Let's encrypt or Certbot

How exactly it works.

There are two modes. The first is very simple but hard to maintain, and it sometimes leaves the web server (apache/nginx/…) stopped and never started again. The second is more involved, but it is the one you want.

First method

works like this: stop the webserver, run certbot (it listens on :80 to prove you own the website), start the webserver. The trap is obvious: if you automate this in a cron script and certbot hangs, the webserver is never started again. Here is the one-line command

First run

 certbot certonly -d www.mydomain.cz --pre-hook="service nginx stop" --post-hook="service nginx start"

Renew

 certbot renew --pre-hook="service nginx stop" --post-hook="service nginx start"

Second method

1. You create some dir /var/www/I/like/it/here

2. Add to your website or many websites an exception

Nginx

  location /.well-known {
      root /var/www/I/like/it/here/;
  }

Be careful: with root, nginx appends the location path itself, so a request for /.well-known/… is served from /var/www/I/like/it/here/.well-known/….

Apache2:

  Alias "/.well-known" /var/www/letsencrypt/.well-known

  <Directory "/var/www/letsencrypt">
      AllowOverride None
      Options MultiViews
  </Directory>

3. Call certbot with the webroot parameter

   certbot certonly --webroot  -d novyweb.starlab.cz -w /var/www/letsencrypt/

Here is the HTTP GET request the Let's Encrypt validation server sends:

GET /.well-known/acme-challenge/Rrc-EMcYmhRM7ETvn8Hs8TcAh9FgHiUAxfkoHEjX7Kc HTTP/1.1
Host: novyweb.starlab.cz
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close

4. And renewal is easy, always the same

  certbot renew --webroot -w /var/www/I/like/it/here
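A pre-renewal check for the webroot method, added here as example code (not part of certbot or of this page's original text): it does what the validation server does, dropping a random token into the webroot's .well-known/acme-challenge/ directory, fetching it over HTTP and comparing the body, so a broken root/alias/ProxyPass mapping is caught before certbot renew fails. The domain example.cz and the nginx-style root/alias stand-in used for the offline demo are constructed assumptions.

```python
"""Pre-renewal check for the webroot (HTTP-01) method described above."""
import secrets
import tempfile
import urllib.request
from pathlib import Path

CHALLENGE = ".well-known/acme-challenge"

def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Plain GET on port 80, like the Let's Encrypt validation server."""
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def check_webroot(domain: str, webroot: str, fetch=http_fetch) -> bool:
    """Drop a throw-away token into <webroot>/.well-known/acme-challenge/,
    fetch it through the web server and confirm the body comes back intact.
    `fetch` is injectable so the logic can be exercised offline."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32).encode()
    token_dir = Path(webroot) / CHALLENGE
    token_dir.mkdir(parents=True, exist_ok=True)
    token_file = token_dir / token
    token_file.write_bytes(body)
    try:
        served = fetch(f"http://{domain}/{CHALLENGE}/{token}")
    except Exception:                 # 404, connection refused, wrong path ...
        served = None
    finally:
        token_file.unlink(missing_ok=True)   # never leave tokens behind
    return served == body

def nginx_like_fetch(webroot: str, directive: str):
    """Constructed stand-in for the server: maps the URI to disk the way nginx
    `root` (URI appended whole) or `alias` (location prefix stripped) would."""
    def fetch(url: str) -> bytes:
        uri = url.split("/", 3)[3]               # drop scheme and host
        if directive == "alias":
            uri = uri[len(".well-known/"):]
        return (Path(webroot) / uri).read_bytes()
    return fetch

def demo() -> tuple:
    """Same directory, two mappings: `root` serves the token, `alias` looks
    in <webroot>/acme-challenge/ instead and the check fails."""
    with tempfile.TemporaryDirectory() as d:
        return (check_webroot("example.cz", d, nginx_like_fetch(d, "root")),
                check_webroot("example.cz", d, nginx_like_fetch(d, "alias")))

if __name__ == "__main__":
    print(demo())      # (True, False) for the offline demo
```

Against a real host, call check_webroot("www.mydomain.cz", "/var/www/I/like/it/here") with the default fetch; a False result means the server does not serve the directory certbot writes to.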

DNS auth

  /usr/src/certbot-auto certonly --manual --preferred-challenges=dns --email firma@example.cz -d example.com -d *.example.com

Be careful with wsgi proxy

Proxy rules are matched first, before aliases, so you have to create an exception for .well-known. Showing just the apache2 config line

   ProxyPass /.well-known !

Nice source

linux/certbot/deep.txt · Last modified: 2020/03/27 12:46 by admin