Letsencrypt.org

Aus crazylinux.de
Wechseln zu: Navigation, Suche

Let’s Encrypt is a free, automated, and open certificate authority https://letsencrypt.org/ and https://letsencrypt.org/howitworks/

This setup is for multidomain setup.

1 Config

/etc/letsencrypt/cli.ini

#use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

server = https://acme-v01.api.letsencrypt.org/directory

email = xxx@yyy.com

authenticator = webroot 

agree-tos = True

renew-by-default = false

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/

2 Prerequisite: Apache config

#/etc/apache2/conf.d/letsencrypt.conf
        #let's encrypt global dir

        Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/

        <IfModule mod_headers.c>
          <LocationMatch "/.well-known/acme-challenge/*">
              Header set Content-Type "text/plain"
          </LocationMatch>
         </IfModule>

        <Directory "/srv/www/_webrootauth/.well-known/">
                Order allow,deny
                Allow from all
        </Directory>

3 Create certificate via webroot (recommended)

cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
   expire on 2016-02-17. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Add certificate to apache

#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...

4 Create certificate manuell

cd ~/letsencrypt
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld

Make sure your web server displays the following content at
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg

with another shell under /srv/www/xxx/htdocs
umask 022
printf "%s" a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg > .well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY

Press ENTER to continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/tld.com/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

5 Automatic renew certificates

see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal

#renew letsencrypt
2 2 * * *               /root/letsencrypt/letsencrypt-auto  renew -q >> /var/log/le-renew.log

to restart the services to load new certificates use renew_hook


#/etc/letsencrypt/renewal/your.tld.conf
...
[renewalparams]
...
 renew_hook = service postfix reload;service apache2 reload;service dovecot reload
...

6 Links