90 lines
2.0 KiB
Markdown
90 lines
2.0 KiB
Markdown
---
|
|
title: 'Let''s Encrypt'
|
|
date: 2021-11-13T15:06:57Z
|
|
draft: false
|
|
---
|
|
|
|
## create certificate
|
|
```
|
|
certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
|
|
```
|
|
|
|
## Apache config
|
|
Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver
|
|
to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/)
|
|
This makes renew and create certificates very easy.
|
|
|
|
```
|
|
<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
|
|
CustomLog /var/log/httpd/access.log combined
|
|
ErrorLog /var/log/httpd/error.log
|
|
|
|
Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
|
|
<Location "/.well-known/acme-challenge">
|
|
Require all granted
|
|
Options None
|
|
AllowOverride None
|
|
ForceType text/plain
|
|
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
|
|
</Location>
|
|
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
|
|
</VirtualHost>
|
|
```
|
|
|
|
## renew certificates
|
|
### systemd service
|
|
```
|
|
cat > /etc/systemd/system/certbot.service << EOF
|
|
[Unit]
|
|
Description=Let's Encrypt renewal
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
|
|
EOF
|
|
```
|
|
|
|
### systemd timer
|
|
```
|
|
[Unit]
|
|
Description=Twice daily renewal of Let's Encrypt's certificates
|
|
|
|
[Timer]
|
|
OnCalendar=0/12:00:00
|
|
RandomizedDelaySec=1h
|
|
Persistent=true
|
|
|
|
[Install]
|
|
WantedBy=timers.target
|
|
```
|
|
|
|
### enable certbot timer
|
|
```
|
|
systemctl start certbot.timer
|
|
systemctl enable certbot.timer
|
|
```
|
|
|
|
## renewal hooks
|
|
|
|
### restart httpd after renewal
|
|
```
|
|
cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
|
|
#!/bin/sh
|
|
|
|
systemctl restart httpd
|
|
EOF
|
|
```
|
|
|
|
### restart mail container
|
|
```
|
|
cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
|
|
#!/bin/sh
|
|
|
|
lxc-stop -r -n 'mail'
|
|
EOF
|
|
```
|