code># psql -U postgres -c "SELECT name, setting, sourcefile, sourceline FROM pg_settings WHERE name LIKE 'ssl_%_file'"
+# or in the file postgresql.conf:
+# grep '^\s*ssl_.*_file' /etc/postgresql/9.6/main/postgresql.conf
+</code>
+  ssl_cert_file = '/etc/postgresql/9.6/main/fullchain.pem'  # (change requires restart)
+  ssl_key_file  = '/etc/postgresql/9.6/main/privkey.pem'    # (change requires restart)
 ===== Use cron instead of systemd timers =====
-  systemctl --all list-timers
+I prefer crontab to the default systemd timers. So to disable the timers and use crontab instead:
-  systemctl stop certbot.timer
+<code bash>
-  systemctl disable certbot.timer
+systemctl --all list-timers
-  systemctl mask certbot.timer
+systemctl stop    certbot.timer
-  m=$(( RANDOM % 59 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 ))
+systemctl disable certbot.timer
-  echo "## Let's Encrypt SSL certificate renewal with certbot" | tee -a /etc/crontab
+systemctl mask    certbot.timer
-  echo "$m $h * * $d root /usr/bin/certbot renew"              | tee -a /etc/crontab
+m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 ))
+echo "## Let's Encrypt SSL cert. renewal, once per week" | tee -a /etc/crontab
+echo "$m $h * * $d root /usr/bin/certbot -q renew"       | tee -a /etc/crontab
+# dom=$(( 1+ RANDOM % 31 )) mon=$(( 1+ RANDOM % 12 ))
+</code>
+{{tag>public linux debian systemd ssl}}

Alma wiki

User Tools

Site Tools

Differences

Page Tools