====== Let's Encrypt Certbot ======
The following walk through works on Debian 9, 10, and 11.

===== Installation =====
  - Install snapd<code>sudo apt update
sudo apt install snapd
sudo snap install core
sudo snap refresh core</code>
  - Remove previously installed certbot packages<code>sudo apt remove --purge certbot
sudo rm /usr/local/bin/certbot-auto</code>
  - Remove certbot renewal entry in crontab
  - Install certbot through snap<code>sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot</code>
  - Test automatic renewal<code>sudo certbot renew --dry-run</code>
  - Check that the certbot renewal service has been set up<code>systemctl list-timers</code>

===== Maintenance =====
  * If you have existing SSL VirtualHost definitions you need to copy a certificate from another site or webserver to /etc/letsencrypt/live and point the certificate in the virtual host file to that certificate before starting/restarting apache. This is necessary for certbot to run, and certbot will later replace the certificate with a valid one.
  * Run certbot and register sites:<code>certbot</code>
  * Check certificates:<code>certbot certificates</code>
  * Add domains to certificate:<code>certbot --expand -d example.com,www.example.com,click.example.com
certbot certonly --webroot --agree-tos -w /srv/www/letsencrypt/ --expand -d example.com,www.example.com,click.example.com</code>
  * Revoke and optionally delete certificate:<code>certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem</code>
  * Delete certificate:<code>certbot delete --cert-name www.example.com</code>
  * Delete listed domains:<code>certbot delete</code>
  * Remove and/or add domains from existing certificate:<code>certbot certonly --force-renew --cert-name mycertificate.com -d remove.mycertificate.com -d add.mycertificate.com</code>
  * Remove domain from certificate:
    - Delete certificate where domain is listed in
    - Change all apache conf files for the remaining domains in the deleted certificate to another certificate which is active
    - Recreate the certificate for the remaining domains<code>certbot -d example.com -d example.net</code> 
  * All sites must be accessible through port 80 when renewing certificates.

===== Disable =====
  * Comment the 2 //OnCalendar// lines in file ''/etc/systemd/system/snap.certbot.renew.timer'' which removes the times set when certbot is called<code>$ sudo vim /etc/systemd/system/snap.certbot.renew.timer
[Timer]
Unit=snap.certbot.renew.service
# OnCalendar=*-*-* 08:46
# OnCalendar=*-*-* 15:37</code>

===== OUTDATED: Crontab =====
  * Root<code>$ sudo crontab -e
35 3 * * 6 certbot renew && /etc/init.d/apache2 restart</code>

==== Links ====
  * [[https://certbot.eff.org/instructions?ws=apache&os=debianbuster|certbot instructions: Apache on Debian 10]]
  * [[https://eff-certbot.readthedocs.io/en/stable/uninstall.html|Uninstalling certbot-auto]]
  * [[https://github.com/certbot/certbot/issues/8555|How do I disable auto-renew without removing config files?]]
  * [[https://docs.digitalocean.com/products/networking/load-balancers/#lets-encrypt-ssl-certificates|Load Balancers]]