Alma wiki

User Tools

Site Tools

Trace: certbot
certbot

This is an old revision of the document!

Table of Contents

certbot

Install in Stretch

For Debian 9 (Stretch): 

[ -f /etc/apt/sources.list.d/stretch-backports.list ] || cat <<'END' > /etc/apt/sources.list.d/stretch-backports.list
# https://backports.debian.org/Instructions/
deb http://deb.debian.org/debian stretch-backports main
END

apt update
apt install certbot python-certbot-apache -t stretch-backports

Configs

ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/cert.pem       /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/fullchain.pem  /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/privkey.pem    /etc/ssl/private/

Postfix main.cf

  1. postconf -n | grep 'smtpd_tls_.*_file'
smtpd_tls_key_file  = /etc/ssl/private/privkey.pem
smtpd_tls_cert_file = /etc/ssl/fullchain.pem

Proftpd tls.conf

  1. grep '^\s*TLSRSACertificate' /etc/proftpd/*.conf
  2. for example in tls.conf :
TLSRSACertificateFile		/etc/ssl/fullchain.pem
TLSRSACertificateKeyFile	/etc/ssl/private/privkey.pem
  1. Is this also needed?

TLSCACertificateFile /etc/ssl/fullchain.pem

Dovecot conf.d/10-ssl.conf

  1. doveconf -nPS | grep '^\s*ssl_'
  2. or to find the file (eg. /etc/dovecot/conf.d/10-ssl.conf)
  3. grep -r '^\s*ssl_' /etc/dovecot
ssl_cert=</etc/ssl/fullchain.pem
ssl_key=</etc/ssl/private/privkey.pem

Postgresql 9.6/main/postgresql.conf

Postgresql needs to be able to read these files as user "postgres". So they must be copied into it's config. dir. and chown'ed. Best done with a deploy-hook in /etc/letsencrypt/renewal-hooks/deploy/.

  1. psql -U postgres -c "SELECT name, setting, sourcefile, sourceline FROM pg_settings WHERE name LIKE 'ssl_%_file'"
  2. or in the file postgresql.conf:
  3. grep '^\s*ssl_.*_file' /etc/postgresql/9.6/main/postgresql.conf 
ssl_cert_file = '/etc/postgresql/9.6/main/fullchain.pem'  # (change requires restart)
ssl_key_file  = '/etc/postgresql/9.6/main/privkey.pem'    # (change requires restart)

Use cron instead of systemd timers

systemctl --all list-timers
 
systemctl stop    certbot.timer
systemctl disable certbot.timer
systemctl mask    certbot.timer
 
m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 ))
echo "## Let's Encrypt SSL certificate renewal with certbot" | tee -a /etc/crontab
echo "$m $h * * $d root /usr/bin/certbot -q renew"           | tee -a /etc/crontab
 
# dom=$(( 1+ RANDOM % 31 )) mon=$(( 1+ RANDOM % 12 ))
, , , ,
/docs/dokuwiki/data/attic/certbot.1569849295.txt.gz · Last modified: 2019-09-30 15:14:55 by mi

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki