Wissen

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Sie befinden sich hier: Start » let_s_encrypt
Zuletzt angesehen: drucker ffmpeg_metadata_tag hdd
let_s_encrypt

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen RevisionVorhergehende Überarbeitung
Nächste Überarbeitung		Vorhergehende Überarbeitung
let_s_encrypt [2024-07-27 22:20:54] – [mit hook] davidlet_s_encrypt [2024-07-27 22:24:26] (aktuell) – gelöscht david
Zeile 1: Zeile 1:
-====== Let's Encrypt (Certbot)  ====== 
- 
-  * [[https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx]] 
-  * [[https://certbot.eff.org/docs/install.html]] 
- 
- 
-===== Installation ===== 
- 
-==== Ubuntu ==== 
- 
-mit snapd installieren 
- 
-==== FreeBSD ==== 
- 
-Paketnamen: 
-  security/py-certbot 
-  security/py-certbot-dns-cloudflare 
- 
-<file bash> 
-Installing py37-certbot-1.14.0,1... 
-This port installs the "standalone" client only, which does not use and 
-is not the certbot-auto bootstrap/wrapper script. 
- 
-The simplest form of usage to obtain certificates is: 
- 
- # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]> 
- 
-NOTE: 
- 
-The client requires the ability to bind on TCP port 80 or 443 (depending 
-on the --preferred-challenges option used). If a server is running on that 
-port, it will need to be temporarily stopped so that the standalone server 
-can listen on that port to complete the challenge authentication process. 
- 
-For more information on the 'standalone' mode, see: 
- 
-  https://certbot.eff.org/docs/using.html#standalone 
- 
-The certbot plugins to support apache and nginx certificate installation 
-will be made available in the following ports: 
- 
- * Apache plugin: security/py-certbot-apache 
- * Nginx plugin: security/py-certbot-nginx 
- 
-In order to automatically renew the certificates, add this line to 
-/etc/periodic.conf: 
- 
-    weekly_certbot_enable="YES" 
- 
-More config details in the certbot periodic script: 
- 
-    /usr/local/etc/periodic/weekly/500.certbot-3.7 
- 
-</file> 
- 
-===== Konfiguration ===== 
- 
-  * https://certbot.eff.org/docs/using.html 
- 
-Cloudflare API Token einsetzen: 
- 
-<code properties /etc/letsencrypt/cloudflare.ini> 
-# Cloudflare API token used by Certbot 
-dns_cloudflare_api_token = API-TOKEN 
-</code> 
- 
-===== Certbot mit Cloudflare-Plugin ===== 
- 
- 
-==== Zertifikat erstellen ==== 
- 
-=== Optionen === 
- 
-  * Mit ''%%--cert-name%%'' kann man einen anderen Namen vergeben und somit ECDSA und RSA parallel betreiben 
-  * Möglichkeiten für ''%%--key-type%%'': ''ecdsa'' oder ''rsa'' 
-  * Möglichkeiten für ''%%--elliptic-curve%%'': ''secp384r1'' oder ''secp256r1'' (''secp521r1'' wird so gut wie gar nicht unterstützt) 
- 
- 
-=== Script === 
- 
-<code bash /usr/local/sbin/certbot-create.sh> 
-#!/usr/bin/env bash 
- 
-if test -z "${DOMAIN}" || test -z "${EMAIL}" 
-then 
-    printf '\nPlease specify domain and email like this before running the script:\nDOMAIN="example.com" EMAIL="letsencrypt@example.com" certbot-create.sh\n\n' 
-    exit 
-fi 
- 
-certbot_create () { 
-    certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve "${EC_NAME}" --rsa-key-size "${RSA_SIZE}" --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini 
-} 
- 
-KEY_TYPE="ecdsa" 
-EC_NAME="secp384r1" 
-certbot_create 
- 
-KEY_TYPE="rsa" 
-RSA_SIZE="4096" 
-certbot_create 
- 
-</code> 
- 
- 
-=== Manuell === 
- 
-  > DOMAIN="example.com" 
-  > EMAIL="letsencrypt@example.com" 
-   
-  ECDSA 
-  > KEY_TYPE="ecdsa" 
-  > EC_NAME="secp384r1" 
-  RSA 
-  > KEY_TYPE="rsa" 
-  > RSA_SIZE="4096" 
-   
-  > certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve "${EC_NAME}" --rsa-key-size "${RSA_SIZE}" --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini 
- 
- 
-==== Zertifikat erneuern ==== 
- 
-  > certbot renew 
- 
-mit ''%%--dry-run%%'' und ''%%--test-cert%%'' kann man testen (siehe man page) \\ 
-mit ''%%--force-renewal%%'' kann man eine Erneuerung erzwingen 
- 
- 
-==== aktuelle Zertifikate auflisten und Details anzeigen ==== 
- 
-  > certbot certificates 
-  Saving debug log to /var/log/letsencrypt/letsencrypt.log 
-   
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
-  Found the following certs: 
-    Certificate Name: domain.de 
-      Serial Number: 3e9470e7f5c730e3e2da4640e61a01f23f6 
-      Key Type: RSA 
-      Domains: domain.de *.domain.de 
-      Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED) 
-      Certificate Path: /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem 
-      Private Key Path: /usr/local/etc/letsencrypt/live/domain.de/privkey.pem 
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- 
- 
-==== crontab ==== 
- 
-zertifikate wöchentlich erneuern (falls kurz vorm ablaufen): 
- 
-<code bash /etc/cron.d/certbot> 
-MAILTO="" 
-@weekly root certbot renew > /var/log/certbot.log 2>&1 
-</code> 
- 
- 
-=== mit hook === 
- 
-z.b. bei tatsächlicher erneuerung nginx neustarten 
- 
-<code bash /etc/cron.d/certbot> 
-@weekly root certbot renew --post-hook /usr/local/sbin/certbot-post-hook.sh 
-</code> 
- 
-<code bash /usr/local/sbin/certbot-post-hook.sh> 
-#!/usr/bin/env bash 
- 
-service nginx restart 2> /dev/null 
-</code> 
- 
  
/home/http/wiki/data/attic/let_s_encrypt.1722118854.txt · Zuletzt geändert: von david