servers:linux:nginx:lets_encrypt

Information

Prerequisites

Dependencies

sudo dnf install 'certbot'

Settings

  • :!: Be sure to change the email address
  • :!: Any new domains added need a DNS record at Namecheap as well, otherwise the HTTP-01 challenge for them fails
  • :!: redirect, hsts, uir and staple-ocsp are installer enhancements; with certonly and the standalone authenticator certbot never touches the nginx config, so they have no effect here and the equivalent directives have to be set in nginx itself
  • :!: force-renewal = true issues a fresh certificate on every run, not only when the current one is near expiry; one run per week stays inside Let's Encrypt's limit of 5 duplicate certificates per week, but extra manual runs count against that limit
  • must-staple = true is not set: with it, Firefox refuses the site whenever nginx fails to serve a stapled OCSP response 4)
sudo mkdir -p '/etc/letsencrypt' && sudo -e '/etc/letsencrypt/cli-custom.ini'
verbose = true
text = true
non-interactive = true
standalone = true
force-renewal = true
agree-tos = true

##########
#CHANGEME#
##########

email = espionage724@x

##########
#CHANGEME#
##########

no-eff-email = true

rsa-key-size = 4096
redirect = true
hsts = true
uir = true
staple-ocsp = true

pre-hook = systemctl stop 'nginx'
post-hook = systemctl start 'nginx'

domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz

# End

Obtain Certs

  • :!: --dry-run talks to the Let's Encrypt staging environment and writes nothing under /etc/letsencrypt/live; if it passes, remove the --dry-run argument and re-run 5)
sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
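A pre-flight check for cli-custom.ini plus a post-issuance check that the certificate actually covers every domain in the list, added here as an example; it is not certbot's own tooling and not part of this page's original procedure. It assumes the file keeps certbot's one-flag-per-line format, that openssl is on PATH for the optional SAN check, and the embedded SAMPLE_INI (admin@x, example.test) is constructed for illustration; the placeholder-email pattern is an assumption of this script.

```python
#!/usr/bin/env python3
"""Sanity-check a certbot cli.ini before running certonly, then confirm the
issued certificate covers every configured domain.

Added example for this page; not part of certbot. SAMPLE_INI is constructed
for illustration and cert_sans() assumes `openssl` on PATH.
"""
import re
import subprocess
import sys

# Enhancement flags applied by an installer plugin (e.g. --nginx). With
# `certonly` and the standalone authenticator certbot never edits the web
# server config, so these are silently ignored.
INSTALLER_ONLY = {"redirect", "hsts", "uir", "staple-ocsp"}

# Heuristic for an email never changed from a placeholder (assumption).
PLACEHOLDER_RE = re.compile(r"@x$|@example\.|CHANGEME", re.IGNORECASE)

# Constructed sample in certbot's cli.ini format (flag = value, no sections).
SAMPLE_INI = """\
standalone = true
force-renewal = true
email = admin@x
redirect = true
hsts = true
domains = example.test, www.example.test
"""


def parse_cli_ini(text):
    """Parse certbot's cli.ini: one `flag = value` per line, `#` comments, no sections."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def domains_from(opts):
    """Comma-separated `domains` value as an ordered, lower-cased list."""
    return [d.strip().lower() for d in opts.get("domains", "").split(",") if d.strip()]


def lint(opts):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    email = opts.get("email", "")
    if not email or PLACEHOLDER_RE.search(email):
        findings.append("email: missing or placeholder; expiry warnings from Let's Encrypt go there")
    ignored = sorted(INSTALLER_ONLY & set(opts))
    if ignored and opts.get("standalone") == "true":
        findings.append("ignored with certonly + standalone, set them in nginx instead: " + ", ".join(ignored))
    if opts.get("force-renewal") == "true":
        findings.append("force-renewal: every run issues a new cert and counts toward the 5/week duplicate-certificate limit")
    if opts.get("must-staple") == "true":
        findings.append("must-staple: Firefox rejects the site unless nginx serves a stapled OCSP response")
    if not domains_from(opts):
        findings.append("domains: none configured")
    return findings


def cert_sans(pem_path):
    """DNS names from the certificate's subjectAltName (shells out to openssl)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    return re.findall(r"DNS:([^,\s]+)", out)


def san_gaps(configured, sans):
    """Configured domains the certificate does not cover (case-insensitive)."""
    covered = {s.lower() for s in sans}
    return [d for d in configured if d not in covered]


if __name__ == "__main__":
    # usage: check.py [cli-custom.ini [fullchain.pem]]; no args lints SAMPLE_INI
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    opts = parse_cli_ini(text)
    for finding in lint(opts):
        print("WARN:", finding)
    if len(sys.argv) > 2:
        for missing in san_gaps(domains_from(opts), cert_sans(sys.argv[2])):
            print("MISSING SAN:", missing)
```

Run it against /etc/letsencrypt/cli-custom.ini before the dry run, and again with the path to the issued fullchain.pem afterwards; a domain reported as MISSING SAN means the list in the config and the certificate on disk have drifted apart, which is exactly the failure the weekly force-renewal otherwise hides.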

Automatic Cert Renewal

Disable Existing

sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'

Service

sudo -e '/etc/systemd/system/certbot-renew-custom.service'
[Unit]
Description=Let's Encrypt Certificate Renewal (custom config)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
ExecStartPost='/usr/bin/sync'

# End

Timer

sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
[Unit]
Description=Let's Encrypt Certificate Renewal
After=network-online.target
Wants=network-online.target

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target

# End
3)
Certbot doesn't strictly require nginx; without it, port 80/tcp must be reachable from the internet (the standalone authenticator answers the HTTP-01 challenge there), and the pre/post-hooks and the service they stop and start need to be changed to match
4)
last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018
5)
the dry run will likely fail at the post-hook: the nginx config references certificate files that a dry run does not create, so nginx refuses to start again
/usr/local/www/wiki/data/pages/servers/linux/nginx/lets_encrypt.txt · Last modified: by Sean Rhone