Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- let_s_encrypt [2024-07-27 21:39:49] – [Manuell] david
+++ let_s_encrypt [2024-07-27 22:24:26] (aktuell) – gelöscht david
@@ Zeile 1: / Zeile 1: @@
-====== Let's Encrypt (Certbot)  ======
-  * [[https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx]]
-  * [[https://certbot.eff.org/docs/install.html]]
-===== Installation =====
-==== Ubuntu ====
-mit snapd installieren
-==== FreeBSD ====
-Paketnamen:
-  security/py-certbot
-  security/py-certbot-dns-cloudflare
-<file bash>
-Installing py37-certbot-1.14.0,1...
-This port installs the "standalone" client only, which does not use and
-is not the certbot-auto bootstrap/wrapper script.
-The simplest form of usage to obtain certificates is:
- # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>
-NOTE:
-The client requires the ability to bind on TCP port 80 or 443 (depending
-on the --preferred-challenges option used). If a server is running on that
-port, it will need to be temporarily stopped so that the standalone server
-can listen on that port to complete the challenge authentication process.
-For more information on the 'standalone' mode, see:
-  https://certbot.eff.org/docs/using.html#standalone
-The certbot plugins to support apache and nginx certificate installation
-will be made available in the following ports:
- * Apache plugin: security/py-certbot-apache
- * Nginx plugin: security/py-certbot-nginx
-In order to automatically renew the certificates, add this line to
-/etc/periodic.conf:
-    weekly_certbot_enable="YES"
-More config details in the certbot periodic script:
-    /usr/local/etc/periodic/weekly/500.certbot-3.7
-</file>
-===== Konfiguration =====
-  * https://certbot.eff.org/docs/using.html
-Cloudflare API Token einsetzen:
-<code properties /etc/letsencrypt/cloudflare.ini>
-# Cloudflare API token used by Certbot
-dns_cloudflare_api_token = API-TOKEN
-</code>
-===== Certbot mit Cloudflare-Plugin =====
-==== Zertifikat erstellen ====
-=== Optionen ===
-  * Mit ''%%--cert-name%%'' kann man einen anderen Namen vergeben und somit ECDSA und RSA parallel betreiben
-  * Möglichkeiten für ''%%--key-type%%'': ''ecdsa'' oder ''rsa''
-  * Möglichkeiten für ''%%--elliptic-curve%%'': ''secp384r1'' oder ''secp256r1'' (''secp521r1'' wird so gut wie gar nicht unterstützt)
-=== Script ===
-<code bash /usr/local/sbin/certbot-create.sh>
-#!/usr/bin/env bash
-if test -z "${DOMAIN}" || test -z "${EMAIL}"
-then
-    printf '\nPlease specify domain and email like this before running the script:\nDOMAIN="example.com" EMAIL="letsencrypt@example.com" certbot-create.sh\n\n'
-    exit
-fi
-certbot_create () {
-    certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m ${EMAIL} --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve secp384r1 --rsa-key-size 4096 --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
-}
-KEY_TYPE="ecdsa"
-certbot_create
-KEY_TYPE="rsa"
-certbot_create
-</code>
-=== Manuell ===
-  > DOMAIN="example.com"
-  > EMAIL="letsencrypt@example.com"
-  ECDSA
-  > KEY_TYPE="ecdsa"
-  RSA
-  > KEY_TYPE="rsa"
-  certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --key-type ${KEY_TYPE} --elliptic-curve secp384r1 --rsa-key-size 4096 --cert-name ${KEY_TYPE}-${DOMAIN} --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
-==== Zertifikat erneuern ====
-  > certbot renew
-mit ''%%--dry-run%%'' und ''%%--test-cert%%'' kann man testen (siehe man page) \\
-mit ''%%--force-renewal%%'' kann man eine Erneuerung erzwingen
-==== aktuelle Zertifikate auflisten und Details anzeigen ====
-  > certbot certificates
-  Saving debug log to /var/log/letsencrypt/letsencrypt.log
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-  Found the following certs:
-    Certificate Name: domain.de
-      Serial Number: 3e9470e7f5c730e3e2da4640e61a01f23f6
-      Key Type: RSA
-      Domains: domain.de *.domain.de
-      Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED)
-      Certificate Path: /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem
-      Private Key Path: /usr/local/etc/letsencrypt/live/domain.de/privkey.pem
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-==== Crontab ====
-Zertifikate wöchentlich und beim Systemstart erneuern:
-<code bash /etc/cron.d/certbot>
-MAILTO=""
-@reboot root /usr/bin/certbot renew > /var/log/certbot.log 2>&1
-@weekly root /usr/bin/certbot renew > /var/log/certbot.log 2>&1
-</code>