====== Information ======
* Let's Encrypt ((https://letsencrypt.org))
* Certbot ((https://certbot.eff.org))
* [[Information:Realm of Espionage]]
===== Prerequisites =====
* [[linux:distros:server:fedora_server|Fedora Server]]
* [[servers;linux;nginx_php_php-fpm|nginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx then port 443/tcp likely needs to be opened and pre/post-hooks/service restarting changed))
====== Dependencies ======
****
sudo dnf install 'certbot'
====== Settings ======
* :!: Be sure to change the email address
* :!: Any new domains added need to be added to Namecheap as well
* ''must-staple = true'' is disabled due to being incompatible with Firefox ((last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018))
sudo mkdir -p '/etc/letsencrypt' && sudo -e '/etc/letsencrypt/cli-custom.ini'
verbose = true
text = true
non-interactive = true
standalone = true
force-renewal = true
agree-tos = true
##########
#CHANGEME#
##########
email = espionage724@x
##########
#CHANGEME#
##########
no-eff-email = true
rsa-key-size = 4096
redirect = true
hsts = true
uir = true
staple-ocsp = true
pre-hook = systemctl stop 'nginx'
post-hook = systemctl start 'nginx'
domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz
# End
====== Obtain Certs ======
* :!: If it passes the dry run, remove the dry-run argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))
sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
====== Automatic Cert Renewal ======
===== Disable Existing =====
****
sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'
===== Service =====
sudo -e '/etc/systemd/system/certbot-renew-custom.service'
[Service]
Type=oneshot
ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
ExecStartPost='/usr/bin/sync'
# End
===== Timer =====
sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
[Unit]
Description=Let's Encrypt Certificate Renewal
After=network-online.target
Wants=network-online.target
[Timer]
OnCalendar=weekly
Persistent=true
[Install]
WantedBy=multi-user.target
# End