certbot

Install in Jessie

For Debian 8 (Jessie):

apt remove certbot
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown -c root /usr/local/bin/certbot-auto
chmod -c 0755 /usr/local/bin/certbot-auto

Not sure if adding this is useful: certbot-auto --install-only

Install in Stretch

For Debian 9 (Stretch):

[ -f /etc/apt/sources.list.d/stretch-backports.list ] || cat <<'END' > /etc/apt/sources.list.d/stretch-backports.list
# https://backports.debian.org/Instructions/
deb http://deb.debian.org/debian stretch-backports main
END

apt update
apt install certbot python-certbot-apache -t stretch-backports

Get first certificate(s)

This will also create the /etc/letsencrypt/ and /var/lib/letsencrypt/ directories if needed.

On a separate IP address

If a web server is running, but the certificate should be delivered for another IP/name on that host:

dir=/var/lib/letsencrypt/tmpwww
ip=a.b.c.d ## <-- IP to be used for validation
name=ftp.example.com
email=letsencrypt@example.com

mkdir -p "$dir"
cd "$dir"
# temporary web server, bound to the validation IP only; stopped again once certbot is done
python3 -m http.server --bind "$ip" 80 &
pid=$!
certbot-auto certonly --test-cert --webroot --webroot-path "$dir" -d "$name" -n --agree-tos -m "$email"
kill "$pid"

If needed, add firewall scripts to open/close ports:

--pre-hook  /etc/letsencrypt/renewal-hooks/pre/fw-certbot-open \
--post-hook /etc/letsencrypt/renewal-hooks/post/fw-certbot-close

After testing, to replace the staging (--test-cert) certificate with a real one:

certbot-auto renew --cert-name $name --force-renewal --server https://acme-v02.api.letsencrypt.org/directory
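Serving the whole "$dir" with python3 -m http.server exposes every file placed there for as long as port 80 is open. The following responder is an added example (not from this page): it binds to the validation IP like the one-liner above, but answers only GET requests for /.well-known/acme-challenge/<token> and rejects any other path, including traversal attempts. The file name acme_responder.py is hypothetical; it uses only the Python 3 standard library.

```python
"""Minimal HTTP-01 challenge responder bound to a single address.

Added example, not from the wiki page. Run it in place of
`python3 -m http.server --bind "$ip" 80`, e.g.
    python3 acme_responder.py "$ip" "$dir" &
and kill it after certbot has finished.
"""
import os
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding: letters, digits, '-' and '_'.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_token(path):
    """Return the token if `path` is a well-formed challenge URL, else None.

    Anything outside the prefix, or a token that is not a plain base64url
    string ('..', '/', '%', an empty name) is rejected before the file
    system is touched.
    """
    path = path.split("?", 1)[0]
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return None
    return token


def read_challenge(webroot, token):
    """Read the key-authorization file certbot wrote for `token`, or None."""
    fname = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(fname, "rb") as f:
            return f.read()
    except OSError:
        return None


class ChallengeHandler(BaseHTTPRequestHandler):
    webroot = "."  # overwritten by serve()

    def do_GET(self):
        token = challenge_token(self.path)
        body = read_challenge(self.webroot, token) if token else None
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the peer address in the log so validation attempts stay visible.
        sys.stderr.write("%s - %s\n" % (self.client_address[0], fmt % args))


def serve(bind_ip, webroot, port=80):
    """Serve challenges on bind_ip:port until interrupted (root is needed for port 80)."""
    ChallengeHandler.webroot = webroot
    httpd = HTTPServer((bind_ip, port), ChallengeHandler)
    try:
        httpd.serve_forever()
    finally:
        httpd.server_close()


if __name__ == "__main__":
    # usage: acme_responder.py <ip> <webroot> [port]
    serve(sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 80)
```

The directory layout matches what certbot --webroot writes ($dir/.well-known/acme-challenge/<token>), so the certonly command above works unchanged; only the temporary server differs.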

See also:

Configs

ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/cert.pem       /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/fullchain.pem  /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/privkey.pem    /etc/ssl/private/

Postfix main.cf

# postconf -n | grep 'smtpd_tls_.*_file'
smtpd_tls_key_file  = /etc/ssl/private/privkey.pem
smtpd_tls_cert_file = /etc/ssl/fullchain.pem

Proftpd tls.conf

# grep '^\s*TLSRSACertificate' /etc/proftpd/*.conf
# for example in tls.conf :
TLSRSACertificateFile		/etc/ssl/fullchain.pem
TLSRSACertificateKeyFile	/etc/ssl/private/privkey.pem
# Is this also needed?
TLSCACertificateFile		/etc/ssl/fullchain.pem

Dovecot conf.d/10-ssl.conf

# doveconf -nPS | grep '^\s*ssl_'
# or to find the file (eg. /etc/dovecot/conf.d/10-ssl.conf)
# grep -r '^\s*ssl_' /etc/dovecot
ssl_cert=</etc/ssl/fullchain.pem
ssl_key=</etc/ssl/private/privkey.pem

Postgresql 9.6/main/postgresql.conf

PostgreSQL needs to be able to read these files as the user "postgres", so they must be copied into its config directory and chown'ed. This is best done with a deploy hook in /etc/letsencrypt/renewal-hooks/deploy/ :

10-certbot-postgresql

#!/bin/bash
# abort on the first failing command, so a failed copy never leads to a chown of stale files
set -e

verbose=1

if (( verbose )); then
    echo "Running $0"
    v_cp="-v"
    v_cw="-c"
fi

pgdir=/etc/postgresql/9.6/main
cp $v_cp /etc/letsencrypt/live/m1.almanet.ch/{fullchain,privkey}.pem "$pgdir/"
chown $v_cw postgres:postgres "$pgdir"/*.pem
# PostgreSQL refuses a key file that is group- or world-readable when it is owned by the server user
chmod $v_cw 0600 "$pgdir/privkey.pem"

postgresql.conf

# psql -U postgres -c "SELECT name, setting, sourcefile, sourceline FROM pg_settings WHERE name LIKE 'ssl_%_file'"
# or in the file postgresql.conf:
# grep '^\s*ssl_.*_file' /etc/postgresql/9.6/main/postgresql.conf
ssl_cert_file = '/etc/postgresql/9.6/main/fullchain.pem'  # (change requires restart)
ssl_key_file  = '/etc/postgresql/9.6/main/privkey.pem'    # (change requires restart)

Use cron instead of systemd timers

systemctl --all list-timers
 
systemctl stop    certbot.timer
systemctl disable certbot.timer
systemctl mask    certbot.timer
 
m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 ))
echo "## Let's Encrypt SSL certificate renewal with certbot" | tee -a /etc/crontab
echo "$m $h * * $d root /usr/bin/certbot -q renew"           | tee -a /etc/crontab
 
# dom=$(( 1+ RANDOM % 31 )) mon=$(( 1+ RANDOM % 12 ))
Last modified: 2019-10-15 20:15:26 by mi