servers:nginx:lets_encrypt

servers:nginx:lets_encrypt [2018/12/08 16:29] – [Timer] Sean Rhone
servers:nginx:lets_encrypt [2019/06/28 17:14] Sean Rhone
Line 1: Line 1:
 +====== Information ======
  
 +  * Let's Encrypt ((https://letsencrypt.org))
 +  * [[Information:Realm of Espionage]]
 +
 +===== Prerequisites =====
 +
 +  * [[distros:fedora_server|Fedora Server]]
 +  * [[servers:nginx_php_php-fpm | nginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx, then port 443/tcp is likely needed to be opened and pre/post-hooks/service restarting changed))
 +
 +====== Dependencies ======
 +
 +****
 +
 +  sudo dnf install 'certbot'
 +
 +====== Settings ======
 +
 +  *  :!: Be sure to change the email address
 +  * :!: Any new domains added need to be added to Namecheap as well
 +  * ''must-staple = true'' is disabled due to being incompatible with Firefox ((last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018))
 +
 +  sudo -e '/etc/letsencrypt/cli-custom.ini'
 +
 +<code>
 +verbose = true
 +text = true
 +non-interactive = true
 +standalone = true
 +force-renewal = true
 +agree-tos = true
 +
 +email = espionage724@x
 +no-eff-email = true
 +
 +rsa-key-size = 4096
 +redirect = true
 +hsts = true
 +uir = true
 +staple-ocsp = true
 +
 +pre-hook = systemctl stop 'nginx'
 +post-hook = systemctl start 'nginx'
 +
 +domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz</code>
 +
 +====== Obtain Certs ======
 +
 +  * :!: If it passes the dry run, remove the argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))
 +
 +  sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
 +
 +====== Automatic Cert Renewal ======
 +
 +===== Service =====
 +
 +  sudo -e '/etc/systemd/system/certbot-renew-custom.service'
 +
 +<code>
 +[Service]
 +Type=oneshot
 +ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
 +ExecStartPost='/bin/sync'</code>
 +
 +===== Timer =====
 +
 +  sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
 +
 +<code>
 +[Unit]
 +Description=Let's Encrypt Certificate Renewal
 +After=network-online.target
 +Wants=network-online.target
 +
 +[Timer]
 +OnCalendar=weekly
 +Persistent=true
 +
 +[Install]
 +WantedBy=multi-user.target</code>
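Review bot: `force-renewal = true` in cli-custom.ini, combined with the weekly timer and `ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet`, means every timer run issues a brand-new certificate whether or not the current one is anywhere near expiry, and because `standalone = true` is paired with `pre-hook = systemctl stop 'nginx'`, nginx is taken down for the duration of every weekly run. Suggest dropping `force-renewal` from the ini (pass `--force-renewal` on the command line only when a reissue is actually wanted) and having the service run `certbot renew --config '/etc/letsencrypt/cli-custom.ini'` instead, which only reissues inside the renewal window and only then fires the stop/start hooks; each forced issuance also counts against Let's Encrypt's duplicate-certificate rate limit, so the manual re-run after the dry run plus the timer can use it up. Two smaller points: `redirect`, `hsts`, `uir` and `staple-ocsp` are installer enhancements that `certonly` does not apply to the nginx configuration, so the Settings section should note they are inert here (or the matching nginx directives should be added by hand), and `verbose = true` in the ini contradicts `--quiet` on the service's command line. The timer's `WantedBy=multi-user.target` works, but `timers.target` is the conventional target for timer units.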
/var/www/wiki/data/pages/servers/nginx/lets_encrypt.txt · Last modified: 2024/02/07 16:00 by Sean Rhone