---
title: 'Let''s Encrypt'
date: 2021-11-13T15:06:57Z
draft: false
---

## create certificate

The certificate is issued with the webroot plugin: certbot drops the HTTP-01 challenge file into `/var/www/certbot/htdocs/.well-known/acme-challenge/`, and the Apache config below serves that directory for every domain on this host.

```
certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
```

## Apache config

Default VirtualHost for HTTP (port 80), mapping `/.well-known/acme-challenge` of any domain hosted on my webserver to the same location in the filesystem (`/var/www/certbot/htdocs/.well-known/acme-challenge/`). This makes creating and renewing certificates very easy: one shared webroot answers the challenge for every domain, and every other plain-HTTP request is redirected to HTTPS.

The challenge directory is locked down inside a `<Directory>` block: `Options None` and `AllowOverride None` disable directory listings and `.htaccess`, `ForceType text/plain` keeps the token files from being interpreted as anything else, and `RedirectMatch 404` answers 404 for anything under the alias that is not exactly a 43-character token (a Let's Encrypt token is 32 random bytes in base64url, which is 43 characters). The `RewriteCond` on the challenge path excludes it from the HTTPS redirect so the validator always gets the file over plain HTTP.

```
<VirtualHost *:80>
    CustomLog /var/log/httpd/access.log combined
    ErrorLog /var/log/httpd/error.log

    # one shared webroot for the HTTP-01 challenge of every hosted domain
    Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
    <Directory "/var/www/certbot/htdocs/.well-known/acme-challenge/">
        Require all granted
        Options None
        AllowOverride None
        ForceType text/plain
        # only a bare 43-character token is served; everything else under the alias is a 404
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

    # everything except the challenge path goes to HTTPS
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} off
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
</VirtualHost>
```

## renew certificates

### systemd service

```
cat > /etc/systemd/system/certbot.service << EOF
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
EOF
```

### systemd timer

Saved as `/etc/systemd/system/certbot.timer`, the unit started in the next step. `OnCalendar=0/12:00:00` fires at 00:00 and 12:00, the randomized delay spreads the load on the Let's Encrypt servers, and `Persistent=true` catches up on a run that was missed while the machine was off. `certbot renew` only touches certificates that are within 30 days of expiry, so running it twice a day is cheap; `systemd-analyze calendar '0/12:00:00'` shows the next trigger times, and `certbot renew --dry-run` exercises the whole path against the staging environment without replacing the live certificates.

```
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

### enable certbot timer

```
systemctl start certbot.timer
systemctl enable certbot.timer
```

## renewal hooks

Certbot only runs executable scripts found in `/etc/letsencrypt/renewal-hooks/deploy/` (and the `pre/` and `post/` siblings); a script placed directly in `renewal-hooks/` is never executed. Deploy hooks run once for each certificate that was actually renewed, which is the right place to restart the services that use it, and they must be executable.

### restart httpd after renewal

`systemctl reload httpd` would pick up the new certificate with a graceful restart instead of dropping open connections; a full restart is the simpler option used here.

```
cat > /etc/letsencrypt/renewal-hooks/deploy/httpd.sh << EOF
#!/bin/sh
systemctl restart httpd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/httpd.sh
```

### restart mail container

`lxc-stop -r` reboots the container so the services inside it reload the renewed certificate.

```
cat > /etc/letsencrypt/renewal-hooks/deploy/mail.sh << EOF
#!/bin/sh
lxc-stop -r -n 'mail'
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/mail.sh
```
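The two hooks above restart both services on every renewal, whichever certificate was renewed. As an added example (not code from the original post), here is a single deploy hook that uses the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables certbot exports to deploy hooks, checks that the deployed key and certificate belong together before touching anything, and only restarts the services that consume the renewed domains. The domain-to-service mapping, the `mail.*` naming and the use of `reload` instead of `restart` are assumptions for this host, not something the page states.

```sh
#!/bin/sh
# Added example, not from the original post: one deploy hook that replaces the two
# unconditional restart scripts. Certbot exports RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated)
# to deploy hooks. The domain-to-service mapping and the container name are
# assumptions for this host.
set -eu

# Assumed mapping: which service consumes the certificate for a domain.
service_for_domain() {
    case "$1" in
        mail.*) echo "mail" ;;
        *)      echo "httpd" ;;
    esac
}

# Reduce a RENEWED_DOMAINS list to the sorted, de-duplicated set of services,
# space-separated on stdout, without touching any service.
services_for_domains() {
    for d in $1; do
        service_for_domain "$d"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Refuse to reload anything if the deployed key and certificate do not belong
# together: a truncated or mixed-up lineage must not take the web server down.
# Public-key comparison works for both RSA and ECDSA keys.
chain_is_consistent() {
    lineage="$1"
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

restart_service() {
    case "$1" in
        httpd) apachectl configtest && systemctl reload httpd ;;  # graceful, keeps open connections
        mail)  lxc-stop -r -n mail ;;                              # reboot the container
    esac
}

main() {
    if ! chain_is_consistent "$RENEWED_LINEAGE"; then
        echo "deploy hook: key/certificate mismatch in $RENEWED_LINEAGE, not reloading" >&2
        exit 1
    fi
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        restart_service "$svc"
    done
}

# Only act when certbot invoked us; running the file by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as `/etc/letsencrypt/renewal-hooks/deploy/services.sh` with `chmod +x`; `certbot renew --dry-run` does not run deploy hooks, so test it by exporting `RENEWED_LINEAGE` and `RENEWED_DOMAINS` by hand.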
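Before asking Let's Encrypt to validate a new domain it is worth checking that the webroot mapping in the Apache config above actually works. As an added example (not code from the original post), the following script reproduces the two decisions that VirtualHost makes for a request, the `RedirectMatch 404` on the challenge directory and the HTTPS redirect, stages a constructed token file the way the certbot webroot plugin would, and can probe the real server for it. The token and its file content are constructed here; the webroot and hostname are the ones from the page.

```sh
#!/bin/sh
# Added example, not from the original post: reproduces the request decisions of
# the Apache config and stages a constructed token in the webroot for a probe.
set -eu

# A Let's Encrypt challenge token is 32 random bytes, base64url without padding:
# exactly 43 characters, which is where the {43} in the RedirectMatch comes from.
make_token() {
    head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Same decision as the RedirectMatch 404 in the <Directory> block: only a bare
# 43-character token directly under the alias is served, anything else is a 404.
# [\w-] is written out because \w is not portable in POSIX ERE bracket expressions.
challenge_path_served() {
    printf '%s' "$1" | grep -Eq '^/\.well-known/acme-challenge/[A-Za-z0-9_-]{43}$'
}

# Same decision as the RewriteCond/RewriteRule pair: a plain-HTTP request is
# redirected to https unless it is for the challenge path ([NC] = case-insensitive).
redirect_to_https() {
    https="$1"   # "on" or "off", like %{HTTPS}
    uri="$2"
    [ "$https" = "off" ] || return 1
    printf '%s' "$uri" | grep -Eiq '^/\.well-known/acme-challenge' && return 1
    return 0
}

# Drop a constructed token file into the webroot, as the certbot webroot plugin
# does (the real content is "<token>.<account key thumbprint>"), and print the
# URL a validator would fetch.
stage_token() {
    webroot="$1"; host="$2"; token="$3"
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s.constructed-thumbprint' "$token" > "$webroot/.well-known/acme-challenge/$token"
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$host" "$token"
}

# End-to-end probe against the real server (needs network, not run by default):
# the body served over plain HTTP must equal the staged file, with no redirect.
probe() {
    webroot="$1"; host="$2"
    token=$(make_token)
    url=$(stage_token "$webroot" "$host" "$token")
    body=$(curl -fsS "$url") || body=""
    rm -f "$webroot/.well-known/acme-challenge/$token"
    [ "$body" = "$token.constructed-thumbprint" ]
}

# Usage on the host from the page:  probe /var/www/certbot/htdocs log.br0tkasten.de && echo OK
```

`curl -fsS` is deliberately not given `-L`: the validator would follow a redirect to HTTPS, but a redirect here means the `RewriteCond` exclusion is not in effect and the TLS side is now part of the validation path.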