====== Information ======
* Let's Encrypt ((https://letsencrypt.org/))
* Certbot ((https://certbot.eff.org/))
* [[information;realm_of_espionage|Realm of Espionage]]
===== Prerequisites =====
* [[windows;10_ltsc_server|Windows 10 (21H2)]]
* [[servers;windows;freenginx_php_php-cgi|freenginx]]
====== Install ======
===== Python =====
* https://www.python.org/downloads/windows/
* Last tested: ''python-3.14.3-amd64.exe'' ((2026/03/11: ''python-3.15.0a7-amd64.exe'' needed a Visual Studio build package for ''cffi'', which [[https://github.com/python-cffi/cffi/issues/23#issuecomment-1845861410|doesn't seem available pre-release]]; installing pre-selected VC build tools didn't work/likely needs more components))
* Install ''pip'' ((nothing else (admin, PATH, etc.) is required; the other options can be unchecked))
===== Certbot =====
"%LocalAppData%\Programs\Python\Python314\Scripts\pip.exe" install "certbot"
====== Settings ======
* https://eff-certbot.readthedocs.io/en/latest/using.html#certbot-command-line-options
* :!: Set ''email''
MKDIR "%SystemDrive%\www\certbot"
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\certbot\cli-custom.ini"
verbose = "true"
max-log-backups = "0"
text = "true"
non-interactive = "true"
standalone = "true"
force-renewal = "true"
agree-tos = "true"
########################################
email = espionage724@x
########################################
no-eff-email = "true"
rsa-key-size = "4096"
redirect = "true"
hsts = "true"
uir = "true"
staple-ocsp = "false"
key-type = "ecdsa"
elliptic-curve = "secp384r1"
domains = "realmofespionage.xyz, wiki.realmofespionage.xyz, media.realmofespionage.xyz, blog.realmofespionage.xyz, social.realmofespionage.xyz, forums.realmofespionage.xyz, status.realmofespionage.xyz, files.realmofespionage.xyz, test.realmofespionage.xyz"
# End
====== Obtain Certs ======
* :!: If it passes the dry run, remove the ''--dry-run'' argument and re-run
"%SystemRoot%\System32\netsh.exe" advfirewall firewall add rule name="Certbot (Standalone)" dir="in" action="allow" program="%LocalAppData%\Programs\Python\Python314\python.exe" protocol="tcp" localport="80"
"%LocalAppData%\Programs\Python\Python314\Scripts\certbot.exe" "certonly" --config "%SystemDrive%\www\certbot\cli-custom.ini" --dry-run
"%SystemRoot%\System32\netsh.exe" advfirewall firewall delete rule name="Certbot (Standalone)"
====== Scripts ======
MKDIR "%SystemDrive%\www\scripts\certbot"
"%SystemRoot%\explorer.exe" "%SystemDrive%\www\scripts\certbot"
===== Renewal =====
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\certbot\Renewal.bat"
@echo off
CD "%Temp%"
CALL "%SystemDrive%\www\scripts\certbot\Update.bat"
CALL "%SystemDrive%\www\scripts\nginx\Stop.bat"
TITLE Certbot Renewal
"%SystemRoot%\System32\netsh.exe" advfirewall firewall add rule name="Certbot (Standalone)" dir="in" action="allow" program="%LocalAppData%\Programs\Python\Python314\python.exe" protocol="tcp" localport="80"
"%LocalAppData%\Programs\Python\Python314\Scripts\certbot.exe" "certonly" --config "%SystemDrive%\www\certbot\cli-custom.ini" --quiet
"%SystemRoot%\System32\netsh.exe" advfirewall firewall delete rule name="Certbot (Standalone)"
CALL "%SystemDrive%\www\scripts\nginx\Start.bat"
:: End
"%SystemDrive%\www\scripts\certbot\Renewal.bat"
===== Update =====
"%SystemRoot%\System32\notepad.exe" "%SystemDrive%\www\scripts\certbot\Update.bat"
@echo off
TITLE Certbot Update
CD "%Temp%"
"%LocalAppData%\Programs\Python\Python314\python.exe" -m "pip" install --upgrade "pip" --quiet
"%LocalAppData%\Programs\Python\Python314\Scripts\pip.exe" install --upgrade "certbot" --quiet
:: End
"%SystemDrive%\www\scripts\certbot\Update.bat"
====== Task Scheduler ======
===== Renewal =====
* Weekly (Sunday) ''07:00:00 AM''
"%SystemRoot%\System32\schtasks.exe" /Create /SC "WEEKLY" /D "SUN" /TN "Certbot Renewal" /TR "%SystemDrive%\www\scripts\certbot\Renewal.bat" /ST "07:00" /F
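Added example (not part of the original notes, and not Certbot's own code): a check to run after the scheduled renewal, confirming that the served certificate covers every name on the ''domains'' line of ''cli-custom.ini'' and is not close to expiry. The sample domains, the sample certificate dict and the 21-day threshold are constructed assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the style of cli-custom.ini (hypothetical domains).
SAMPLE_INI = 'key-type = "ecdsa"\ndomains = "example.test, wiki.example.test, files.example.test"\n'
# Constructed sample shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun  9 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "wiki.example.test")),
}

def configured_domains(ini_text):
    """Return the names on the `domains = "a, b, c"` line of a Certbot ini."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "domains":
            return [d.strip() for d in value.strip().strip('"').split(",") if d.strip()]
    return []

def expiry_epoch(cert):
    """Convert the certificate's notAfter field to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])

def check_cert(cert, domains, now=None, min_days=21):
    """Report days until expiry and configured names absent from the SAN list.

    Exact-match only: wildcard SAN entries are not expanded (assumption that
    fits a config listing every host name explicitly).
    """
    now = time.time() if now is None else now
    days_left = int((expiry_epoch(cert) - now) // 86400)
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = [d for d in domains if d.lower() not in sans]
    return {"days_left": days_left, "missing": missing,
            "ok": days_left >= min_days and not missing}

def fetch_cert(host, port=443, timeout=10):
    """Fetch the validated certificate a live server presents (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Offline run against the constructed samples; swap in fetch_cert(host) for a live check.
    print(check_cert(SAMPLE_CERT, configured_domains(SAMPLE_INI)))
```

A result with ''ok'' set to ''False'' means the renewal either did not replace the certificate or issued it for fewer names than the config lists.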
====== TODO ======
===== ACME Clients =====
* https://letsencrypt.org/getting-started/#selecting-and-operating-an-acme-client-yourself
* https://letsencrypt.org/docs/client-options/#clients-windows-/-iis
* https://eff-certbot.readthedocs.io/en/stable/install.html#alternative-2-pip
* https://certifytheweb.com/
* https://simple-acme.com/