
Let's Encrypt (certbot)

Request certificate with web root verification

certbot certonly --webroot -w /var/www/html/certbot -d notes.company.com

Show certificates

certbot certificates

Show renew timer

cat /usr/lib/systemd/system/certbot.timer

Add deploy hook to restart services (so they pick up the renewed certificate)

nano /etc/letsencrypt/cli.ini


deploy-hook = "service dumbproxy restart ; service nginx restart; wget --quiet https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/swanctl/x509ca/isrgrootx1.pem; wget --quiet https://letsencrypt.org/certs/isrg-root-x2.pem -O /etc/swanctl/x509ca/isrg-root-x2.pem; wget --quiet https://letsencrypt.org/certs/2024/e5.pem -O /etc/swanctl/x509ca/e5.pem; wget --quiet https://letsencrypt.org/certs/2024/e6.pem -O /etc/swanctl/x509ca/e6.pem; wget --quiet https://letsencrypt.org/certs/2024/r10.pem -O /etc/swanctl/x509ca/r10.pem; wget --quiet https://letsencrypt.org/certs/2024/r11.pem -O /etc/swanctl/x509ca/r11.pem; service strongswan restart; (cd /var/www/html/mkdocs/blog/fic && mkdocs build); (cd /var/www/html/mkdocs/blog/tech && mkdocs build); (cd /var/www/html/mkdocs/commands && mkdocs build); (cd /var/www/html/mkdocs/notes && mkdocs build); (cd /var/www/html/mkdocs/quotes && mkdocs build); pip install --upgrade `pip list --format=freeze | cut -d '=' -f 1`"

Install Let's Encrypt

Prerequisites:
- nginx
- published http port
- external DNS record pointing to your Let's Encrypt server

  • Install certbot
apt install certbot
  • Create http folder on web server
mkdir -p /var/www/html/certbot/.well-known/acme-challenge/
  • Configure nginx
/etc/nginx/sites-available/default

server {
    listen  80;
    # Let's Encrypt
    server_name company.com sites.company.com;
    location /.well-known/acme-challenge/ {
        default_type    text/plain;
        root    /var/www/html/certbot;
        try_files   $uri =404;
    }
}
  • Issue first certificate
certbot certonly --webroot -w /var/www/html/certbot -d site.company.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/site.company.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/site.company.com/privkey.pem
This certificate expires on 2022-11-05.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
  • Check issued certificates
ls -la /etc/letsencrypt/live/site.company.com/

where:
- fullchain.pem - certificate chain including the certificate for the domain
- privkey.pem - private key

  • Show certificate
certbot certificates
  • Configure service restart after certificate renewal
/etc/letsencrypt/cli.ini

deploy-hook = "service nginx restart"
  • Test renew process
certbot renew --dry-run
  • Renew certificate task
/usr/lib/systemd/system/certbot.timer


[Unit]
Description=Run certbot renew

[Timer]
OnCalendar=weekly
RandomizedDelaySec=12hours
Persistent=true

[Install]
WantedBy=timers.target
  • Run timer
systemctl start certbot.timer
  • Show timers
systemctl list-timers
  • Show cronjob
cat /etc/cron.d/certbot
  • Enable service for auto start
systemctl enable certbot.service
systemctl enable certbot.timer
  • Configure ACL to allow non-root access to certificate and keys
apt install acl
setfacl -R -d -m u:dumbproxy:rX /etc/letsencrypt/
setfacl -R -m u:dumbproxy:rX /etc/letsencrypt/
getfacl /etc/letsencrypt/
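The deploy hook above (both the one-line `cli.ini` variant and the nginx-only one) restarts everything on every renewal. As an added example that is not part of the original notes, this is a hook script that uses the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables certbot exports to deploy hooks, maps only the renewed names to the services that need them, and tests the nginx config before reloading; the domain names, the service names (nginx, dumbproxy, strongswan) and the script path `/usr/local/bin/certbot-deploy.sh` for `deploy-hook = ...` are assumptions.

```shell
#!/bin/sh
# Constructed example certbot deploy hook (not from the original notes).
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/notes.company.com)
# and RENEWED_DOMAINS (space-separated names) when it runs a deploy hook.
# Assumed service names: nginx, dumbproxy, strongswan.

# Map renewed domain names to the services that must pick up the new files.
# Prints a deduplicated, space-separated list (empty if no domains given).
services_for_domains() {
    out=""
    for d in $1; do
        case "$d" in
            notes.company.com|sites.company.com) add="nginx dumbproxy" ;; # assumed web names
            vpn.company.com)                     add="strongswan" ;;      # assumed IKEv2 name
            *)                                   add="nginx" ;;           # default: web server
        esac
        for s in $add; do
            case " $out " in *" $s "*) ;; *) out="$out $s" ;; esac
        done
    done
    printf '%s' "${out# }"
}

# Reload rather than restart where possible; nginx is config-tested first so a
# broken site config does not take the web server down at renewal time.
apply_service() {
    case "$1" in
        nginx) nginx -t && systemctl reload nginx ;;
        *)     systemctl restart "$1" ;;
    esac
}

main() {
    for s in $(services_for_domains "${RENEWED_DOMAINS:-}"); do
        echo "deploy-hook: $RENEWED_LINEAGE renewed, applying $s"
        apply_service "$s"
    done
}

# Only act when executed by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it with `chmod 755 /usr/local/bin/certbot-deploy.sh` and `deploy-hook = /usr/local/bin/certbot-deploy.sh` in `cli.ini`; `certbot renew --dry-run` still validates the renewal even though the hook does not run in dry-run mode.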

Let's Encrypt expand existing certificate with new names

certbot certonly --cert-name gamelton.me --webroot -w /var/www/html/certbot -d gamelton.me -d newname.gamelton.me

Let's Encrypt troubleshoot

https://letsdebug.net/
https://unboundtest.com/
https://check-your-website.server-daten.de/