Differences

This shows you the differences between two versions of the page.

--- servers:bsd:nginx:lets_encrypt [2024/12/01 00:39] – Sean Rhone
+++ servers:bsd:nginx:lets_encrypt [2025/10/30 23:37] (current) – [Prerequisites] Sean Rhone
@@ Line 7: / Line 7: @@
 ===== Prerequisites =====
-  * [[bsd:server:freebsd_14.2|FreeBSD 14.2]]
+  * [[bsd:server:freebsd_15.0|FreeBSD 15.0]]
-  * [[servers:bsd:freenginx_php_php-fpm|freenginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx then port 443/tcp likely needs to be opened and pre/post-hooks/service restarting changed))
+  * [[servers:bsd:freenginx_php_php-fpm|freenginx]]
 ====== Dependencies ======
@@ Line 18: / Line 18: @@
 ====== Settings ======
-  *  :!: Be sure to change the email address
+  * :!: Set email
   su -
-  ee '/usr/local/etc/letsencrypt/cli-custom.ini'
+  mkdir -p '/usr/local/etc/letsencrypt' && ee '/usr/local/etc/letsencrypt/cli-custom.ini'
 <code>
@@ Line 32: / Line 32: @@
 agree-tos = true
-##########
+##################################################
-#CHANGEME#
-##########
 email = espionage724@x
+##################################################
-##########
-#CHANGEME#
-##########
 no-eff-email = true
@@ Line 48: / Line 42: @@
 hsts = true
 uir = true
-staple-ocsp = true
+staple-ocsp = false
-pre-hook = service 'nginx' stop
+domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, forums.realmofespionage.xyz, media.realmofespionage.xyz, wiki.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz
-post-hook = service 'nginx' start
-domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz
 # End</code>
@@ Line 59: / Line 50: @@
 ====== Obtain Certs ======
-  * :!: If it passes the dry run, remove the dry-run argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))
+  * :!: If it passes the dry run, remove the ''--dry-run'' argument and re-run
   su -
@@ Line 65: / Line 56: @@
   certbot 'certonly' --config '/usr/local/etc/letsencrypt/cli-custom.ini' --dry-run
-====== Automatic Cert Renewal ======
+====== Scripts ======
-  * :!: Everything below TODO
+===== Renewal =====
-===== Disable Existing =====
+  mkdir -p ~/'.local/scripts/www/certbot' && ee ~/'.local/scripts/www/certbot/certbot-renewal.sh' && chmod +x ~/'.local/scripts/www/certbot/certbot-renewal.sh'
-****
+<code>
+#!/bin/sh
-  sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'
+service 'nginx' stop
-===== Service =====
+certbot 'certonly' --config '/usr/local/etc/letsencrypt/cli-custom.ini' --quiet
-  sudo -e '/etc/systemd/system/certbot-renew-custom.service'
+service 'nginx' start
-<code>
-[Service]
-Type=oneshot
-ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
-ExecStartPost='/usr/bin/sync'
 # End</code>
-===== Timer =====
+  ~/'.local/scripts/www/certbot/certbot-renewal.sh'
-  sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
+  su 'root' -c ~/'.local/scripts/www/certbot/certbot-renewal.sh'
-<code>
+  ssh '192.168.1.152' -t "su 'root' -c ~/'.local/scripts/www/certbot/certbot-renewal.sh'"
-[Unit]
-Description=Let's Encrypt Certificate Renewal
-After=network-online.target
-Wants=network-online.target
-[Timer]
+====== Automatic Cert Renewal ======
-OnCalendar=weekly
-Persistent=true
-[Install]
+  * TODO
-WantedBy=multi-user.target
-# End</code>