Difference between revisions of "Certbot"

From wikieduonline
Jump to navigation Jump to search
 
(59 intermediate revisions by the same user not shown)
Line 1: Line 1:
<code>certbot</code><ref>https://certbot.eff.org/docs/intro.html</ref> is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the [[ACME]] protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.
+
<code>certbot</code><ref>https://certbot.eff.org/docs/intro.html</ref> is a fully-featured, extensible client for the [[Let’s Encrypt]] [[CA]] (or any other CA that speaks the [[ACME]] protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.
  
* <code>apt install certbot</code>
 
  
 +
== Installation ==
 +
* Ubuntu: <code>[[apt install]] certbot</code>
 +
* [[macOS]]: <code>[[brew install]] certbot</code>
  
[[Ubuntu]]:
+
You can additionally install [[Plugins (certbot)|certbot plugins]]:
* Binaries: <code>certbot</code> and <code>letscrypt</code>
+
* <code>python3-certbot-apache</code>
* Renewals configuration: <code>/etc/cron.d/certbot</code>
+
* <code>python3-certbot-dns-cloudflare</code>
 +
* <code>[[python3-certbot-dns-digitalocean]]</code>
 +
* <code>[[python3-certbot-dns-dnsimple]]</code>
 +
* <code>python3-certbot-dns-google</code>
 +
* <code>python3-certbot-dns-rfc2136</code>
 +
* <code>python3-certbot-dns-route53</code>
 +
* <code>[[python3-certbot-nginx]]</code>
 +
 
 +
== [[Ubuntu]] files ==
 +
* Binaries: <code>certbot</code> and <code>[[letscrypt]]</code>
 +
* Configuration files:
 +
::<code>[[/etc/letsencrypt/]]</code>
 +
::<code>[[/etc/letsencrypt/renewal/]]</code>
 +
* Renewals configuration: <code>/etc/cron.d/certbot]]</code>
 +
* Logs: <code>[[/var/log/letsencrypt/letsencrypt.log]]</code>
  
 
== Examples ==
 
== Examples ==
To request a certificate:
 
* Stop your webserver: <code>systemctl nginx stop</code>
 
* <code>certbot certonly --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com</code>
 
* <code>certbot certonly --standalone --agree-tos --preferred-challenges dns -d *.YOUR_DOMAIN_NAME.com</code>
 
  
 +
* <code>[[certbot (command)|certbot]] -d YOUR_DOMAIN_NAME.com --manual --[[preferred-challenges]] [[dns]] [[certonly]]</code>
  
  
<code>[[nginx.conf]]</code>
+
Create a wildcard certificate:
:<code>[[ssl_certificate]]     /etc/letsencrypt/live/www.example.com/fullchain.pem;</code>
+
[[certbot (command)|certbot]] -d *.YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly
:<code>ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;</code>
+
 
  
  
 +
=== Request a certificate ===
 +
* List certificates: <code>[[certbot certificates]]</code>
 +
* <code>[[certbot renew]]</code>
 +
* <code>[[certbot renew --force-renewal]]</code>
 +
* <code>[[certbot delete]] --cert-name YOUR_CERT_NAME</code>
 +
* Changing a Certificdate's Domain<ref>https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains</ref>: <code>certbot certonly --cert-name example.com -d example.org,www.example.org</code>
 +
* Automated renewals: <code>[[systemctl list-timers]]</code>
  
  
 +
* Stop your webserver:
 +
: <code>[[systemctl]] stop nginx</code>
 +
* <code>[[certbot certonly]] --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com</code>
 +
 +
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an [[authenticator plugin]] that can do challenges over DNS.
  
<code>certonly --standalone</code>
 
  
<pre>
+
* <code>certbot certonly --standalone --agree-tos --preferred-challenges [[dns]] -d *.YOUR_DOMAIN_NAME.com</code> (You will be asked for information)
certbot --nginx
+
None of the preferred challenges are supported by the selected plugin
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
The requested nginx plugin does not appear to be installed
 
</pre>
 
  
<pre>
 
certbot certificates
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
No certs found.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
</pre>
 
  
<pre>
+
<code>[[nginx.conf]]</code>
certbot renew
+
:<code>[[ssl_certificate]]    /etc/letsencrypt/live/www.example.com/fullchain.pem;</code>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
+
:<code>ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;</code>
  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
:<code>openssl x509 -text -noout -in cert.pem</code>
  
No renewals were attempted.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
</pre>
 
  
<pre>
 
certbot delete --cert-name YOUR_CERT_NAME
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
<code>certbot certonly --standalone</code>
Deleted all files relating to certificate YOUR_CERT_NAME.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
</pre>
 
  
 +
 +
[[certbot --nginx]]
 +
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 +
The requested nginx plugin does not appear to be installed
  
* Changing a Certificdate's Domain<ref>https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains</ref>: <code>certbot certonly --cert-name example.com -d example.org,www.example.org</code>
 
* Automated renewals: <code>[[systemctl list-timers]]</code>
 
  
 
== Activities ==
 
== Activities ==
 
* Read <code>certbot</code> [[certbot changelog]]: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md
 
* Read <code>certbot</code> [[certbot changelog]]: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md
 +
* <code>[[certbot renew]]</code>
 +
* [[Certbot renew configuration examples]]
 +
* [[acme.sh]]
  
 
== See also ==
 
== See also ==
* {{HTTPS}}
+
* {{certbot cmd}}
 +
* {{certbot}}
 
* {{CA}}
 
* {{CA}}
* {{DNS}}
 
  
 
[[Category:IT Security]]
 
[[Category:IT Security]]

Latest revision as of 09:34, 2 June 2022

certbot[1] is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.


Installation[edit]

You can additionally install certbot plugins:

Ubuntu files[edit]

  • Binaries: certbot and letscrypt
  • Configuration files:
/etc/letsencrypt/
/etc/letsencrypt/renewal/

Examples[edit]


Create a wildcard certificate:

certbot -d *.YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly


Request a certificate[edit]


  • Stop your webserver:
systemctl stop nginx
  • certbot certonly --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.


  • certbot certonly --standalone --agree-tos --preferred-challenges dns -d *.YOUR_DOMAIN_NAME.com (You will be asked for information)
None of the preferred challenges are supported by the selected plugin


nginx.conf

ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
openssl x509 -text -noout -in cert.pem


certbot certonly --standalone


certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed


Activities[edit]

See also[edit]

  • https://certbot.eff.org/docs/intro.html
  • https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains
  • Advertising: