SSL CERTS FOR FREE

INSTALLATION

FROM SOURCE

git clone https://github.com/certbot/certbot.git
cd certbot/

NETBSD

echo $PKG_PATH
pkg_add py37-certbot
ln -s /usr/pkg/bin/certbot-3.7 /usr/pkg/bin/certbot
ln -s /usr/pkg/etc/letsencrypt /etc/letsencrypt

DEBIAN/UBUNTU

apt-get install certbot
#apt-get install python-certbot-apache
#apt-get install python-certbot-nginx

USAGE

STANDALONE

in case you do not have a webserver running on that host yet (certbot binds port 80 itself for the challenge)

./certbot-auto -h
./certbot-auto certonly --standalone -d DOMAIN.TLD

WEBSERVER PORT 80

you already have a webserver up and running on port 80

domain=DOMAIN.TLD
#./letsencrypt-auto -h
#./letsencrypt-auto certonly
#./certbot-auto certonly --webroot -w /data/www/$domain -d $domain
certbot certonly --webroot -d $domain
--> when asked for the webroot, answer /data/www/DOMAIN.TLD (the directory the webserver serves for that domain, where certbot drops the challenge file)

for multiple domains at once

#./certbot-auto certonly --webroot -w /data/www/DOMAIN1 -d DOMAIN1 -w /data/www/DOMAIN2 -d DOMAIN2
--> each -w applies to the -d names that follow it; then answer the questions

ACCEPTANCE

validate the result like a fanatic

ls -lkF /etc/letsencrypt/live/$domain/fullchain.pem
ls -lkF /etc/letsencrypt/live/$domain/privkey.pem
cat /etc/letsencrypt/live/$domain/fullchain.pem
/usr/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid
#/usr/local/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid

we do not need to keep track of the expiration dates ourselves: a cron job running the renew command deals with it, since renew only touches certificates that are close to expiry. The date shifts with every renewal anyway, which would be painful to track by hand.
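Checking the three things that matter after issuance (key matches certificate, hostname is covered, remaining lifetime) can be scripted; the following is an added example, not part of the original notes or of certbot, and assumes only a POSIX shell and the openssl binary. It takes the lineage directory and the hostname as arguments, so a call looks like: sh check_lineage.sh /etc/letsencrypt/live/$domain $domain

```shell
#!/bin/sh
# Added example (not from the original page): acceptance checks for a freshly
# issued lineage, using only openssl. The lineage layout follows the page's
# /etc/letsencrypt/live/$domain (fullchain.pem + privkey.pem).

# 0 if the certificate's public key matches the private key, 1 otherwise.
cert_key_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate expires within the next N seconds, 1 otherwise.
# (openssl -checkend exits 0 when the cert will NOT expire in that window.)
cert_expires_within() {
    cert=$1; seconds=$2
    ! openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# 0 if the hostname is listed among the certificate's DNS subjectAltNames.
cert_covers_name() {
    cert=$1; name=$2
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$name(,| |$)"
}

# Run all checks against a lineage directory; returns 1 on a hard failure.
check_lineage() {
    live=$1; domain=$2; rc=0
    if cert_key_match "$live/fullchain.pem" "$live/privkey.pem"; then
        echo "ok   privkey.pem matches fullchain.pem"
    else
        echo "FAIL privkey.pem does not match fullchain.pem"; rc=1
    fi
    if cert_covers_name "$live/fullchain.pem" "$domain"; then
        echo "ok   certificate covers $domain"
    else
        echo "FAIL certificate does not list DNS:$domain"; rc=1
    fi
    # 30 days is only a warning: renewal is cron's job, not ours.
    if cert_expires_within "$live/fullchain.pem" $((30 * 86400)); then
        echo "WARN certificate expires within 30 days"
    else
        echo "ok   more than 30 days of validity left"
    fi
    return $rc
}

# Only run when invoked with arguments (lineage directory, hostname).
if [ "$#" -eq 2 ]; then
    check_lineage "$1" "$2"
fi
```

The key/certificate comparison is done on the exported public keys rather than on RSA moduli so it also works for the ECDSA keys newer certbot versions issue by default.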

MAINTENANCE

display certificates

certbot certificates

revoke

certbot revoke --cert-path path/to/cert...

delete a certificate (interactive)

certbot delete

RENEW

DO NOT FORGET TO KEEP THE SERVICE UP ON PORT 80 for that matter. Beware there is a limit of 5 attempts per hour

DO NOT FORGET TO CHECK YOUR DS IN CASE YOU ARE DOING DNSSEC, otherwise you might get

Domain: os3.su
Type:   connection
Detail: dns :: DNS problem: SERVFAIL looking up A for os3.su

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.

let’s ATTEMPT to renew all domains at once every five days

crontab -e

0 5 */5 * * /usr/pkg/bin/certbot renew

and make sure the TLS-serving daemon gets reloaded from that job when a certificate was actually renewed. As an alternative, let certbot do it with --deploy-hook (which superseded --renew-hook), run once per renewed certificate.

it is also possible to renew domains independently for better timing, but renew skips the non-eligible certificates anyway

#0 HOUR DAY * * cd /root/certbot && git pull && ./letsencrypt-auto renew -d DOMAIN.TLD

AND DO NOT FORGET TO RELOAD THE DAEMON TO TAKE THE NEW CERT INTO CONSIDERATION
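One way to make the reload automatic and safe is a deploy hook; the script below is an added example (not from the original notes or from the certbot project). What it relies on from certbot is real: deploy hooks run with RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS (space separated) in the environment, and anything dropped into the renewal-hooks/deploy directory under the letsencrypt config dir is run by certbot renew. The install path, the served-domains list and the reload command are assumptions for a NetBSD pkgsrc host and must be adapted.

```shell
#!/bin/sh
# Added example (not from the original page or certbot): deploy hook that
# reloads the webserver only when a lineage it actually serves was renewed,
# and refuses to reload on a fullchain.pem that does not parse.
# Assumed install path: /usr/pkg/etc/letsencrypt/renewal-hooks/deploy/reload-www.sh

# Assumption: domains the local webserver serves (adapt to the host).
SERVED_DOMAINS=${SERVED_DOMAINS:-"DOMAIN.TLD www.DOMAIN.TLD"}
# Assumption: pkgsrc rc.d reload; use what the host's daemon provides.
RELOAD_CMD=${RELOAD_CMD:-"/etc/rc.d/nginx reload"}

# 0 if any word of the renewed list $1 appears in the served list $2.
any_domain_served() {
    for d in $1; do
        case " $2 " in *" $d "*) return 0 ;; esac
    done
    return 1
}

# Decide what to do for one renewal: prints "reload", "skip" or "refuse".
plan_deploy() {
    lineage=$1; renewed=$2; served=$3
    if ! any_domain_served "$renewed" "$served"; then
        echo skip; return 0
    fi
    # Never hand the daemon a certificate openssl cannot even parse.
    if ! openssl x509 -in "$lineage/fullchain.pem" -noout >/dev/null 2>&1; then
        echo refuse; return 0
    fi
    echo reload
}

# Entry point used by certbot; output ends up in certbot's log.
run_hook() {
    action=$(plan_deploy "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" "$SERVED_DOMAINS")
    case $action in
        reload)
            echo "$(date '+%F %T') reloading for: $RENEWED_DOMAINS"
            $RELOAD_CMD ;;
        refuse)
            echo "$(date '+%F %T') refusing reload, unreadable $RENEWED_LINEAGE/fullchain.pem" >&2
            return 1 ;;
        skip)
            echo "$(date '+%F %T') not served here, skipping: $RENEWED_DOMAINS" ;;
    esac
}

# Only act when certbot invoked us (RENEWED_LINEAGE set), not when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

Because certbot runs the hook once per renewed lineage, a host serving several domains reloads once per renewal rather than blindly after every cron run, and a bad fullchain.pem leaves the daemon on the previous, still-valid certificate.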

REFERENCES

TRASH / OBSOLETE

#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update
