
This is an old revision of the document!


Let's Encrypt (Certbot)

Installation

Ubuntu

Install via snapd

FreeBSD

Package names:

security/py-certbot
security/py-certbot-dns-cloudflare
Installing py37-certbot-1.14.0,1...
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
 
The simplest form of usage to obtain certificates is:
 
 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>
 
NOTE:
 
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.
 
For more information on the 'standalone' mode, see:
 
  https://certbot.eff.org/docs/using.html#standalone
 
The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:
 
 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx
 
In order to automatically renew the certificates, add this line to
/etc/periodic.conf:
 
    weekly_certbot_enable="YES"
 
More config details in the certbot periodic script:
 
    /usr/local/etc/periodic/weekly/500.certbot-3.7

Configuration

Insert the Cloudflare API token:

/etc/letsencrypt/cloudflare.ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = API-TOKEN
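The token in cloudflare.ini is a live credential for the zone's DNS records, so the file should be readable only by the user that runs certbot; certbot logs a warning when the credentials file is group- or world-readable. The following snippet is an added example, not code from the wiki page or from certbot: it writes the ini file with owner-only permissions and provides a check function that can be run before each renewal. The path, the token value and the function names are placeholders chosen here; on FreeBSD, where the port keeps its configuration under /usr/local/etc/letsencrypt (as the `certbot certificates` output further down shows), adjust the path accordingly.

```shell
#!/bin/sh
# Added example (not from the wiki page): create the Cloudflare credentials
# file for certbot with owner-only permissions and verify them afterwards.
set -eu

# Write TOKEN into INI_FILE so that only the owner can read it.
# The token is a placeholder; a real one should be a Cloudflare API token
# scoped to Zone:DNS:Edit for the zone certbot manages.
write_cloudflare_ini() {
    ini_file="$1"
    token="$2"
    # umask 077 makes the file 0600 from the moment it is created, so the
    # token is never briefly world-readable (chmod afterwards would leave a gap).
    ( umask 077 && printf '# Cloudflare API token used by Certbot\ndns_cloudflare_api_token = %s\n' "$token" > "$ini_file" )
}

# Return 0 if FILE grants no permissions to group or others, 1 otherwise.
# Reads the mode string from ls -l, which works on both FreeBSD and Linux
# (the stat(1) flags differ between the two).
credentials_are_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage (placeholder path and token):
#   write_cloudflare_ini /etc/letsencrypt/cloudflare.ini 'API-TOKEN'
#   credentials_are_private /etc/letsencrypt/cloudflare.ini || echo "fix permissions on cloudflare.ini"
```

The check can be placed at the top of the certificate creation script and of any renewal wrapper, so a permissions regression (for example after restoring the file from a backup) is caught before the token is used.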

Certbot with the Cloudflare plugin

Create a certificate

  • with --cert-name you can assign a different name and thus run RSA and ECC certificates in parallel
certbot-create-cert.sh
#!/usr/bin/env bash
set -eu

DOMAIN="example.com"
EMAIL="letsencrypt@example.com"

# Issue one certificate for the apex and the wildcard via the Cloudflare
# DNS-01 plugin. KEY_TYPE (rsa or ecdsa) is set by the caller below; the
# --cert-name prefix keeps the two key types in separate certificate lineages.
certbot_create_cert () {
    certbot certonly -n --agree-tos --no-eff-email \
        --elliptic-curve secp384r1 --rsa-key-size 4096 \
        --preferred-challenges dns --dns-cloudflare \
        --dns-cloudflare-propagation-seconds 30 \
        --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
        -m "$EMAIL" --key-type "$KEY_TYPE" \
        -d "${DOMAIN},*.${DOMAIN}" --cert-name "${KEY_TYPE}_-_${DOMAIN}"
}

KEY_TYPE="ecdsa"
certbot_create_cert

KEY_TYPE="rsa"
certbot_create_cert

RSA

> certbot certonly -n --agree-tos --no-eff-email --elliptic-curve secp384r1 --rsa-key-size 4096 --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -m letsencrypt@example.com --key-type rsa -d example.com,*.example.com

ECDSA

> certbot certonly -n --agree-tos --no-eff-email --elliptic-curve secp384r1 --rsa-key-size 4096 --preferred-challenges dns --dns-cloudflare --dns-cloudflare-propagation-seconds 30 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -m letsencrypt@example.com --key-type ecdsa -d example.com,*.example.com

Options

  • Possible values for --key-type: rsa or ecdsa
  • Possible values for --elliptic-curve: secp384r1 or secp256r1 (secp521r1 is supported by almost no client)
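To confirm which key type and curve were actually issued, inspect the leaf certificate with openssl rather than trusting the flags that were passed. The following function is an added example, not part of the wiki page or of certbot; it assumes openssl is on the PATH and takes the path to a PEM file such as the fullchain.pem shown in the `certbot certificates` output below (fullchain.pem starts with the leaf certificate, which is the one openssl reads).

```shell
#!/bin/sh
# Added example (not from the wiki page): report the public key type of an
# issued certificate so the effect of --key-type / --elliptic-curve can be
# verified after issuance.
set -eu

# Print "RSA <bits>" or "ECDSA <curve>" for the first certificate in a PEM file.
# Parses the text dump of openssl x509; the patterns match OpenSSL 1.1 and 3.x.
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
            printf 'RSA %s\n' "$bits"
            ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            # The curve is printed as its ASN.1 OID name, e.g. secp384r1.
            curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: \([A-Za-z0-9]*\).*/\1/p' | head -n 1)
            printf 'ECDSA %s\n' "$curve"
            ;;
        *)
            printf 'UNKNOWN\n'
            return 1
            ;;
    esac
}

# Usage (path taken from the certbot certificates output on this page):
#   cert_key_info /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem
```

Running the function against both lineages created by the script above should print "ECDSA secp384r1" for the ecdsa_-_ certificate and "RSA 4096" for the rsa_-_ one.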

Renew a certificate

> certbot renew

  • with --dry-run and --test-cert you can test a renewal (see the man page)
  • with --force-renewal you can force a renewal

List current certificates and show their details

> certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: domain.de
    Serial Number: 3e9470e7f5c730e3e2da4640e61a01f23f6
    Key Type: RSA
    Domains: domain.de *.domain.de
    Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED)
    Certificate Path: /usr/local/etc/letsencrypt/live/domain.de/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/domain.de/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
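The listing above already marks a certificate as expired, but by then the site is down; what a practitioner wants is a warning while there is still time to fix a broken renewal. The following function is an added example, not from the wiki page or from certbot: it parses the output of `certbot certificates` and prints every certificate name that is expired or expires within a given number of days, together with the days left. Date arithmetic is done in awk so the same code runs on FreeBSD and Linux without platform-specific `date` flags; the sample input embedded in the block is constructed after the format shown above.

```shell
#!/bin/sh
# Added example (not from the wiki page): flag certificates from the output
# of `certbot certificates` that are expired or close to expiry.
set -eu

# Usage: expiring_certs DAYS TODAY  (TODAY as YYYY-MM-DD), input on stdin.
# Prints "<cert name> <days left>" for each certificate with days left <= DAYS.
expiring_certs() {
    awk -v limit="$1" -v today="$2" '
        # Julian day number of a YYYY-MM-DD string; differences are day counts.
        function jdn(s,  p, y, m, d, a, yy, mm) {
            split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
            a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            left = jdn($3) - jdn(today)
            if (left <= limit) printf "%s %d\n", name, left
        }'
}

# Constructed sample in the shape of the certbot certificates output above
# (the second lineage is invented for the example).
SAMPLE='Found the following certs:
  Certificate Name: domain.de
    Key Type: RSA
    Domains: domain.de *.domain.de
    Expiry Date: 2021-10-16 22:06:27+00:00 (INVALID: EXPIRED)
  Certificate Name: rsa_-_example.com
    Key Type: RSA
    Domains: example.com *.example.com
    Expiry Date: 2022-01-15 10:00:00+00:00 (VALID: 89 days)'

# Run the check over the constructed sample for a given threshold and date.
sample_report() {
    printf '%s\n' "$SAMPLE" | expiring_certs "$1" "$2"
}

# Against a live system (date +%Y-%m-%d is portable):
#   certbot certificates 2>/dev/null | expiring_certs 30 "$(date +%Y-%m-%d)"
```

Because certbot renews 30 days before expiry by default, a non-empty result from a 30-day threshold means a renewal has already failed at least once and the log in /var/log/letsencrypt/letsencrypt.log is worth reading.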

Crontab

Renew certificates every week, on Monday at 00:00:

0 0 * * 1 certbot renew
Last modified by david