certbot
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
certbot [2020-01-02 14:41:47] mi |
certbot [2022-12-13 12:26:37] (current) mi [Use cron instead of systemd timers] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| = certbot | = certbot | ||
| - | == Install in Jessie | + | == Install |
| + | |||
| + | === install in Jessie | ||
| For Debian 8 (Jessie): | For Debian 8 (Jessie): | ||
| Line 14: | Line 16: | ||
| Not sure if adding this is useful: ''certbot-auto --install-only'' | Not sure if adding this is useful: ''certbot-auto --install-only'' | ||
| - | == Install in Stretch | + | === install in Stretch |
| For Debian 9 (Stretch): | For Debian 9 (Stretch): | ||
| Line 35: | Line 37: | ||
| Or it is possible to use a temporary standalone server started by letsencrypt. The ''--standalone'' option will start it on all IPs. The ''--webroot'' option starts it only on a specific IP. | Or it is possible to use a temporary standalone server started by letsencrypt. The ''--standalone'' option will start it on all IPs. The ''--webroot'' option starts it only on a specific IP. | ||
| - | === Get certificate on specific IP(s)On a separate IP address | + | === Get certificate on specific IP |
| - | Create hooks in ''/etc/letsencrypt/renewal-hooks/pre'' and ''.../post'' dirs. | + | The ''python3 -m http.server'' command with the ''--bind'' option can only take a single IP. Without the option, it binds to all IPs. |
| + | |||
| + | <code> | ||
| + | dir=/var/lib/letsencrypt/tmpwww | ||
| + | ip=1.2.3.4 | ||
| + | name="example.com,www.example.com" | ||
| + | email=admin.letsencrypt@example.com | ||
| + | |||
| + | mkdir -p "$dir" | ||
| + | cd "$dir" | ||
| + | python3 -m http.server --bind $ip 80 & | ||
| + | pid=$! | ||
| + | </code> | ||
| + | |||
| + | If needed, open firewall on http port 80. Or if scripts exist already, add these hooks to the certbot commands below: | ||
| + | |||
| + | <code> | ||
| + | --pre-hook /etc/letsencrypt/renewal-hooks/pre/fw-certbot-open \ | ||
| + | --post-hook /etc/letsencrypt/renewal-hooks/post/fw-certbot-close | ||
| + | </code> | ||
| + | |||
| + | Test with dry-run: | ||
| + | |||
| + | certbot-auto certonly --dry-run --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email | ||
| + | |||
| + | Do it: | ||
| + | |||
| + | certbot-auto certonly --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email | ||
| + | |||
| + | And finally, stop the standalone web server: | ||
| + | |||
| + | kill $pid | ||
| + | |||
| + | Renewals should now work automatically with the cron job and scripts in /etc/letsencrypt/renewal-hooks/ | ||
| + | |||
| + | === Renewal-hooks | ||
| + | |||
| + | These will be used automatically on renew if placed in ''/etc/letsencrypt/renewal-hooks/pre'' and ''.../post'' dirs. | ||
| + | |||
| + | ==== /etc/letsencrypt/renewal-hooks/pre | ||
| + | |||
| + | <file bash fw-certbot-open>#!/bin/bash | ||
| + | |||
| + | # Open firewall to let certbot renew certificates | ||
| + | |||
| + | me=$(basename "$0") | ||
| + | |||
| + | logger -t "$me" "Opening port 80 for certbot" | ||
| + | |||
| + | iptables -I INPUT -p tcp --dport 80 -j NFLOG --nflog-prefix "nfl:ok-certbot " | ||
| + | iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot" | ||
| + | </file> | ||
| <file bash certbot-webroot-start>#!/bin/bash | <file bash certbot-webroot-start>#!/bin/bash | ||
| Line 62: | Line 115: | ||
| done | done | ||
| + | </file> | ||
| + | |||
| + | ==== /etc/letsencrypt/renewal-hooks/post | ||
| + | |||
| + | <file bash fw-certbot-open>#!/bin/bash | ||
| + | |||
| + | # Removing firewall rules created for certbot renew certificates | ||
| + | |||
| + | me=$(basename "$0") | ||
| + | |||
| + | logger -t "$me" "Closing port 80 opened for certbot" | ||
| + | |||
| + | iptables -D INPUT -p tcp --dport 80 -j NFLOG --nflog-prefix "nfl:ok-certbot " | ||
| + | iptables -D INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot" | ||
| </file> | </file> | ||
| Line 75: | Line 142: | ||
| logger -t "$me" "Stopping server with pid in $f" | logger -t "$me" "Stopping server with pid in $f" | ||
| kill $(< "$f") && rm "$f" | kill $(< "$f") && rm "$f" | ||
| + | # or?: # kill $(ps ax | grep '[p]ython3 -m http.server' | awk '{print $1}') | ||
| done | done | ||
| </file> | </file> | ||
| + | ==== /etc/letsencrypt/renewal-hooks/deploy | ||
| - | certbot-auto certonly --test-cert --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email | + | <file bash reload>#!/bin/bash |
| - | If needed, add firewall scripts to open/close ports: | + | # Reloading services to refresh certificates |
| - | <code> | + | me=$(basename "$0") |
| - | --pre-hook /etc/letsencrypt/renewal-hooks/pre/fw-certbot-open \ | + | |
| - | --post-hook /etc/letsencrypt/renewal-hooks/post/fw-certbot-close | + | logger -t "$me" "Reloading postfix to refresh certificates." |
| - | </code> | + | postfix reload |
| + | (( $? != 0 )) && logger -t "$me" "ERROR with postfix reload." | ||
| + | |||
| + | logger -t "$me" "Reloading dovecot to refresh certificates." | ||
| + | doveadm reload | ||
| + | (( $? != 0 )) && logger -t "$me" "ERROR with doveadm reload." | ||
| + | |||
| + | logger -t "$me" "Reloading Apache to refresh certificates." | ||
| + | apachectl -t >/dev/null && apachectl graceful | ||
| + | (( $? != 0 )) && logger -t "$me" "ERROR with apachectl." | ||
| + | |||
| + | exit 0 | ||
| + | </file> | ||
| + | Once [[https://github.com/certbot/certbot/issues/6722|this]] has been fixed, these variables might also be used, eg. for logging: | ||
| + | |||
| + | logger -t "$me" "CERTBOT_DOMAIN=$CERTBOT_DOMAIN, CERTBOT_VALIDATION=$CERTBOT_VALIDATION, CERTBOT_TOKEN=$CERTBOT_TOKEN, CERTBOT_AUTH_OUTPUT=$CERTBOT_AUTH_OUTPUT" | ||
| + | |||
| + | |||
| + | ===Other options: | ||
| + | |||
| + | certbot-auto renew --cert-name $name --force-renewal | ||
| - | After testing, to replace certificate with a real one: | + | --test-cert |
| - | certbot-auto renew --cert-name $name --force-renewal --server https://acme-v02.api.letsencrypt.org/directory | + | See them all with ''certbot-auto --help all | less'' |
| See also: | See also: | ||
| + | * [[https://docs.python.org/3.5/library/http.server.html#http-server-cli]] "By default, server uses the current directory. The option -d/--directory ( new in version 3.7 ) specifies a directory to which it should serve the files. For example, the following command uses a specific directory: ''python -m http.server --directory /tmp/'' " | ||
| * [[https://github.com/certbot/certbot/issues/255|Standalone configurator: Dealing with existing processes that are listening on some, but not all, interfaces · Issue #255 · certbot/certbot]] | * [[https://github.com/certbot/certbot/issues/255|Standalone configurator: Dealing with existing processes that are listening on some, but not all, interfaces · Issue #255 · certbot/certbot]] | ||
| * [[https://github.com/certbot/certbot/issues/1515|Bind on a specific interface · Issue #1515 · certbot/certbot]] ( https://github.com/certbot/certbot/issues/1515#issuecomment-193790398 ) | * [[https://github.com/certbot/certbot/issues/1515|Bind on a specific interface · Issue #1515 · certbot/certbot]] ( https://github.com/certbot/certbot/issues/1515#issuecomment-193790398 ) | ||
| Line 99: | Line 189: | ||
| * [[https://github.com/certbot/certbot/issues/3489|Ability to set source IP · Issue #3489 · certbot/certbot]] | * [[https://github.com/certbot/certbot/issues/3489|Ability to set source IP · Issue #3489 · certbot/certbot]] | ||
| * [[https://github.com/certbot/certbot/pull/6007|WIP commit of adding a --source-address flag. by signop · Pull Request #6007 · certbot/certbot]] | * [[https://github.com/certbot/certbot/pull/6007|WIP commit of adding a --source-address flag. by signop · Pull Request #6007 · certbot/certbot]] | ||
| + | |||
| + | == Add host to existing certificate | ||
| + | |||
| + | View existing cert. | ||
| + | |||
| + | certbot certificates | ||
| + | |||
| + | Copy all hosts in existing cert. into comma-separated list, and add the new host. Then: | ||
| + | |||
| + | certbot --expand -d main.example.com,other.example.com,new.example.com | ||
| + | |||
| + | (Found on [[https://superuser.com/questions/1432541|How to add a domain to existing certificate generated by Let’s Encrypt/Certbot?]]) | ||
| == Configs | == Configs | ||
| Line 178: | Line 280: | ||
| ===== Use cron instead of systemd timers ===== | ===== Use cron instead of systemd timers ===== | ||
| + | |||
| + | I prefer crontab to the default systemd timers. So to disable the timers and use crontab instead: | ||
| <code bash> | <code bash> | ||
| Line 187: | Line 291: | ||
| m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 )) | m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 )) | ||
| - | echo "## Let's Encrypt SSL certificate renewal with certbot" | tee -a /etc/crontab | + | echo "## Let's Encrypt SSL cert. renewal, once per week" | tee -a /etc/crontab |
| - | echo "$m $h * * $d root /usr/bin/certbot -q renew" | tee -a /etc/crontab | + | echo "$m $h * * $d root /usr/bin/certbot -q renew" | tee -a /etc/crontab |
| - | # or | + | |
| - | echo "$m $h * * $d root certbot-auto -q renew" | tee -a /etc/crontab | + | |
| # dom=$(( 1+ RANDOM % 31 )) mon=$(( 1+ RANDOM % 12 )) | # dom=$(( 1+ RANDOM % 31 )) mon=$(( 1+ RANDOM % 12 )) | ||
/docs/dokuwiki/data/attic/certbot.1577972507.txt.gz · Last modified: 2020-01-02 14:41:47 by mi
Page Tools
