.. _hosting.certbot:

=====================================
Using Certbot/Let's Encrypt with Lino
=====================================

`What's Certbot? <https://certbot.eff.org/about/>`__

The recommended way to activate Certbot on a :term:`Lino server` is by using the
``--https`` option of :cmd:`getlino configure`.

This option will:

- install `certbot` or `certbot-auto` (unless one of them is already installed)

- add an entry to your :file:`/etc/crontab` that will run :cmd:`certbot-auto
  renew` automatically every 12 hours.

On a Lino server configured with the ``--https`` option, ``getlino startsite``
will automatically do the following.

- create the nginx config file in :file:`/etc/nginx/sites-available`
- enable the site by linking it to :file:`/etc/nginx/sites-enabled`
- restart the nginx service
- run :cmd:`certbot-auto` to register the new site with certbot as being served
  on this server (i.e. to request a certificate for it).

Read the docs:

- https://certbot.eff.org/docs/using.html
- https://certbot.eff.org/lets-encrypt/debianbuster-nginx


.. highlight:: console

Troubleshooting
===============

Here are some hints for playing around manually when something doesn't work as
expected.

You can run :cmd:`certbot-auto` at any moment in interactive mode::

  $ certbot-auto
  Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator nginx, Installer nginx

  Which names would you like to activate HTTPS for?
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1: example.com
  2: lists.example.com
  3: www.example.com
  4: emil.example.com
  5: jane.example.com
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Select the appropriate numbers separated by commas and/or spaces, or leave input
  blank to select all options shown (Enter 'c' to cancel): c

The ``certificates`` command displays information about every certificate
managed by certbot::

  $ certbot-auto certificates

How to remove a certbot certificate? For example, after moving a site to a new
server, instruct certbot on the old server to stop requesting a certificate for
that site::

  $ certbot delete --cert-name www.example.com-0001

How to manually add a certificate for a new site on your server::

  $ certbot-auto -d www.example.com


You can create certificates that cover multiple domains::

  $ certbot-auto -d one.example.com -d two.example.com

How to install certbot using the Debian package::

  $ sudo apt-get install certbot python-certbot-nginx
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  certbot is already the newest version (0.31.0-1).
  python-certbot-nginx is already the newest version (0.31.0-1).
  0 upgraded, 0 newly installed, 0 to remove and 124 not upgraded.


Messy certificates
==================

There are different ways to mess up certificates.  For example, you can end up
with a certificate that covers a domain which is already covered by another
certificate.

How to see all certificates that cover a given domain?

::

  $ certbot-auto certificates | grep mydomain.org

How to see all enabled sites and the certificate they use::

  $ cd /etc/nginx/sites-enabled
  $ grep ssl_certificate_key *

How to set the email address used by the ACME server for sending notifications::

  $ certbot-auto update_account --email postmaster@mydomain.org

How to delete a certificate::

  $ certbot-auto delete --cert-name team.mydomain.org
  Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
  Saving debug log to /var/log/letsencrypt/letsencrypt.log

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Deleted all files relating to certificate team.mydomain.org.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How to update the domain(s) covered by a certificate. The ``-d`` options you
pass replace the certificate's previous set of domains, so name every domain the
certificate should keep covering, not only the new one::

  $ certbot-auto certonly -d new.mydomain.org --cert-name old.mydomain.org
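
The following shell script is an added example and not part of the getlino
documentation. It turns the manual checks of this section into functions:
which domains are covered by more than one certificate, which certificates
certbot reports as expired, and which enabled nginx sites point (via
``ssl_certificate_key``) at a certificate that does not cover their
``server_name``. The certificate listing and the two site files are
constructed here in the format that ``certbot certificates`` and nginx use,
and the standard :file:`/etc/letsencrypt/live/<name>/` layout is assumed; the
function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Lino/getlino docs: spot "messy"
# certificates from the output of `certbot-auto certificates` and
# the nginx site configs. The listing and the two site files are
# constructed in the formats certbot and nginx use; on a real
# server use `certbot-auto certificates > certs.txt` and
# /etc/nginx/sites-enabled instead.
LC_ALL=C; export LC_ALL

CERTS=$(mktemp)
cat > "$CERTS" <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-03-01 12:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: www.example.com-0001
    Domains: www.example.com
    Expiry Date: 2020-02-10 12:00:00+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com-0001/privkey.pem
  Certificate Name: team.example.com
    Domains: team.example.com
    Expiry Date: 2020-01-05 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/team.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/team.example.com/privkey.pem
EOF

SITES=$(mktemp -d)
cat > "$SITES/example.com" <<'EOF'
server {
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
EOF
cat > "$SITES/team.example.com" <<'EOF'
server {
    server_name team.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
EOF

# cert_domains CERTS_FILE CERT_NAME: the domains one certificate covers.
cert_domains() {
    awk -v want="$2" '
        /Certificate Name:/ { name = $3 }
        /Domains:/ && name == want { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# overlapping_domains CERTS_FILE: "domain: cert1 cert2" for every domain
# covered by more than one certificate (the situation described above).
overlapping_domains() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Domains:/ { for (i = 2; i <= NF; i++) { n[$i]++; c[$i] = c[$i] " " name } }
        END { for (d in n) if (n[d] > 1) print d ":" c[d] }
    ' "$1" | sort
}

# expired_certs CERTS_FILE: names certbot reports as expired. The renew
# cron job should have replaced these, so any hit deserves a look at the log.
expired_certs() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ && /EXPIRED/ { print name }
    ' "$1"
}

# uncovered_sites CERTS_FILE SITES_DIR: nginx sites whose server_name is not
# among the domains of the certificate their ssl_certificate_key points to.
uncovered_sites() {
    for conf in "$2"/*; do
        cert=$(sed -n 's#.*ssl_certificate_key */etc/letsencrypt/live/\([^/]*\)/privkey\.pem;.*#\1#p' "$conf" | head -n 1)
        [ -n "$cert" ] || continue
        for host in $(sed -n 's/^[[:space:]]*server_name[[:space:]]*\(.*\);/\1/p' "$conf"); do
            cert_domains "$1" "$cert" | grep -qx "$host" ||
                echo "$(basename "$conf"): $host is not covered by certificate $cert"
        done
    done
}

echo "overlaps:"; overlapping_domains "$CERTS"
echo "expired:"; expired_certs "$CERTS"
echo "uncovered:"; uncovered_sites "$CERTS" "$SITES"
```

With the constructed input the script reports ``www.example.com`` as covered by
both ``example.com`` and ``www.example.com-0001``, ``team.example.com`` as
expired, and the ``team.example.com`` site as using a certificate that does not
contain its name. Each of the three findings maps to one of the manual commands
above (``certificates | grep``, the renew log, ``grep ssl_certificate_key``).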

One certificate covering many domains
=====================================

The following is probably bad practice. It is easier to maintain an individual
certificate for each subdomain.

On LF we have a lot of subdomains, but no wildcard certificate. Here is how to
maintain the list of domains for a given certificate in a separate file.

Let's say you have a certificate named ``example.com``, and you have a lot of
subdomains that you want to cover using that same certificate.

Create a file named :file:`~/domains.txt` with one line per domain, each line
starting with `-d`::

  -d example.com
  -d www.example.com
  -d sub1.example.com
  ...
  -d sub9.example.com

You can now update this file at any moment and then run the following to update
your certificate::

  $ xargs -a ~/domains.txt certbot-auto certonly --cert-name example.com
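
The following is an added example, not code from the getlino project. Before
handing :file:`~/domains.txt` to the ``xargs`` command above, it checks the
file for malformed or duplicate lines and previews which domains the renewed
certificate would gain or lose compared with the domains it covers today,
since the ``-d`` list given to ``certonly`` replaces the whole domain set. The
two domain files are constructed; the names ``check_domains_file``,
``planned_changes`` and ``certonly_command`` are my own, and the current domain
list is assumed to have been copied from the ``Domains:`` line of
``certbot-auto certificates``.

```shell
#!/bin/sh
# Added example, not part of the Lino/getlino docs: check ~/domains.txt
# before handing it to certbot-auto, and preview the change in the
# certificate's domain set. All file contents below are constructed.
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d)

# The domains file in the format described above: one "-d domain" per line
# (this one deliberately repeats sub1.example.com).
cat > "$WORK/domains.txt" <<'EOF'
-d example.com
-d www.example.com
-d sub1.example.com
-d sub1.example.com
-d sub2.example.com
EOF

# Domains the certificate covers today, as listed on its "Domains:" line in
# the output of `certbot-auto certificates` (constructed).
cat > "$WORK/current.txt" <<'EOF'
example.com
www.example.com
old.example.com
EOF

# check_domains_file FILE: report lines that are not "-d <hostname>" and
# domains listed twice. Returns 1 on any problem, so it can gate the run.
check_domains_file() {
    problems=0
    bad=$(grep -n -v -E '^(-d [A-Za-z0-9.-]+)?$' "$1" || true)
    if [ -n "$bad" ]; then
        echo "malformed lines in $1:"; echo "$bad"; problems=1
    fi
    dups=$(sed -n 's/^-d //p' "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate domains in $1: $dups"; problems=1
    fi
    return $problems
}

# planned_changes DOMAINS_FILE CURRENT_FILE: "+domain" for each domain the
# new certificate would add, "-domain" for each it would drop. The -d list
# passed to certonly replaces the whole domain set, so a domain missing from
# domains.txt silently disappears from the renewed certificate.
planned_changes() {
    wanted=$(mktemp); current=$(mktemp)
    sed -n 's/^-d //p' "$1" | sort -u > "$wanted"
    sort -u "$2" > "$current"
    comm -23 "$wanted" "$current" | sed 's/^/+/'   # only in domains.txt
    comm -13 "$wanted" "$current" | sed 's/^/-/'   # only in current cert
    rm -f "$wanted" "$current"
}

# certonly_command DOMAINS_FILE CERT_NAME: print the command xargs would run,
# for review; drop the "echo" to run it for real (xargs reads the file from
# stdin here, which is portable; GNU xargs -a as used above does the same).
certonly_command() {
    xargs echo certbot-auto certonly --cert-name "$2" < "$1"
}

if check_domains_file "$WORK/domains.txt"; then
    planned_changes "$WORK/domains.txt" "$WORK/current.txt"
    certonly_command "$WORK/domains.txt" example.com
else
    echo "fix $WORK/domains.txt before running certbot-auto"
fi
```

Run as-is, the script stops at the duplicate ``sub1.example.com`` line. After
removing the duplicate, ``planned_changes`` shows ``sub1.example.com`` and
``sub2.example.com`` being added and ``old.example.com`` being dropped, which
is exactly the surprise the replacement semantics of ``certonly`` can cause
when a subdomain is forgotten in :file:`~/domains.txt`.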