Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
deb11:certbot [2021/12/24 13:18] Bernard Condraudeb11:certbot [2023/03/06 12:39] (current) – [Links] Bernard Condrau
Line 1: Line 1:
-====== Certbot ======+====== Let's Encrypt Certbot ====== 
 +The following walk through works on Debian 9, 10, and 11. 
 + 
 +===== Installation =====
   - Install snapd<code>sudo apt update   - Install snapd<code>sudo apt update
 sudo apt install snapd sudo apt install snapd
 sudo snap install core sudo snap install core
 sudo snap refresh core</code> sudo snap refresh core</code>
 +  - Remove previously installed certbot packages<code>sudo apt remove --purge certbot
 +sudo rm /usr/local/bin/certbot-auto</code>
 +  - Remove certbot renewal entry in crontab
 +  - Install certbot through snap<code>sudo snap install --classic certbot
 +sudo ln -s /snap/bin/certbot /usr/bin/certbot</code>
 +  - Test automatic renewal<code>sudo certbot renew --dry-run</code>
 +  - Check that the certbot renewal service has been set up<code>systemctl list-timers</code>
 +
 +===== Maintenance =====
 +  * If you have existing SSL VirtualHost definitions you need to copy a certificate from another site or webserver to /etc/letsencrypt/live and point the certificate in the virtual host file to that certificate before starting/restarting apache. This is necessary for certbot to run, and certbot will later replace the certificate with a valid one.
 +  * Run certbot and register sites:<code>certbot</code>
 +  * Check certificates:<code>certbot certificates</code>
 +  * Add domains to certificate:<code>certbot --expand -d example.com,www.example.com,click.example.com
 +certbot certonly --webroot --agree-tos -w /srv/www/letsencrypt/ --expand -d example.com,www.example.com,click.example.com</code>
 +  * Revoke and optionally delete certificate:<code>certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem</code>
 +  * Delete certificate:<code>certbot delete --cert-name www.example.com</code>
 +  * Delete listed domains:<code>certbot delete</code>
 +  * Remove and/or add domains from existing certificate:<code>certbot certonly --force-renew --cert-name mycertificate.com -d remove.mycertificate.com -d add.mycertificate.com</code>
 +  * Remove domain from certificate:
 +    - Delete certificate where domain is listed in
 +    - Change all apache conf files for the remaining domains in the deleted certificate to another certificate which is active
 +    - Recreate the certificate for the remaining domains<code>certbot -d example.com -d example.net</code> 
 +  * All sites must be accessible through port 80 when renewing certificates.
 +
 +===== Disable =====
 +  * Comment the 2 //OnCalendar// lines in file ''/etc/systemd/system/snap.certbot.renew.timer'' which removes the times set when certbot is called<code>$ sudo vim /etc/systemd/system/snap.certbot.renew.timer
 +[Timer]
 +Unit=snap.certbot.renew.service
 +# OnCalendar=*-*-* 08:46
 +# OnCalendar=*-*-* 15:37</code>
 +
 +===== OUTDATED: Crontab =====
 +  * Root<code>$ sudo crontab -e
 +35 3 * * 6 certbot renew && /etc/init.d/apache2 restart</code>
 +
 +==== Links ====
 +  * [[https://certbot.eff.org/instructions?ws=apache&os=debianbuster|certbot instructions: Apache on Debian 10]]
 +  * [[https://eff-certbot.readthedocs.io/en/stable/uninstall.html|Uninstalling certbot-auto]]
 +  * [[https://github.com/certbot/certbot/issues/8555|How do I disable auto-renew without removing config files?]]
 +  * [[https://docs.digitalocean.com/products/networking/load-balancers/#lets-encrypt-ssl-certificates|Load Balancers]]

Know How

© 2007-2024 Bernard Condrau - Powered by DokuWiki