update certbot instructions

This commit is contained in:
Miraty 2024-02-10 17:48:40 +01:00
parent b748304c65
commit a62f948d02

View file

@ -153,14 +153,22 @@ certbot register --no-eff-email
certbot register --no-eff-email --test-cert certbot register --no-eff-email --test-cert
``` ```
Copy and adapt `certbot.ini` in `/etc/letsencrypt/cli.ini` Copy and adapt `certbot.ini` in `/etc/letsencrypt/servnest.ini`
Install the Certbot deploy hook: Install the Certbot deploy hook:
```shell ```shell
cp certbot-deploy-hook.sh /root/certbot-deploy-hook.sh cp certbot-deploy-hook.sh /root/
chmod +x /root/certbot-deploy-hook.sh chmod +x /root/certbot-deploy-hook.sh
``` ```
Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge).
```shell
cp certbot-dns-challenge-hook.sh /root/
cp certbot-dns-cleanup-hook.sh /root/
chmod +x /root/certbot-dns-challenge-hook.sh /root/certbot-dns-cleanup-hook.sh
certbot certonly --manual -d "*.ht.servnest.example" --non-interactive --manual-auth-hook /root/certbot-dns-challenge-hook.sh --manual-cleanup-hook /root/certbot-dns-cleanup-hook.sh
```
### nginx ### nginx
nginx is used for 2 purposes: nginx is used for 2 purposes:
@ -188,16 +196,10 @@ This configuration listens on `[::1]:42443`, `127.0.0.1:42443`, `[::1]:42080` an
Once this configuration is put in place, replace self-signed certificates by Let's Encrypt certificates: Once this configuration is put in place, replace self-signed certificates by Let's Encrypt certificates:
```shell ```shell
certbot certonly -d "ht.servnest.example" certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "ht.servnest.example"
certbot certonly -d "servnest.example" certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "servnest.example"
``` ```
Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). The following command asks to setup a DNS record, this can be done by editing `/srv/servnest/reg/servnest.example` then reload configuration using `knotc zone-reload servnest.example`.
```shell
certbot certonly --manual -d "*.ht.servnest.example"
```
This method also requires manual operations for renewal.
The nginx configuration provided above uses the self-signed key pair at the locations set in the `openssl` command above. Replace those by the ones Certbot told you and reload nginx configuration. The nginx configuration provided above uses the self-signed key pair at the locations set in the `openssl` command above. Replace those by the ones Certbot told you and reload nginx configuration.
Allow nginx to access certificates: Allow nginx to access certificates:
@ -210,7 +212,7 @@ chown root:nginx /etc/letsencrypt/archive/ /etc/letsencrypt/live/
### Apache HTTP Server ### Apache HTTP Server
Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt these instructions as appropriate. Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt the following instructions as appropriate.
Apache configuration is inside the `apache/` directory. It runs Apache inside a chroot, though it is not required by the ServNest design. Some paths may need adaptation according to the distribution used (e.g. modules or logs). Apache configuration is inside the `apache/` directory. It runs Apache inside a chroot, though it is not required by the ServNest design. Some paths may need adaptation according to the distribution used (e.g. modules or logs).