Differences

This shows you the differences between two versions of the page.

deb11:certbot [2021/12/24 13:18] Bernard Condrau
deb11:certbot [2023/03/06 11:32] – [Maintenance] Bernard Condrau
Line 1: Line 1:
-====== Certbot ======+====== Let's Encrypt Certbot ====== 
 +The following walk through works on Debian 9, 10, and 11. 
 + 
 +===== Installation =====
   - Install snapd<code>sudo apt update   - Install snapd<code>sudo apt update
 sudo apt install snapd sudo apt install snapd
 sudo snap install core sudo snap install core
 sudo snap refresh core</code> sudo snap refresh core</code>
 +  - Remove previously installed certbot packages<code>sudo apt remove --purge certbot
 +sudo rm /usr/local/bin/certbot-auto</code>
 +  - Remove certbot renewal entry in crontab
 +  - Install certbot through snap<code>sudo snap install --classic certbot
 +sudo ln -s /snap/bin/certbot /usr/bin/certbot</code>
 +  - Test automatic renewal<code>sudo certbot renew --dry-run</code>
 +  - Check that the certbot renewal service has been set up<code>systemctl list-timers</code>
 +
 +===== Maintenance =====
 +  * If you have existing SSL VirtualHost definitions you need to copy a certificate from another site or webserver to /etc/letsencrypt/live and point the certificate in the virtual host file to that certificate before starting/restarting apache. This is necessary for certbot to run, and certbot will later replace the certificate with a valid one.
 +  * Run certbot and register sites:<code>certbot</code>
 +  * Check certificates:<code>certbot certificates</code>
 +  * Add domains to certificate:<code>certbot --expand -d example.com,www.example.com,click.example.com
 +certbot certonly --webroot --agree-tos -w /srv/www/letsencrypt/ --expand -d example.com,www.example.com,click.example.com</code>
 +  * Revoke and optionally delete certificate:<code>certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem</code>
 +  * Delete certificate:<code>certbot delete --cert-name www.example.com</code>
 +  * Delete listed domains:<code>certbot delete</code>
 +  * Remove and/or add domains from existing certificate:<code>certbot certonly --force-renew --cert-name mycertificate.com -d remove.mycertificate.com -d add.mycertificate.com</code>
 +  * Remove domain from certificate:
 +    - Delete certificate where domain is listed in
 +    - Change all apache conf files for the remaining domains in the deleted certificate to another certificate which is active
 +    - Recreate the certificate for the remaining domains<code>certbot -d example.com -d example.net</code> 
 +  * All sites must be accessible through port 80 when renewing certificates.
 +
 +===== Disable =====
 +  * Comment the 2 //OnCalendar// lines in file ''/etc/systemd/system/snap.certbot.renew.timer'' which removes the times set when certbot is called<code>$ sudo vim /etc/systemd/system/snap.certbot.renew.timer
 +[Timer]
 +Unit=snap.certbot.renew.service
 +# OnCalendar=*-*-* 08:46
 +# OnCalendar=*-*-* 15:37</code>
 +
 +===== OUTDATED: Crontab =====
 +  * Root<code>$ sudo crontab -e
 +35 3 * * 6 certbot renew && /etc/init.d/apache2 restart</code>
 +
 +==== Links ====
 +  * [[https://certbot.eff.org/instructions?ws=apache&os=debianbuster|certbot instructions: Apache on Debian 10]]
 +  * [[https://eff-certbot.readthedocs.io/en/stable/uninstall.html|Uninstalling certbot-auto]]
 +  * [[https://github.com/certbot/certbot/issues/8555|How do I disable auto-renew without removing config files?]]
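Review bot: The first Maintenance bullet tells readers to copy a certificate from another site or webserver into /etc/letsencrypt/live so Apache will start, which puts another host's certificate, and the key Apache needs alongside it, onto this machine and serves a certificate for the wrong name until certbot replaces it. Suggest a locally generated self-signed placeholder stored outside /etc/letsencrypt/live instead, so no key leaves its original host and nothing is hand-placed in the directory certbot manages. Separately, the "Remove and/or add domains" example passes -d remove.mycertificate.com; with --cert-name the -d list is the set of names the reissued certificate will contain, so the example should list only the names to keep and to add. The Disable section should also say how to restore the two OnCalendar lines and point back to systemctl list-timers to confirm the timer state, since a commented-out timer lets certificates run to expiry.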