Letsencrypt.org

Aus crazylinux.de
Zur Navigation springen Zur Suche springen

Let’s Encrypt is a free, automated, and open certificate authority https://letsencrypt.org/ and https://letsencrypt.org/howitworks/

This setup is for multidomain setup.

Config

/etc/letsencrypt/cli.ini

#use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

server = https://acme-v01.api.letsencrypt.org/directory

email = xxx@yyy.com

authenticator = webroot 

agree-tos = True

renew-by-default = false

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /srv/www/_webrootauth/

Prerequisite: Apache config

#/etc/apache2/conf.d/letsencrypt.conf
        #let's encrypt global dir

        Alias /.well-known/acme-challenge/ /srv/www/_webrootauth/.well-known/acme-challenge/

        <IfModule mod_headers.c>
          <LocationMatch "/.well-known/acme-challenge/*">
              Header set Content-Type "text/plain"
          </LocationMatch>
         </IfModule>

        <Directory "/srv/www/_webrootauth/.well-known/">
                Order allow,deny
                Allow from all
        </Directory>

Create certificate via webroot (recommended)

cd ~/letsencrypt
./letsencrypt-auto certonly -d domain.tld -d www.domain.tld

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
   expire on 2016-02-17. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Add certificate to apache

#/etc/apache2/sites-available/domain.tld
...
SSLCertificateFile /etc/letsencrypt/live/tld.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/tld.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tld.com/privkey.pem
...

Create certificate manuell

cd ~/letsencrypt
./letsencrypt-auto certonly -a manual -d domain.tld -d www.domain.tld

Make sure your web server displays the following content at
http://www.domain.tld/.well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY before continuing:
a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg

with another shell under /srv/www/xxx/htdocs
umask 022
printf "%s" a9q3mxxxxWo-W9ihRohAuoxxxxLeppj8qZj07JvRRAqRB4qSFg > .well-known/acme-challenge/a9q3mxxxxxxxZqxPKlKKI8KY

Press ENTER to continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/tld.com/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Automatic renew certificates

see http://letsencrypt.readthedocs.org/en/latest/using.html#renewal or


from community: https://community.letsencrypt.org/t/how-to-completely-automating-certificate-renewals-on-debian/5615

#renew letsencrypt
30 23 * * *   /some_dir/bin/le-renew.sh  --renew-all>/dev/null

Links