this certbot guide is deprecated by dehydrated (a much nicer ACME client)
from source
git clone https://github.com/certbot/certbot.git
cd certbot/

from pkgsrc (netbsd)
echo $PKG_PATH
pkg_add py37-certbot
ln -s /usr/pkg/bin/certbot-3.7 /usr/pkg/bin/certbot
ln -s /usr/pkg/etc/letsencrypt /etc/letsencrypt

from debian packages
apt-get install certbot
#apt-get install python-certbot-apache
#apt-get install python-certbot-nginx
in case you do not have a webserver over there (standalone mode binds port 80 itself to answer the http-01 challenge)
./certbot-auto -h
./certbot-auto certonly --standalone -d DOMAIN.TLD
you got a webserver up and running already (webroot mode drops the challenge file under .well-known/acme-challenge/ in the document root)
domain=DOMAIN.TLD
#./letsencrypt-auto -h
#./letsencrypt-auto certonly
#./certbot-auto certonly --webroot /data/www/$domain -d $domain
certbot certonly --webroot -d $domain
--> answer /data/www/DOMAIN.TLD when asked for the webroot
for multiple domains at once
#./certbot-auto certonly --webroot /data/www/DOMAIN1,2 -d DOMAIN1 -d DOMAIN2
--> and answer the questions
validate the result like a fanatic
ls -lkF /etc/letsencrypt/live/$domain/fullchain.pem
ls -lkF /etc/letsencrypt/live/$domain/privkey.pem
cat /etc/letsencrypt/live/$domain/fullchain.pem
/usr/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid
#/usr/local/bin/openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -text | grep -A3 Valid
we do not need to keep track of the expiration dates ourselves. An appropriate cron job against the renew
command will deal with it just fine. The remaining lifetime shrinks by a day every day anyway, which is tedious to track by hand.
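The "validate like a fanatic" step, scripted so it can run unattended after certbot renew and before the daemons are reloaded. This is an added example, not part of the original notes; it assumes openssl in PATH and certbot's live/DOMAIN/ layout with fullchain.pem and privkey.pem.

```shell
#!/bin/sh
# Added example (not from the original notes): check a certbot live/ directory
# the way the manual openssl inspection above does, but with a usable exit code.
# Assumes: openssl in PATH, certbot layout live/DOMAIN/{fullchain,privkey}.pem.

# check_cert DIR [MIN_DAYS]
# 0 when the leaf in DIR/fullchain.pem is valid for at least MIN_DAYS more days
# (default 30, the window in which "certbot renew" acts) and DIR/privkey.pem is
# the key for that leaf; otherwise prints why and returns 1.
check_cert() {
    dir=$1
    min_days=${2:-30}
    chain="$dir/fullchain.pem"
    key="$dir/privkey.pem"

    [ -r "$chain" ] || { echo "$dir: missing fullchain.pem"; return 1; }
    [ -r "$key" ]   || { echo "$dir: missing privkey.pem"; return 1; }

    # openssl x509 only reads the first PEM block, which is the leaf cert
    if ! openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "$dir: leaf expires within $min_days days ($(openssl x509 -in "$chain" -noout -enddate))"
        return 1
    fi

    # the public key in the leaf must equal the public half of privkey.pem
    # (SubjectPublicKeyInfo comparison, so RSA and ECDSA keys both work)
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$dir: privkey.pem does not match the leaf certificate"
        return 1
    fi

    echo "$dir: ok, valid for >= $min_days days and key matches"
    return 0
}

# check_all [LIVE_DIR]: run check_cert over every certificate certbot manages;
# returns 1 if any fails, so a reload script can refuse to proceed
check_all() {
    live=${1:-/etc/letsencrypt/live}
    rc=0
    for d in "$live"/*/; do
        [ -d "$d" ] || continue
        check_cert "${d%/}" || rc=1
    done
    return $rc
}
```

Run it as `check_all && /root/RELOAD-SSL` so the daemons are only reloaded when every live certificate passes.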
display certificates
certbot certificates
delete
certbot delete --cert-name DOMAIN.TLD
revoke
certbot revoke --cert-path path/to/cert...
delete a certificate (interactive)
certbot delete
DO NOT FORGET TO KEEP THE SERVICE UP ON PORT 80 for that matter (the http-01 challenge is fetched over plain HTTP). Beware there is a limit of 5 attempts per hour:
There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.
DO NOT FORGET TO CHECK YOUR DS RECORD IN CASE YOU ARE DOING DNSSEC, otherwise you might get
Domain: os3.su
Type: connection
Detail: dns :: DNS problem: SERVFAIL looking up A for os3.su
let's ATTEMPT to renew all domains at once every five days AND DO NOT FORGET TO RELOAD THE DAEMON TO TAKE THE NEW CERT INTO CONSIDERATION
crontab -e
0 5 */5 * * /usr/pkg/bin/certbot renew && /root/RELOAD-SSL 2>&1
make sure every ssl-speaking daemon you run gets reloaded in there, where it needs a reload at all to pick up the new files. As an alternative, you could also play with --renew-hook (called --deploy-hook in newer certbot releases)
vi /root/RELOAD-SSL
#!/bin/ksh
/root/RESTART-STUNNEL #self verbose but goes to stderr
/usr/sbin/postfix reload
echo -n "/usr/local/sbin/dovecot reload... "
/usr/local/sbin/dovecot reload && echo done || echo FAIL
chmod +x /root/RELOAD-SSL
as for RESTART-STUNNEL, see over there
it is otherwise possible to renew all domains independently for better timing but the renew
command skips the non-eligible certs anyway
#0 HOUR DAY * * cd /root/certbot && git pull && ./letsencrypt-auto renew -d DOMAIN.TLD
ACME Client Implementations https://letsencrypt.org/docs/client-options/
Getting Started https://letsencrypt.org/getting-started/
Get your site on Lock https:// https://certbot.eff.org/
Letsencrypt friendly nginx configuration https://imil.net/blog/2016/03/12/Letsencrypt-friendly-nginx-configuration/
Renewing certificates https://certbot.eff.org/docs/using.html#renewing-certificates
Donating to ISRG https://letsencrypt.org/donate
Donating to EFF https://eff.org/donate-le
Challenge Types https://letsencrypt.org/docs/challenge-types/
DNS providers who easily integrate with Let’s Encrypt DNS validation https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438
Acme DNS-01 validation with LuaDNS for LetsEncrypt Certificates on CentOS v7.x https://plone.lucidsolutions.co.nz/web/pki/letsencrypt/acme-dns-01-validation-with-namecheap-for-letsencrypt-certificates
ubuntu, via the certbot ppa
#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update