2.0 KiB
2.0 KiB
| title | date | draft |
|---|---|---|
| Let's Encrypt | 2021-11-13T15:06:57Z | false |
create certificate
certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
Apache config
Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/) This makes renew and create certificates very easy.
<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
CustomLog /var/log/httpd/access.log combined
ErrorLog /var/log/httpd/error.log
Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
<Location "/.well-known/acme-challenge">
Require all granted
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Location>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
</VirtualHost>
renew certificates
systemd service
cat > /etc/systemd/system/certbot.service << EOF
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
EOF
systemd timer
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
enable certbot timer
systemctl start certbot.timer
systemctl enable certbot.timer
renewal hooks
restart httpd after renewal
cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
#!/bin/sh
systemctl restart httpd
EOF
restart mail container
cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
#!/bin/sh
lxc-stop -r -n 'mail'
EOF