servers:nginx:lets_encrypt

servers:nginx:lets_encrypt [2018/12/08 16:29] – [Timer] Sean Rhoneservers:nginx:lets_encrypt [2019/06/28 17:15] – Change back to Fedora Server Sean Rhone
Line 1: Line 1:
 +====== Information ======
  
 +  * Let's Encrypt ((https://letsencrypt.org))
 +  * Certbot ((https://certbot.eff.org))
 +  * [[Information:Realm of Espionage]]
 +
 +===== Prerequisites =====
 +
 +  * [[distros:fedora_server|Fedora Server]]
 +  * [[servers:nginx_php_php-fpm | nginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx, then port 443/tcp is likely needed to be opened and pre/post-hooks/service restarting changed))
 +
 +====== Dependencies ======
 +
 +****
 +
 +  sudo dnf install 'certbot'
 +
 +====== Settings ======
 +
 +  *  :!: Be sure to change the email address
 +  * :!: Any new domains added need to be added to Namecheap as well
 +  * ''must-staple = true'' is disabled due to being incompatible with Firefox ((last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018))
 +
 +  sudo -e '/etc/letsencrypt/cli-custom.ini'
 +
 +<code>
 +verbose = true
 +text = true
 +non-interactive = true
 +standalone = true
 +force-renewal = true
 +agree-tos = true
 +
 +email = espionage724@x
 +no-eff-email = true
 +
 +rsa-key-size = 4096
 +redirect = true
 +hsts = true
 +uir = true
 +staple-ocsp = true
 +
 +pre-hook = systemctl stop 'nginx'
 +post-hook = systemctl start 'nginx'
 +
 +domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz</code>
 +
 +====== Obtain Certs ======
 +
 +  * :!: If it passes the dry run, remove the argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))
 +
 +  sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
 +
 +====== Automatic Cert Renewal ======
 +
 +===== Service =====
 +
 +  sudo -e '/etc/systemd/system/certbot-renew-custom.service'
 +
 +<code>
 +[Service]
 +Type=oneshot
 +ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
 +ExecStartPost='/bin/sync'</code>
 +
 +===== Timer =====
 +
 +  sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
 +
 +<code>
 +[Unit]
 +Description=Let's Encrypt Certificate Renewal
 +After=network-online.target
 +Wants=network-online.target
 +
 +[Timer]
 +OnCalendar=weekly
 +Persistent=true
 +
 +[Install]
 +WantedBy=multi-user.target</code>
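Review bot: `force-renewal = true` in the cli-custom.ini block, together with the `OnCalendar=weekly` timer that runs `certbot certonly` against that same config, reissues the certificate for all seven listed domains every week rather than renewing only when it approaches expiry; that counts against Let's Encrypt's duplicate-certificate rate limit for no benefit and, because of `pre-hook = systemctl stop 'nginx'`, also takes nginx offline on every scheduled run. Suggest dropping `force-renewal = true` from the ini (certbot then renews only certificates inside their renewal window) or, if a forced reissue is ever wanted, passing `--force-renewal` by hand instead of baking it into the scheduled job. Separately, `redirect = true`, `hsts = true`, `uir = true` and `staple-ocsp = true` are installer enhancements: with `certonly` and `standalone = true` no installer runs, so those lines have no effect and the HTTP-to-HTTPS redirect, HSTS header and OCSP stapling have to be configured in the nginx server blocks themselves.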
/var/www/wiki/data/pages/servers/nginx/lets_encrypt.txt · Last modified: 2024/02/07 16:00 by Sean Rhone