refactoring and cleanup
90
content/linux/lets-encrypt.md
Normal file
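--- /dev/null
+++ b/content/linux/lets-encrypt.md
@@ -0,0 +1,90 @@
+---
+title: 'Let''s Encrypt'
+menu:
+main:
+parent: Linux
+---
+
+## create certificate
+```
+certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
+```
+
+## Apache config
+Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver
+to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/)
+This makes renew and create certificates very easy.
+
+```
+<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
+CustomLog /var/log/httpd/access.log combined
+ErrorLog /var/log/httpd/error.log
+
+Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
+<Location "/.well-known/acme-challenge">
+Require all granted
+Options None
+AllowOverride None
+ForceType text/plain
+RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+</Location>
+
+RewriteEngine On
+RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
+RewriteCond %{HTTPS} off
+RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
+</VirtualHost>
+```
+
+## renew certificates
+### systemd service
+```
+cat > /etc/systemd/system/certbot.service << EOF
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+EOF
+```
+
+### systemd timer
+```
+[Unit]
+Description=Twice daily renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+### enable certbot timer
+```
+systemctl start certbot.timer
+systemctl enable certbot.timer
+```
+
+## renewal hooks
+
+### restart httpd after renewal
+```
+cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
+#!/bin/sh
+
+systemctl restart httpd
+EOF
+```
+
+### restart mail container
+```
+cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
+#!/bin/sh
+
+lxc-stop -r -n 'mail'
+EOF
+```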
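Review bot: The two renewal hooks under "## renewal hooks" are written straight into `/etc/letsencrypt/renewal-hooks/`, but certbot only runs executables found in its `pre`, `post` and `deploy` subdirectories, so as written neither httpd nor the mail container is restarted and both keep serving the expired certificate after a renewal. Writing them to `/etc/letsencrypt/renewal-hooks/deploy/httpd.sh` and `/etc/letsencrypt/renewal-hooks/deploy/mail.sh` (deploy hooks run only when a certificate was actually renewed) and adding a `chmod +x` on each file after its heredoc makes them effective. Separately, `AllowOverride None` inside `<Location "/.well-known/acme-challenge">` is a directory-context-only directive and httpd refuses to start with it in a Location block; drop that line, or move it into a `<Directory /var/www/certbot/htdocs/.well-known/acme-challenge>` section. The systemd timer unit is also shown without the `cat > /etc/systemd/system/certbot.timer << EOF` step the service unit has, so the "enable certbot timer" commands refer to a file the reader is never told where to create.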