SSL CERTS FOR FREE

INSTALLATION

FROM SOURCE

git clone https://github.com/certbot/certbot.git
cd certbot/

NETBSD

echo $PKG_PATH
pkg_add py37-certbot
ln -s /usr/pkg/bin/certbot-3.7 /usr/pkg/bin/certbot
ln -s /usr/pkg/etc/letsencrypt /etc/letsencrypt

DEBIAN/UBUNTU

apt-get install certbot
#apt-get install python-certbot-apache
#apt-get install python-certbot-nginx

USAGE

STANDALONE

in case there is no webserver on the host: certbot spins up its own temporary one on port 80 to answer the challenge

./certbot-auto -h
./certbot-auto certonly --standalone -d DOMAIN.TLD

WEBSERVER PORT 80

when a webserver is already up and serving port 80 for the domain (certbot drops the challenge file under its webroot)

domain=DOMAIN.TLD
#./letsencrypt-auto -h
#./letsencrypt-auto certonly
#./certbot-auto certonly --webroot -w /data/www/$domain -d $domain
certbot certonly --webroot -d $domain
--> when asked for the webroot, answer /data/www/DOMAIN.TLD

for multiple domains at once (a -w applies to every -d that follows it, until the next -w)

#./certbot-auto certonly --webroot -w /data/www/DOMAIN1 -d DOMAIN1 -w /data/www/DOMAIN2 -d DOMAIN2
--> and answer the questions

ACCEPTANCE

validate the result like a fanatic

ls -lkF /etc/letsencrypt/live/$domain/fullchain.pem
ls -lkF /etc/letsencrypt/live/$domain/privkey.pem
cat /etc/letsencrypt/live/$domain/fullchain.pem
/usr/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid
#/usr/local/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid

there is no need to keep track of the expiration dates ourselves: a cron job running the renew command deals with it. The remaining lifetime shrinks by one day every day anyway, which is a poor thing to track by hand.
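The checks above turned into a script, as an added example that is not part of the original page: it inspects a live/DOMAIN.TLD directory and fails loudly on a missing file, a private key that does not belong to the leaf certificate, a domain absent from the SAN list, a world-readable key, or fewer than 30 days of validity left. The make_demo_lineage helper builds a constructed self-signed stand-in so the checks can be tried offline; OpenSSL 1.1.1 or newer is assumed for -addext, and the script name below is an assumption.

```shell
#!/bin/sh
# Added example, not from the page: the "validate like a fanatic" step as a
# script. Checks a certbot lineage directory (live/DOMAIN.TLD) for: files
# present, private key matching the leaf cert, the domain in the SAN list,
# key not world-readable, and more than MIN_DAYS of validity left.
# Only openssl, sed, grep and find are used, so it runs on NetBSD and Debian.
set -u

# Return 0 when the private key in KEY belongs to the first (leaf) certificate
# in CERT; fullchain.pem is fine since x509 only reads the first PEM block.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when DOMAIN is listed verbatim as a DNS SAN of the leaf cert
# (exact match, so a.example does not pass for a.example.com).
covers_domain() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# Return 0 when CERT expires within DAYS days (or cannot be parsed at all).
# openssl -checkend does the date math, so no GNU/BSD date differences.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 when FILE is readable by "other" (-perm -004 is POSIX find).
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# validate_lineage DIR DOMAIN [MIN_DAYS]: run every check, report each
# failure on stderr, return 0 only when all of them pass.
validate_lineage() {
    dir=$1; domain=$2; min_days=${3:-30}; rc=0
    for f in fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    key_matches "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "privkey.pem does not match fullchain.pem" >&2; rc=1; }
    covers_domain "$dir/fullchain.pem" "$domain" \
        || { echo "no SAN entry for $domain" >&2; rc=1; }
    world_readable "$dir/privkey.pem" \
        && { echo "privkey.pem is world-readable" >&2; rc=1; }
    expires_within "$dir/fullchain.pem" "$min_days" \
        && { echo "certificate expires within $min_days days" >&2; rc=1; }
    return $rc
}

# make_demo_lineage DIR DOMAIN DAYS: constructed self-signed stand-in for a
# real live/ directory so the checks can be exercised offline.
make_demo_lineage() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1 \
        && chmod 600 "$1/privkey.pem"
}

# Manual use: sh check-lineage.sh /etc/letsencrypt/live/DOMAIN.TLD DOMAIN.TLD
if [ $# -eq 2 ]; then
    validate_lineage "$1" "$2" && echo "$2: all checks passed"
fi
```

Chaining it after the renew command in cron (renew && check && reload) means a broken lineage stops the reload step instead of being pushed to the daemons.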

MAINTENANCE

display certificates

certbot certificates

delete

certbot delete --cert-name DOMAIN.TLD

revoke

certbot revoke --cert-path path/to/cert...

delete a certificate (interactive)

certbot delete

RENEW

DO NOT FORGET TO KEEP THE SERVICE UP ON PORT 80, the http-01 challenge needs it. Beware there is a limit of 5 failed validations per hour:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.

DO NOT FORGET TO CHECK YOUR DS RECORD IN CASE YOU ARE DOING DNSSEC, otherwise you might get

Domain: os3.su
Type:   connection
Detail: dns :: DNS problem: SERVFAIL looking up A for os3.su

let’s ATTEMPT to renew all domains at once every five days AND DO NOT FORGET TO RELOAD THE DAEMON TO TAKE THE NEW CERT INTO CONSIDERATION

crontab -e

0 5 */5 * * /usr/pkg/bin/certbot renew && /root/RELOAD-SSL 2>&1

make sure every TLS-terminating daemon you run gets reloaded in there, at least those that do not re-read the certificate on their own. Note that certbot renew exits 0 even when nothing was due, so the crontab line above runs RELOAD-SSL on every pass. As an alternative, you could also play with --renew-hook (now named --deploy-hook), which certbot runs only when a certificate was actually renewed

vi /root/RELOAD-SSL

#!/bin/ksh
# reload every daemon that terminates TLS with the letsencrypt files

/root/RESTART-STUNNEL

# postfix reload is verbose by itself, but it writes to stderr
/usr/sbin/postfix reload

echo -n /usr/local/sbin/dovecot reload...
/usr/local/sbin/dovecot reload && echo done || echo FAIL

chmod +x /root/RELOAD-SSL

as for RESTART-STUNNEL see over there
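A stricter take on RELOAD-SSL, as an added example that is not the page's own script: it is written as a certbot deploy hook, reloads only the daemons tied to the lineage that was actually renewed, and returns non-zero when a reload fails, so the cron mail carries the failure instead of a bare "FAIL" echo with exit status 0. The RELOAD_TABLE entries, the nginx path and the DOMAIN.TLD lineage names are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not the page's own RELOAD-SSL: a certbot deploy hook that
# reloads only the daemons serving the lineage that was actually renewed,
# and exits non-zero when any reload fails so the cron mail says so.
# Wire it up with:  certbot renew --deploy-hook /root/RELOAD-SSL
# or copy it to /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs those
# itself). The lineage names and daemon paths in the table are assumptions.
set -u

# Table of "lineage-glob|reload command", one per line. certbot hands the
# hook RENEWED_LINEAGE=/etc/letsencrypt/live/NAME, so match on that path.
RELOAD_TABLE='
*/live/DOMAIN.TLD|/usr/sbin/postfix reload
*/live/DOMAIN.TLD|/usr/local/sbin/dovecot reload
*/live/DOMAIN.TLD|/root/RESTART-STUNNEL
*/live/www.DOMAIN.TLD|/usr/pkg/sbin/nginx -s reload
'

# reload_for_lineage LINEAGE TABLE: run every command whose glob matches
# LINEAGE, log each outcome to stderr, return the number of failed reloads
# (0 when everything, or nothing, needed reloading).
reload_for_lineage() {
    lineage=$1; failed=0; ran=0
    while IFS='|' read -r glob cmd; do
        [ -n "$glob" ] || continue          # skip blank lines
        case "$lineage" in
            $glob) ;;                       # unquoted so it acts as a glob
            *) continue ;;
        esac
        ran=$((ran + 1))
        # eval because a table entry carries arguments; the table is a
        # root-owned constant in this file, not user input
        if eval "$cmd" >/dev/null 2>&1; then
            echo "RELOAD-SSL: $cmd: ok" >&2
        else
            echo "RELOAD-SSL: $cmd: FAILED" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$2
EOF
    [ $ran -gt 0 ] || echo "RELOAD-SSL: nothing to reload for $lineage" >&2
    return $failed
}

# certbot exports RENEWED_LINEAGE (and RENEWED_DOMAINS) to deploy hooks;
# accept a path argument too so the hook can be run by hand.
lineage=${RENEWED_LINEAGE:-${1:-}}
if [ -n "$lineage" ]; then
    reload_for_lineage "$lineage" "$RELOAD_TABLE"
    exit $?
fi
```

Run by hand with the live directory as argument (sh /root/RELOAD-SSL /etc/letsencrypt/live/DOMAIN.TLD) to check the table before the first real renewal.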

it is otherwise possible to renew each domain independently for finer timing, but the renew command skips the certificates that are not yet due anyway

#0 HOUR DAY * * cd /root/certbot && git pull && ./letsencrypt-auto renew -d DOMAIN.TLD

REFERENCES

ACME Client Implementations https://letsencrypt.org/docs/client-options/

Getting Started https://letsencrypt.org/getting-started/

Get your site on Lock HTTPS (certbot) https://certbot.eff.org/

Letsencrypt friendly nginx configuration https://imil.net/blog/2016/03/12/Letsencrypt-friendly-nginx-configuration/

Renewing certificates https://certbot.eff.org/docs/using.html#renewing-certificates

Donating to ISRG https://letsencrypt.org/donate

Donating to EFF https://eff.org/donate-le

TRASH / OBSOLETE

#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update
