update certbot instructions

This commit is contained in:
Miraty 2024-02-10 17:48:40 +01:00
parent b748304c65
commit a62f948d02


@ -153,14 +153,22 @@ certbot register --no-eff-email
certbot register --no-eff-email --test-cert
```
Copy and adapt `certbot.ini` in `/etc/letsencrypt/cli.ini`
Copy and adapt `certbot.ini` in `/etc/letsencrypt/servnest.ini`
Install the Certbot deploy hook:
```shell
cp certbot-deploy-hook.sh /root/certbot-deploy-hook.sh
cp certbot-deploy-hook.sh /root/
chmod +x /root/certbot-deploy-hook.sh
```
Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge).
```shell
cp certbot-dns-challenge-hook.sh /root/
cp certbot-dns-cleanup-hook.sh /root/
chmod +x /root/certbot-dns-challenge-hook.sh /root/certbot-dns-cleanup-hook.sh
certbot certonly --manual -d "*.ht.servnest.example" --non-interactive --manual-auth-hook /root/certbot-dns-challenge-hook.sh --manual-cleanup-hook /root/certbot-dns-cleanup-hook.sh
```
### nginx
nginx is used for 2 purposes:
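Review bot: the new wildcard `certbot certonly --manual` command does not pass `--config "/etc/letsencrypt/servnest.ini"`, even though this same change moves the settings file from `/etc/letsencrypt/cli.ini` (which certbot reads automatically) to `/etc/letsencrypt/servnest.ini` (which it does not), so the wildcard issuance silently runs without whatever options that file sets. Add `--config "/etc/letsencrypt/servnest.ini"` to that command so it matches the other `certonly` invocations. It would also help to add one sentence on what `certbot-dns-challenge-hook.sh` and `certbot-dns-cleanup-hook.sh` require in order to update the zone, since they replace the manual record editing and the reader now copies two scripts into `/root/` without knowing their prerequisites.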
@ -188,16 +196,10 @@ This configuration listens on `[::1]:42443`, `127.0.0.1:42443`, `[::1]:42080` an
Once this configuration is put in place, replace self-signed certificates by Let's Encrypt certificates:
```shell
certbot certonly -d "ht.servnest.example"
certbot certonly -d "servnest.example"
certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "ht.servnest.example"
certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "servnest.example"
```
Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). The following command asks to setup a DNS record, this can be done by editing `/srv/servnest/reg/servnest.example` then reload configuration using `knotc zone-reload servnest.example`.
```shell
certbot certonly --manual -d "*.ht.servnest.example"
```
This method also requires manual operations for renewal.
The nginx configuration provided above uses the self-signed key pair at the locations set in the `openssl` command above. Replace those by the ones Certbot told you and reload nginx configuration.
Allow nginx to access certificates:
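Review bot: the removed paragraph was the only place that told the reader the wildcard certificate needed manual steps at renewal (`This method also requires manual operations for renewal.`); now that the wildcard procedure has moved out of this section, add a sentence stating whether renewal of `*.ht.servnest.example` is automatic with the hooks or still needs intervention, and how to verify it (for example `certbot renew --dry-run`). The `--config` additions themselves are correct and consistent across both `certonly` commands.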
@ -210,7 +212,7 @@ chown root:nginx /etc/letsencrypt/archive/ /etc/letsencrypt/live/
### Apache HTTP Server
Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt these instructions as appropriate.
Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt the following instructions as appropriate.
Apache configuration is inside the `apache/` directory. It runs Apache inside a chroot, though it is not required by the ServNest design. Some paths may need adaptation according to the distribution used (e.g. modules or logs).