Letsencrypt / certbot
Notes
- Make sure you have a basic, working Apache environment (apache2ctl configtest passes and Apache restarts cleanly) before running certbot
- TODO: use new stuff from https://www.ullright.org/ullWiki/show/migrate-owncloud-to-nextcloud
- Note: the certbot Apache plugin can only parse config files with ONE vhost definition per file!
- "certbot-auto" does not exist on recent installations with the ppa. Use "certbot" instead. (The ppa:certbot/certbot PPA has since been retired as well; on current Ubuntu releases certbot is installed as a snap, see https://certbot.eff.org/)
Ubuntu 16.04, 18.04
- https://certbot.eff.org/
- apt-get install software-properties-common
- add-apt-repository ppa:certbot/certbot
- apt-get update
- apt-get install certbot plus the Apache plugin from the same PPA (python-certbot-apache on 16.04, python3-certbot-apache on newer builds), otherwise "certbot --apache" fails because the plugin is not found
- certbot --apache
- Test at https://www.ssllabs.com/ssltest/
Apache only ssl
- vi /etc/apache2/ports.conf and comment out "Listen 80"
- Deactivate all sites except 000-default-le-ssl.conf (a2dissite for the others), then vi /etc/apache2/sites-available/000-default-le-ssl.conf
- Caveat: with port 80 closed the HTTP-01 challenge no longer works, because Let's Encrypt always starts validation on port 80 and only follows redirects from there. Either renew with the DNS challenge (see below) or keep port 80 open with a redirect to https.
List certificates
- certbot certificates
Delete certificate
- certbot delete
- Choose your certificate from the list and enter the number
Troubleshooting
- openssl s_client -showcerts -servername server.example.com -connect server.example.com:443 </dev/null (the -servername sends SNI, without it a multi-vhost server may answer with the wrong certificate)
- https://www.ssllabs.com/ssltest/analyze.html
Ubuntu 18.04 DNS Challenge
With --manual the DNS challenge is quite cumbersome: Let's Encrypt certificates are valid for 90 days, so you have to repeat the whole process every 3 months, and "certbot renew" cannot do it unattended unless a --manual-auth-hook creates the TXT record for you.
TODO: check out automatic update via dynamic DNS
- Configure a quick DNS zone update so the TXT record propagates fast (example for Hetzner, 15 min TTL/refresh). Bump the serial on every change, otherwise the secondaries never pull the new zone:
  $TTL 900
  @ IN SOA ns1.first-ns.de. postmaster.robot.first-ns.de. (
      2019082401 ; serial
      900        ; refresh
      600        ; retry
      604800     ; expire
      900 )      ; minimum
- Install certbot
  add-apt-repository ppa:certbot/certbot
  apt update
  apt install certbot
- certbot -d myhost.example.com --manual --preferred-challenges dns certonly
- Create the DNS entry. In a zone file the name is relative to the zone origin, so remove the domain (example.com) from the name!!! A full name without a trailing dot would end up as _acme-challenge.myhost.example.com.example.com.
  _acme-challenge.myhost IN TXT "asdf42asdf42asdf42asdf42asdf42asdf42"
- Give this record a short TTL too; the token is different on every run.
- Test if the entry is already visible (in another terminal) before letting certbot continue
- dig -t txt _acme-challenge.myhost.example.com
- If your local nameserver is slow to pick up the change, ask a public resolver directly instead of rewriting /etc/resolv.conf (on 18.04 that file belongs to systemd-resolved and is regenerated): dig @8.8.8.8 -t txt _acme-challenge.myhost.example.com
- Alternatively flush the local cache: systemd-resolve --flush-caches
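The two manual steps above (derive the zone-relative record name, then check with dig until the TXT record is visible) as an added shell helper. This is not from the original notes or from certbot; it assumes the zone example.com (ZONE) and, when run as a certbot --manual-auth-hook, the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot exports to such hooks. The token and host names are constructed examples.

```shell
#!/bin/sh
# Added example, not code from the original page or from certbot.
# Derives the zone-relative _acme-challenge name (the pitfall above: in a zone
# file the zone must be dropped from the name) and polls a public resolver
# until the TXT record is served.
# Assumed: ZONE is the zone you edit (default example.com); as a certbot
# --manual-auth-hook the script sees CERTBOT_DOMAIN and CERTBOT_VALIDATION.

ZONE="${ZONE:-example.com}"

# Zone-relative owner name for the challenge record.
#   myhost.example.com -> _acme-challenge.myhost
#   example.com        -> _acme-challenge
# Names outside the zone fail, so a wrong ZONE cannot silently produce a
# record in the wrong place.
acme_relative_name() {
    domain="$1"; zone="$2"
    case "$domain" in
        "$zone")   printf '_acme-challenge\n' ;;
        *."$zone") printf '_acme-challenge.%s\n' "${domain%.$zone}" ;;
        *)         echo "$domain is not inside zone $zone" >&2; return 1 ;;
    esac
}

# The zone-file line to paste into the DNS editor: <name> IN TXT "<token>".
acme_txt_record() {
    name=$(acme_relative_name "$1" "$3") || return 1
    printf '%s IN TXT "%s"\n' "$name" "$2"
}

# Poll until the token is served for the fully qualified name (needs network;
# same dig query as in the notes above). Returns 1 after the timeout so a hook
# does not let certbot proceed to a validation that is bound to fail.
wait_for_txt() {
    fqdn="_acme-challenge.$1"; token="$2"; resolver="${3:-8.8.8.8}"
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short @"$resolver" -t txt "$fqdn" | grep -qF "\"$token\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 10
    done
    echo "TXT record for $fqdn not visible via $resolver after 5 minutes" >&2
    return 1
}

# When invoked by certbot as an auth hook: print the record to create, then
# wait for it. To automate fully, replace the printf in acme_txt_record with a
# call to the DNS provider's API (hypothetical step, not shown here).
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    acme_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$ZONE" || exit 1
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

Run it in the second terminal as "ZONE=example.com sh acme-dns-helper.sh" with the variables exported by hand, or pass it to certbot with --manual-auth-hook; until the record creation itself is scripted it only removes the two error-prone steps (wrong record name, continuing before the record is visible).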
Ubuntu 14.04
Installation (with certbot-auto, which EFF has since deprecated and removed; this only applies to old 14.04 hosts)
- Make sure the Apache configs are ok and an Apache restart works without problems
- cd /usr/local/bin
- wget https://dl.eff.org/certbot-auto
- chmod a+x certbot-auto
- certbot-auto
- vi /etc/crontab
  # Renew letsencrypt https certificates
  33 11,22 * * * root certbot-auto renew --quiet --no-self-upgrade
Manual Certificates
- certbot-auto certonly --apache --domains www.example.com
- -> at vhost selection type "c" to cancel
- vi /etc/apache2/sites-available/example.com
  <IfModule mod_ssl.c>
  <VirtualHost *:443>
      ...
      SSLEngine on
      SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
      Include /etc/letsencrypt/options-ssl-apache.conf
      SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
  </VirtualHost>
  </IfModule>
  # Alternative names and force ssl redirect (needs mod_rewrite: a2enmod rewrite)
  <VirtualHost *:80>
      ServerName www.example.com
      ServerAlias example.com
      RewriteEngine on
      RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,QSA,R=permanent]
  </VirtualHost>
- SSLCertificateChainFile is what Apache 2.4.7 on 14.04 needs. From Apache 2.4.8 on it is deprecated: point SSLCertificateFile at fullchain.pem instead and drop the chain line.
- apache2ctl configtest
- apache2ctl restart
Move / Merge certificates
- rsync -av --keep-dirlinks /mnt/etc/letsencrypt/archive/ /etc/letsencrypt/archive/
- rsync -av --keep-dirlinks /mnt/etc/letsencrypt/live/ /etc/letsencrypt/live/
- rsync -av --keep-dirlinks /mnt/etc/letsencrypt/renewal/ /etc/letsencrypt/renewal/
- Copy accounts/ the same way: every renewal/*.conf references an account id under [renewalparams], and "certbot renew" fails if that account key is missing. Keep the target at /etc/letsencrypt, the renewal configs contain absolute paths; the live/ entries are relative symlinks into archive/, which -a preserves.
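A check to run on the merged tree before the first "certbot renew" on the new host, as an added shell example (not from the original notes or from certbot). It assumes certbot's usual layout: renewal/<name>.conf lists absolute paths under live/<name>/, those are symlinks into archive/<name>/, and the "account = <id>" entry must exist as a directory somewhere below accounts/. The root directory is a parameter, so a tree still sitting under /mnt can be checked in place; the test tree below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from certbot: sanity-check
# a moved/merged letsencrypt tree. Assumed layout (certbot's default):
#   renewal/<name>.conf  -> cert/privkey/chain/fullchain = /etc/letsencrypt/live/<name>/*.pem
#   live/<name>/*.pem    -> relative symlinks into archive/<name>/
#   [renewalparams] account = <id>  -> directory accounts/<server>/directory/<id>

# First "key = value" entry with the given key from a renewal conf.
renewal_value() {
    sed -n "s/^$2 *= *//p" "$1" | head -n 1
}

# Check one renewal conf against the tree rooted at $2; prints every problem.
check_renewal_conf() {
    conf="$1"; root="$2"; conf_rc=0
    for key in cert privkey chain fullchain; do
        path=$(renewal_value "$conf" "$key")
        # confs store absolute /etc/letsencrypt/... paths; re-root under $root
        rel="${path#/etc/letsencrypt/}"
        if [ -z "$path" ]; then
            echo "$conf: missing $key entry"; conf_rc=1
        elif [ ! -L "$root/$rel" ]; then
            echo "$conf: $key $path is not a symlink into archive/"; conf_rc=1
        elif [ ! -e "$root/$rel" ]; then
            echo "$conf: $key $path dangles (archive/ not copied?)"; conf_rc=1
        fi
    done
    account=$(renewal_value "$conf" account)
    if [ -z "$account" ]; then
        echo "$conf: no account id"; conf_rc=1
    elif [ -z "$(find "$root/accounts" -type d -name "$account" 2>/dev/null)" ]; then
        echo "$conf: account $account missing (rsync accounts/ as well)"; conf_rc=1
    fi
    return $conf_rc
}

# Check every renewal conf below $1 (default /etc/letsencrypt); 0 only if all pass.
check_letsencrypt_tree() {
    tree_root="${1:-/etc/letsencrypt}"; tree_rc=0
    for tree_conf in "$tree_root"/renewal/*.conf; do
        [ -e "$tree_conf" ] || { echo "no renewal configs under $tree_root"; return 1; }
        check_renewal_conf "$tree_conf" "$tree_root" || tree_rc=1
    done
    return $tree_rc
}

# Usage: sh check-le-tree.sh /etc/letsencrypt   (or /mnt/etc/letsencrypt)
case "${1:-}" in
    "") ;;                              # no argument: only define the functions
    *)  check_letsencrypt_tree "$1" ;;
esac
```

A clean run prints nothing and exits 0; anything printed is a file that "certbot renew" would trip over, and the exit status makes it usable from the same cron job that does the renewal.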
Upgrade from Ubuntu 12.04 to 14.04
- Error:
  Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
  Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
      from certbot.main import main
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 11, in <module>
      from acme import jose
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
      from acme.jose.interfaces import JSONDeSerializable
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
      from acme.jose import util
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
      import OpenSSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
      from OpenSSL import rand, crypto, SSL
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1, in <module>
      import datetime
  ImportError: No module named datetime
- mv /opt/eff.org/certbot /opt/eff.org/certbot.old (the virtualenv was built against the 12.04 Python and no longer imports)
- certbot-auto (rebuilds its virtualenv under /opt/eff.org/certbot for the new Python)