RoE | Wiki

User Tools

Site Tools

Trace: lets_encrypt samba
servers:bsd:nginx:lets_encrypt

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
servers:bsd:nginx:lets_encrypt [2024/11/30 11:32] – created Sean Rhoneservers:bsd:nginx:lets_encrypt [2025/08/27 22:45] (current) – [Obtain Certs] Sean Rhone
Line 7: Line 7:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]] +  * [[bsd:server:freebsd_14.3|FreeBSD 14.3]] 
-  * [[servers:bsd:freenginx_php_php-fpm|freenginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx then port 443/tcp likely needs to be opened and pre/post-hooks/service restarting changed))+  * [[servers:bsd:nginx_php_php-fpm|nginx + PHP + PHP-FPM]]
  
 ====== Dependencies ====== ====== Dependencies ======
  
-  su -l+  su -
  
   pkg install 'py311-certbot'   pkg install 'py311-certbot'
Line 18: Line 18:
 ====== Settings ====== ====== Settings ======
  
-  *  :!: Be sure to change the email address+  su -
  
-  su -+  mkdir -p '/usr/local/etc/letsencrypt' && ee '/usr/local/etc/letsencrypt/cli-custom.ini'
- +
-  ee '/usr/local/etc/letsencrypt/cli-custom.ini'+
  
 <code> <code>
Line 48: Line 46:
 hsts = true hsts = true
 uir = true uir = true
-staple-ocsp = true+staple-ocsp = false
  
-pre-hook = service 'nginx' stop +domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, wiki.realmofespionage.xyz
-post-hook = service 'nginx' start +
- +
-domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz+
  
 # End</code> # End</code>
Line 59: Line 54:
 ====== Obtain Certs ====== ====== Obtain Certs ======
  
-  * :!: If it passes the dry run, remove the dry-run argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))+  * :!: If it passes the dry run, remove the ''--dry-run'' argument and re-run
  
-  su -l+  su -
  
   certbot 'certonly' --config '/usr/local/etc/letsencrypt/cli-custom.ini' --dry-run   certbot 'certonly' --config '/usr/local/etc/letsencrypt/cli-custom.ini' --dry-run
  
-====== Automatic Cert Renewal ======+===== Temp Commands =====
  
-  * :!: Everything below TODO+===== Obtain Updated Certs =====
  
-===== Disable Existing =====+  * TODO: ''su - root -c'' one-shot
  
-****+  su -
  
-  sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'+  service 'nginxstop
  
-===== Service =====+  certbot 'certonly' --config '/usr/local/etc/letsencrypt/cli-custom.ini'
  
-  sudo -e '/etc/systemd/system/certbot-renew-custom.service'+  service 'nginx' start
  
-<code> +====== Automatic Cert Renewal ======
-[Service] +
-Type=oneshot +
-ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet +
-ExecStartPost='/usr/bin/sync'+
  
-# End</code> +  * TODO
- +
-===== Timer ===== +
- +
-  sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now +
- +
-<code> +
-[Unit] +
-Description=Let's Encrypt Certificate Renewal +
-After=network-online.target +
-Wants=network-online.target +
- +
-[Timer] +
-OnCalendar=weekly +
-Persistent=true +
- +
-[Install] +
-WantedBy=multi-user.target +
- +
-# End</code>+
  
/usr/local/www/wiki/data/attic/servers/bsd/nginx/lets_encrypt.1732984336.txt.gz · Last modified: by Sean Rhone