Differences

This shows you the differences between two versions of the page.

deb11:certbot [2021/12/24 14:21] Bernard Condrau
deb11:certbot [2023/03/06 12:39] (current) – [Links] Bernard Condrau
Line 1: Line 1:
-====== Certbot ======+====== Let's Encrypt Certbot ====== 
 +The following walk through works on Debian 9, 10, and 11. 
 + 
 +===== Installation =====
   - Install snapd<code>sudo apt update   - Install snapd<code>sudo apt update
 sudo apt install snapd sudo apt install snapd
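Review bot: The added intro line claims the steps work on Debian 9, 10, and 11, but the page id is deb11:certbot and nothing in this hunk distinguishes between releases. State which releases the steps were actually run on, or drop the claim. Also, "walk through" used as a noun should be "walkthrough".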
Line 7: Line 10:
 sudo rm /usr/local/bin/certbot-auto</code> sudo rm /usr/local/bin/certbot-auto</code>
   - Remove certbot renewal entry in crontab   - Remove certbot renewal entry in crontab
-  - Install certbot through snap<code>sudo snap install --classic certbot</code>+  - Install certbot through snap<code>sudo snap install --classic certbot 
 +sudo ln -s /snap/bin/certbot /usr/bin/certbot</code> 
 +  - Test automatic renewal<code>sudo certbot renew --dry-run</code> 
 +  - Check that the certbot renewal service has been set up<code>systemctl list-timers</code> 
 + 
 +===== Maintenance ===== 
 +  * If you have existing SSL VirtualHost definitions you need to copy a certificate from another site or webserver to /etc/letsencrypt/live and point the certificate in the virtual host file to that certificate before starting/restarting apache. This is necessary for certbot to run, and certbot will later replace the certificate with a valid one. 
 +  * Run certbot and register sites:<code>certbot</code> 
 +  * Check certificates:<code>certbot certificates</code> 
 +  * Add domains to certificate:<code>certbot --expand -d example.com,www.example.com,click.example.com 
 +certbot certonly --webroot --agree-tos -w /srv/www/letsencrypt/ --expand -d example.com,www.example.com,click.example.com</code> 
 +  * Revoke and optionally delete certificate:<code>certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem</code> 
 +  * Delete certificate:<code>certbot delete --cert-name www.example.com</code> 
 +  * Delete listed domains:<code>certbot delete</code> 
 +  * Remove and/or add domains from existing certificate:<code>certbot certonly --force-renew --cert-name mycertificate.com -d remove.mycertificate.com -d add.mycertificate.com</code> 
 +  * Remove domain from certificate: 
 +    - Delete certificate where domain is listed in 
 +    - Change all apache conf files for the remaining domains in the deleted certificate to another certificate which is active 
 +    - Recreate the certificate for the remaining domains<code>certbot -d example.com -d example.net</code>  
 +  * All sites must be accessible through port 80 when renewing certificates. 
 + 
 +===== Disable ===== 
 +  * Comment the 2 //OnCalendar// lines in file ''/etc/systemd/system/snap.certbot.renew.timer'' which removes the times set when certbot is called<code>$ sudo vim /etc/systemd/system/snap.certbot.renew.timer 
 +[Timer] 
 +Unit=snap.certbot.renew.service 
 +# OnCalendar=*-*-* 08:46 
 +# OnCalendar=*-*-* 15:37</code> 
 + 
 +===== OUTDATED: Crontab ===== 
 +  * Root<code>$ sudo crontab -e 
 +35 3 * * 6 certbot renew && /etc/init.d/apache2 restart</code> 
 + 
 +==== Links ==== 
 +  * [[https://certbot.eff.org/instructions?ws=apache&os=debianbuster|certbot instructions: Apache on Debian 10]] 
 +  * [[https://eff-certbot.readthedocs.io/en/stable/uninstall.html|Uninstalling certbot-auto]] 
 +  * [[https://github.com/certbot/certbot/issues/8555|How do I disable auto-renew without removing config files?]] 
 +  * [[https://docs.digitalocean.com/products/networking/load-balancers/#lets-encrypt-ssl-certificates|Load Balancers]]
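Review bot: The first Maintenance bullet tells the reader to copy a certificate from another site or webserver into /etc/letsencrypt/live. For Apache to start with it, that site's private key has to come along too, and the files are hand-placed in a directory that certbot manages itself. Suggest documenting a throwaway self-signed placeholder kept outside /etc/letsencrypt, or leaving the SSL VirtualHost disabled until the first issuance, so no real key is reused across hosts. In the "Remove and/or add domains" bullet, the example "-d remove.mycertificate.com -d add.mycertificate.com" reads as if the first name were dropped, but with --cert-name the -d list is the complete set of names the certificate will contain, so the example should show only the names that remain. Smaller points: the port 80 bullet should say it applies to HTTP-01 validation, the Maintenance commands omit the sudo used under Installation, and the Disable section should warn that snap.certbot.renew.timer is a snap-generated unit, so manual edits may not survive a snap refresh.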