====== Let's Encrypt (Certbot) ======

  * [[https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx]]
  * [[https://certbot.eff.org/docs/install.html]]

===== Installation =====

==== Ubuntu ====

Install with snapd.

==== FreeBSD ====

Package names:

  * security/py-certbot
  * security/py-certbot-dns-cloudflare

Message printed by pkg on installation:

<code>
Installing py37-certbot-1.14.0,1...
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

# sudo certbot certonly --standalone -d <domain1, [domain2, ... domainN]>

NOTE: The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that port,
it will need to be temporarily stopped so that the standalone server can listen
on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:
https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

weekly_certbot_enable="YES"

More config details in the certbot periodic script:
/usr/local/etc/periodic/weekly/500.certbot-3.7
</code>

===== Configuration =====

  * https://certbot.eff.org/docs/using.html

Put the Cloudflare API token into ''/etc/letsencrypt/cloudflare.ini'' (the path passed to ''%%--dns-cloudflare-credentials%%'' below). The token only needs ''Zone:DNS:Edit'' on the zones you issue certificates for, and the file should be readable by root only (''chmod 0600''); certbot logs a warning about unsafe permissions otherwise.

<code ini>
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = API-TOKEN
</code>

===== Certbot with the Cloudflare plugin =====

==== Create certificate ====

=== Options ===

  * With ''%%--cert-name%%'' you can assign a different lineage name and thus run ECDSA and RSA certificates in parallel
  * Possible values for ''%%--key-type%%'': ''ecdsa'' or ''rsa''
  * Possible values for ''%%--elliptic-curve%%'': ''secp384r1'' or ''secp256r1'' (''secp521r1'' is hardly supported anywhere)

=== Script ===

<code bash>
#!/usr/bin/env bash
# Issues one ECDSA and one RSA wildcard certificate for ${DOMAIN} using the
# Cloudflare DNS-01 plugin. Both lineages get their own name via --cert-name.
# Usage:
#   DOMAIN="example.com" EMAIL="letsencrypt@example.com" certbot-create.sh
if test -z "${DOMAIN}" || test -z "${EMAIL}"
then
    printf '\nPlease specify domain and email like this before running the script:\nDOMAIN="example.com" EMAIL="letsencrypt@example.com" certbot-create.sh\n\n'
    exit 1
fi

# Defaults, overridable from the environment
EC_NAME="${EC_NAME:-secp384r1}"
RSA_SIZE="${RSA_SIZE:-4096}"

certbot_create () {
    certbot certonly \
        -d "${DOMAIN}" -d "*.${DOMAIN}" \
        -n -m "${EMAIL}" --agree-tos --no-eff-email --expand \
        --key-type "${KEY_TYPE}" \
        --elliptic-curve "${EC_NAME}" \
        --rsa-key-size "${RSA_SIZE}" \
        --cert-name "${KEY_TYPE}-${DOMAIN}" \
        --preferred-challenges dns \
        --dns-cloudflare \
        --dns-cloudflare-propagation-seconds 30 \
        --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
}

# The KEY_TYPE prefix is visible inside the function call (bash behaviour)
KEY_TYPE="ecdsa" certbot_create
KEY_TYPE="rsa"   certbot_create
</code>

=== Manually ===

<code bash>
> DOMAIN="example.com"
> EMAIL="letsencrypt@example.com"
> EC_NAME="secp384r1"
> RSA_SIZE="4096"

# choose one
# ECDSA
> KEY_TYPE="ecdsa"
# RSA
> KEY_TYPE="rsa"

> certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve "${EC_NAME}" --rsa-key-size "${RSA_SIZE}" --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
</code>

==== Renew certificate ====

<code bash>
> certbot renew
> certbot renew --post-hook /usr/local/sbin/certbot-post-hook.sh
</code>

With ''%%--dry-run%%'' and ''%%--test-cert%%'' you can test against the staging environment (see man page). \\
With ''%%--force-renewal%%'' you can force a renewal (this counts against the Let's Encrypt rate limits, so keep it out of cron jobs).

==== List current certificates and show details ====

<code>
> certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: domain.de
    Serial Number: 3e9470e7f5c730e3e2da4640e61a01f23f6
    Key Type: RSA
    Domains: domain.de *.domain.de
    Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED)
    Certificate Path: /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/domain.de/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== crontab ====

Renew certificates weekly (only those close to expiry are actually renewed). System crontab format, i.e. with the user field:

<code>
@weekly root certbot renew > /var/log/certbot.log 2>&1
</code>

=== With hook ===

E.g. on an actual renewal, bundle the ''chain.pem'' files (for the nginx directive ''ssl_trusted_certificate'') and restart nginx:

<code>
@weekly root certbot renew --post-hook /usr/local/sbin/certbot-post-hook.sh
</code>

<code bash>
#!/usr/bin/env bash
# Concatenate the intermediate chain of every lineage into one file for
# ssl_trusted_certificate (OCSP stapling), then restart nginx.
cat /etc/letsencrypt/live/*/chain.pem > /etc/letsencrypt/live/chain.pem
systemctl restart nginx 2> /dev/null
</code>
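The following is an added example, not the script from this wiki page: a hardened variant of the post hook above, written for ''certbot renew --deploy-hook'' (which certbot runs once per renewed lineage with ''RENEWED_LINEAGE'' and ''RENEWED_DOMAINS'' set) instead of ''%%--post-hook%%''. It also covers the ''cloudflare.ini'' permission point from the configuration section. Assumptions: nginx is the web server, lineages live under ''/etc/letsencrypt/live'', and the bundle path, the install path and the function names are hypothetical. The bundling fails instead of writing an empty file when no ''chain.pem'' matches, writes to a temp file and renames it so nginx never reads a half-written bundle, and reloads nginx only after ''nginx -t'' passes, so a broken config cannot take the site down.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): hardened certbot deploy hook.
# Install e.g. as /usr/local/sbin/certbot-deploy-hook.sh (hypothetical path):
#   certbot renew --deploy-hook /usr/local/sbin/certbot-deploy-hook.sh
set -euo pipefail

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"           # assumed layout
BUNDLE="${BUNDLE:-${LIVE_DIR}/chain.pem}"               # assumed bundle path
CLOUDFLARE_INI="${CLOUDFLARE_INI:-/etc/letsencrypt/cloudflare.ini}"

# Return 0 if the file grants no access to group/others (mode 0600 or
# stricter). The token in cloudflare.ini can edit DNS for the whole zone,
# so nobody but root should be able to read it. ls -l is used because the
# stat flags differ between GNU and BSD userland.
credentials_private() {
    local perms
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Concatenate every lineage's chain.pem under $1 into $2 for
# ssl_trusted_certificate. Prints the number of chains bundled; returns 1
# (and leaves the old bundle untouched) if nothing matched the glob.
bundle_chains() {
    local live="$1" out="$2" count=0 chain tmp
    tmp=$(mktemp "${out}.XXXXXX")
    for chain in "$live"/*/chain.pem; do
        [ -f "$chain" ] || continue        # unmatched glob stays literal
        cat "$chain" >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no chain.pem found under $live" >&2
        return 1
    fi
    chmod 0644 "$tmp"                      # chains are public certificates
    mv -f "$tmp" "$out"                    # atomic replace
    echo "$count"
}

# Reload (not restart) nginx, and only if the configuration still parses.
# Quietly skipped on hosts without nginx so the functions can be exercised
# elsewhere.
reload_nginx() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx not installed, skipping reload" >&2
        return 0
    fi
    nginx -t && nginx -s reload
}

main() {
    # certbot exports these two variables to deploy hooks
    echo "renewed: ${RENEWED_DOMAINS:-?} (${RENEWED_LINEAGE:-?})"
    if ! credentials_private "$CLOUDFLARE_INI"; then
        echo "warning: $CLOUDFLARE_INI is readable by group/others; chmod 0600 it" >&2
    fi
    local n
    n=$(bundle_chains "$LIVE_DIR" "$BUNDLE")
    echo "bundled $n chain(s) into $BUNDLE"
    reload_nginx
}

# Only act when certbot actually invoked us as a deploy hook (it sets
# RENEWED_LINEAGE); otherwise just define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

''nginx -s reload'' keeps serving with the old workers until the new configuration is loaded, so a renewal never causes a visible outage; the original ''systemctl restart'' drops connections and, with a broken config, leaves nginx down.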