Differences

This shows you the differences between two versions of the page.

--- servers:nginx:lets_encrypt [2023/08/27 15:31] – Fedora Server -> openSUSE TW Sean Rhone
+++ servers:nginx:lets_encrypt [2024/02/07 16:00] (current) – old revision restored (2024/01/02 14:06) Sean Rhone
@@ Line 1: / Line 1: @@
+====== Information ======
+  * Let's Encrypt ((https://letsencrypt.org))
+  * Certbot ((https://certbot.eff.org))
+  * [[Information:Realm of Espionage]]
+===== Prerequisites =====
+  * [[distros:fedora_server|Fedora Server]]
+  * [[servers:nginx_php_php-fpm|nginx + PHP + PHP-FPM]] ((Certbot doesn't necessarily require nginx; if not using nginx, then port 443/tcp is likely needed to be opened and pre/post-hooks/service restarting changed))
+====== Dependencies ======
+****
+  sudo dnf install 'certbot'
+====== Settings ======
+  *  :!: Be sure to change the email address
+  * :!: Any new domains added need to be added to Namecheap as well
+  * ''must-staple = true'' is disabled due to being incompatible with Firefox ((last tested 2019/06/28 with Firefox 67.0.4; it didn't work; likely a config error on my part since this hasn't worked at all since 2018))
+  sudo mkdir -p '/etc/letsencrypt' && sudo -e '/etc/letsencrypt/cli-custom.ini'
+<code>
+verbose = true
+text = true
+non-interactive = true
+standalone = true
+force-renewal = true
+agree-tos = true
+##########
+#CHANGEME#
+##########
+email = espionage724@x
+##########
+#CHANGEME#
+##########
+no-eff-email = true
+rsa-key-size = 4096
+redirect = true
+hsts = true
+uir = true
+staple-ocsp = true
+pre-hook = systemctl stop 'nginx'
+post-hook = systemctl start 'nginx'
+domains = realmofespionage.xyz, blog.realmofespionage.xyz, files.realmofespionage.xyz, media.realmofespionage.xyz, social.realmofespionage.xyz, test.realmofespionage.xyz, wiki.realmofespionage.xyz, wow.realmofespionage.xyz
+# End</code>
+====== Obtain Certs ======
+  * :!: If it passes the dry run, remove the dry-run argument and re-run ((the dry run will likely fail the nginx restart step since the certs don't actually exist yet))
+  sudo 'certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --dry-run
+====== Automatic Cert Renewal ======
+===== Disable Existing =====
+****
+  sudo systemctl disable --now 'certbot-renew' 'certbot-renew.timer'
+===== Service =====
+  sudo -e '/etc/systemd/system/certbot-renew-custom.service'
+<code>
+[Service]
+Type=oneshot
+ExecStart='/usr/bin/certbot' 'certonly' --config '/etc/letsencrypt/cli-custom.ini' --quiet
+ExecStartPost='/usr/bin/sync'
+# End</code>
+===== Timer =====
+  sudo -e '/etc/systemd/system/certbot-renew-custom.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'certbot-renew-custom.timer' --now
+<code>
+[Unit]
+Description=Let's Encrypt Certificate Renewal
+After=network-online.target
+Wants=network-online.target
+[Timer]
+OnCalendar=weekly
+Persistent=true
+[Install]
+WantedBy=multi-user.target
+# End</code>