mit snapd installieren
Paketnamen:
security/py-certbot security/py-certbot-dns-cloudflare
Installing py37-certbot-1.14.0,1... This port installs the "standalone" client only, which does not use and is not the certbot-auto bootstrap/wrapper script. The simplest form of usage to obtain certificates is: # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]> NOTE: The client requires the ability to bind on TCP port 80 or 443 (depending on the --preferred-challenges option used). If a server is running on that port, it will need to be temporarily stopped so that the standalone server can listen on that port to complete the challenge authentication process. For more information on the 'standalone' mode, see: https://certbot.eff.org/docs/using.html#standalone The certbot plugins to support apache and nginx certificate installation will be made available in the following ports: * Apache plugin: security/py-certbot-apache * Nginx plugin: security/py-certbot-nginx In order to automatically renew the certificates, add this line to /etc/periodic.conf: weekly_certbot_enable="YES" More config details in the certbot periodic script: /usr/local/etc/periodic/weekly/500.certbot-3.7
Cloudflare API Token einsetzen:
# Cloudflare API token used by Certbot dns_cloudflare_api_token = API-TOKEN
--cert-name kann man einen anderen Namen vergeben und somit ECDSA und RSA parallel betreiben--key-type: ecdsa oder rsa--elliptic-curve: secp384r1 oder secp256r1 (secp521r1 wird so gut wie gar nicht unterstützt)#!/usr/bin/env bash if test -z "${DOMAIN}" || test -z "${EMAIL}" then printf '\nPlease specify domain and email like this before running the script:\nDOMAIN="example.com" EMAIL="letsencrypt@example.com" certbot-create.sh\n\n' exit fi EC_NAME="${EC_NAME:-secp384r1}" RSA_SIZE="${RSA_SIZE:-4096}" certbot_create () { certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve "${EC_NAME}" --rsa-key-size "${RSA_SIZE}" --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini } KEY_TYPE="ecdsa" certbot_create KEY_TYPE="rsa" certbot_create
> DOMAIN="example.com"
> EMAIL="letsencrypt@example.com"
> EC_NAME="secp384r1"
> RSA_SIZE="4096"
# choose one
# ECDSA
> KEY_TYPE="ecdsa"
# RSA
> KEY_TYPE="rsa"
> certbot certonly -d "${DOMAIN}" -d "*.${DOMAIN}" -n -m "${EMAIL}" --agree-tos --no-eff-email --expand --key-type "${KEY_TYPE}" --elliptic-curve "${EC_NAME}" --rsa-key-size "${RSA_SIZE}" --cert-name "${KEY_TYPE}-${DOMAIN}" --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
> certbot renew > certbot renew --post-hook /usr/local/sbin/certbot-post-hook.sh
mit --dry-run und --test-cert kann man testen (siehe man page)
mit --force-renewal kann man eine Erneuerung erzwingen
> certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: domain.de
Serial Number: 3e9470e7f5c730e3e2da4640e61a01f23f6
Key Type: RSA
Domains: domain.de *.domain.de
Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED)
Certificate Path: /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/domain.de/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
zertifikate wöchentlich erneuern (falls kurz vorm ablaufen):
@weekly root certbot renew > /var/log/certbot.log 2>&1
z.b. bei tatsächlicher erneuerung chain.pem bündeln (für nginx directive ssl_trusted_certificate) und nginx neustarten
@weekly root certbot renew --post-hook /usr/local/sbin/certbot-post-hook.sh
#!/usr/bin/env bash cat /etc/letsencrypt/live/*/chain.pem > /etc/letsencrypt/live/chain.pem systemctl restart nginx 2> /dev/null