servers:linux:nginx:lets_encrypt
Information
Prerequisites
Dependencies
sudo dnf install 'certbot'
Settings
- Be sure to change the email address
- Any new domains added here must also have DNS records created at Namecheap, or validation will fail
- must-staple = true is disabled due to being incompatible with Firefox 4)
sudo mkdir -p '/etc/letsencrypt' && sudo -e '/etc/letsencrypt/cli-custom.ini'
verbose = true
text = true
non-interactive = true
standalone = true
force-renewal = true
agree-tos = true
##########
#CHANGEME#
##########
email = espionage724@x
##########
#CHANGEME#
##########
no-eff-email = true
rsa-key-size = 4096
redirect = true
hsts = true
uir = true
staple-ocsp = true
pre-hook = systemctl stop 'nginx'
post-hook = systemctl start 'nginx'
domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz
# End
Obtain Certs
- If the dry run passes, remove the --dry-run argument and re-run 5)
sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
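Before running certbot against the real config it is worth linting the file for the mistakes the notes above warn about: a CHANGEME email left in place, a domain listed that is not yet in DNS, must-staple switched back on, or a missing hook that would leave nginx holding the validation port. The script below is an added example, not part of the wiki page or of certbot; it parses certbot's cli.ini format (one key = value per line, # comment lines, bare keys as flags) with only the standard library. The two sample configs, the example.org names and the DNS_ZONE set standing in for the Namecheap zone are all constructed here.

```python
import re

# Constructed sample inputs (not the wiki's file). The first still carries the
# placeholder email, a weak key size, must-staple re-enabled and a domain that
# is not in DNS; the second is ready for `certbot certonly --config ...`.
UNEDITED_INI = """\
standalone = true
agree-tos = true
##########
#CHANGEME#
##########
email = CHANGEME@example.invalid
rsa-key-size = 1024
must-staple = true
pre-hook = systemctl stop 'nginx'
domains = example.org, blog.example.org, new.example.org
"""

READY_INI = """\
standalone = true
agree-tos = true
email = admin@example.org
rsa-key-size = 4096
staple-ocsp = true
pre-hook = systemctl stop 'nginx'
post-hook = systemctl start 'nginx'
domains = example.org, blog.example.org
"""

# Constructed stand-in for the names that actually exist at the registrar.
DNS_ZONE = {"example.org", "blog.example.org"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def parse_certbot_ini(text):
    """Parse certbot's cli.ini format: `key = value` per line, lines starting
    with # or ; are comments, a bare key is a boolean flag, and a repeated key
    keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else "true"
    return settings


def split_domains(value):
    """Turn certbot's comma-separated `domains` value into a list of names."""
    return [d.strip() for d in value.split(",") if d.strip()]


def lint(settings, dns_zone):
    """Return a list of problems found; an empty list means the config is ready."""
    problems = []
    email = settings.get("email", "")
    if not EMAIL_RE.match(email) or "CHANGEME" in email.upper():
        problems.append(f"email: replace the placeholder ({email!r})")
    if settings.get("agree-tos") != "true":
        problems.append("agree-tos: must be true for a non-interactive run")
    try:
        if int(settings.get("rsa-key-size", "2048")) < 2048:
            problems.append("rsa-key-size: below 2048 bits")
    except ValueError:
        problems.append("rsa-key-size: not an integer")
    if settings.get("must-staple") == "true":
        problems.append("must-staple: enabled, but the page keeps it off for browser compatibility")
    domains = split_domains(settings.get("domains", ""))
    if not domains:
        problems.append("domains: none listed")
    for name in domains:
        if name not in dns_zone:
            problems.append(f"domains: {name} is not in DNS yet, so validation will fail")
    if settings.get("standalone") == "true":
        # standalone binds the validation port itself, which is why the page
        # stops nginx in pre-hook and starts it again in post-hook
        for hook in ("pre-hook", "post-hook"):
            if hook not in settings:
                problems.append(f"{hook}: missing; standalone needs nginx stopped and restarted around the run")
    return problems


if __name__ == "__main__":
    for label, text in (("unedited", UNEDITED_INI), ("ready", READY_INI)):
        findings = lint(parse_certbot_ini(text), DNS_ZONE)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file with `lint(parse_certbot_ini(open('/etc/letsencrypt/cli-custom.ini').read()), zone)` where `zone` is the set of names you have actually created at the registrar; an empty result is the point at which the dry run above is worth starting.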
Automatic Cert Renewal
Disable Existing
sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'
Service
sudo -e '/etc/systemd/system/certbot-renew-custom.service'
[Service]
Type=oneshot
ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
ExecStartPost='/usr/bin/sync'
# End
Timer
sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
[Unit]
Description=Let's Encrypt Certificate Renewal
After=network-online.target
Wants=network-online.target

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=multi-user.target
# End
3) Certbot doesn't necessarily require nginx; if not using nginx, port 443/tcp likely needs to be opened and the pre/post-hooks and service restarting changed
4) last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018
5) the dry run will likely fail at the nginx restart step since the certs don't actually exist yet
/usr/local/www/wiki/data/pages/servers/linux/nginx/lets_encrypt.txt · Last modified: by Sean Rhone