Letsencrypt.org: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
K (renew) |
K (renew) |
||
| (10 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
Let’s Encrypt is a free, automated, and open certificate authority | Let’s Encrypt is a free, automated, and open certificate authority | ||
https://letsencrypt.org/ | https://letsencrypt.org/ and https://letsencrypt.org/howitworks/ | ||
This setup is for multidomain setup. | |||
== Config == | == Config == | ||
| Zeile 13: | Zeile 15: | ||
authenticator = webroot | authenticator = webroot | ||
agree-tos = True | agree-tos = True | ||
renew-by-default = false | |||
# Uncomment to use a text interface instead of ncurses | # Uncomment to use a text interface instead of ncurses | ||
| Zeile 52: | Zeile 54: | ||
== Create certificate via webroot (recommended) == | == Create certificate via webroot (recommended) == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cd ~/letsencrypt | cd ~/letsencrypt | ||
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld | ./letsencrypt-auto certonly -d domain.tld -d www.domain.tld | ||
| Zeile 67: | Zeile 68: | ||
#/etc/apache2/sites-available/domain.tld | #/etc/apache2/sites-available/domain.tld | ||
... | ... | ||
SSLCertificateFile /etc/letsencrypt/live/tld.com/ | SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem | ||
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem | SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem | ||
... | ... | ||
| Zeile 97: | Zeile 97: | ||
== Automatic renew certificates == | == Automatic renew certificates == | ||
see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
/root | #renew letsencrypt | ||
2 2 * * * /root/letsencrypt/letsencrypt-auto renew -q >> /var/log/le-renew.log | |||
</syntaxhighlight> | |||
to restart the services to load new certificates use renew_hook | |||
<syntaxhighlight lang="bash"> | |||
#/etc/letsencrypt/renewal/your.tld.conf | |||
... | |||
[renewalparams] | |||
... | |||
renew_hook = service postfix reload;service apache2 reload;service dovecot reload | |||
... | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Zeile 107: | Zeile 120: | ||
*https://community.letsencrypt.org/ | *https://community.letsencrypt.org/ | ||
*https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38 | *https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/38 | ||
*https://eblog.damia.net/2015/12/03/lets-encrypt-automation-on-debian/ | |||
[[Kategorie:Security]] | [[Kategorie:Security]] | ||
[[Kategorie:WWW]] | [[Kategorie:WWW]] | ||
Aktuelle Version vom 25. August 2017, 00:13 Uhr
Let’s Encrypt is a free, automated, and open certificate authority https://letsencrypt.org/ and https://letsencrypt.org/howitworks/
This setup is for multidomain setup.
Config
/etc/letsencrypt/cli.ini
#use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = xxx@yyy.com
authenticator = webroot
agree-tos = True
renew-by-default = false
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/
Prerequisite: Apache config
#/etc/apache2/conf.d/letsencrypt.conf
#let's encrypt global dir
Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/
<IfModule mod_headers.c>
<LocationMatch "/.well-known/acme-challenge/*">
Header set Content-Type "text/plain"
</LocationMatch>
</IfModule>
<Directory "/srv/www/_webrootauth/.well-known/">
Order allow,deny
Allow from all
</Directory>
Create certificate via webroot (recommended)
cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
expire on 2016-02-17. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Add certificate to apache
#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...
Create certificate manuell
cd ~/letsencrypt
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld
Make sure your web server displays the following content at
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg
with another shell under /srv/www/xxx/htdocs
umask 022
printf "%s" a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg > .well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY
Press ENTER to continue
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/tld.com/fullchain.pem. Your cert will
expire on 2016-02-05. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Automatic renew certificates
see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal
#renew letsencrypt
2 2 * * * /root/letsencrypt/letsencrypt-auto renew -q >> /var/log/le-renew.log
to restart the services to load new certificates use renew_hook
#/etc/letsencrypt/renewal/your.tld.conf
...
[renewalparams]
...
renew_hook = service postfix reload;service apache2 reload;service dovecot reload
...