Previous revision: crypto:letsencrypt [2018-12-22 17:46] – created gabriel
Next revision: crypto:letsencrypt [2019-05-21 22:00] – note re: badphotography.ca gabriel
Line 1: | Line 1: | ||
====== Let's Encrypt Usage Notes ====== | ====== Let's Encrypt Usage Notes ====== | ||
+ | We're currently using Let's Encrypt to generate and manage TLS certificates for quay.net and several other domains. | ||
+ | |||
+ | Now that Let's Encrypt supports wildcard certs, our cert has been modified accordingly. | ||
+ | |||
+ | Thus, we'll use the manual process for generating and managing our certificates. | ||
+ | |||
+ | ===== certbot manual DNS validation ===== | ||
+ | |||
+ | First we'll install the distribution package for certbot + dependencies: | ||
<code sh> | <code sh> | ||
- | certbot | + | apt install |
+ | </code> | ||
- | sudo ./ | + | Now let's request a new certificate, |
- | sudo ./certbot-auto certonly | + | |
+ | <code sh> | ||
+ | sudo certbot --manual | ||
</ | </ | ||
+ | |||
+ | Enter our domains at the prompt. | ||
+ | |||
+ | <code sh> | ||
+ | quay.net *.quay.net gabriel.to *.gabriel.to gabrielobrien.ca *.gabrielobrien.ca k538.ca *.k538.ca unx.is *.unx.is badphoto.ca *.badphoto.ca badphotography.ca *.badphotography.ca | ||
+ | </ | ||
+ | |||
+ | If all goes well, you will now be prompted to update a DNS TXT record for each domain as well as a file on the local webserver to allow the ACME service to validate that you actually control the domain(s) in question. | ||
+ | |||
+ | On our server we use an nginx configuration file that can be enabled or disabled to turn on shared challenge files during certificate renewal. | ||
+ | |||
+ | < | ||
+ | # USAGE: enable this configuration for Route 53 validation for Let's Encrypt | ||
+ | location / | ||
+ | alias / | ||
+ | | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | > **Note:** locally we have to manage some custom config for [[https:// | ||
+ | |||
+ | The instructions are provided at each step and are fairly simple. | ||
+ | |||
+ | <code sh> | ||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Please deploy a DNS TXT record under the name | ||
+ | _acme-challenge.quay.net with the following value: | ||
+ | |||
+ | <a random string of characters> | ||
+ | |||
+ | Before continuing, verify the record is deployed. | ||
+ | (This must be set up in addition to the previous challenges; do not remove, | ||
+ | replace, or undo the previous challenge tasks yet. Note that you might be | ||
+ | asked to create multiple distinct TXT records with the same name. This is | ||
+ | permitted by DNS standards.) | ||
+ | |||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Press Enter to Continue | ||
+ | </ | ||
+ | |||
+ | After you have made the DNS changes for each domain, you will be prompted to create the challenge responses on your webserver, again instructions are provided. | ||
+ | |||
+ | <code sh> | ||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Create a file containing just this data: | ||
+ | |||
+ | <another random string of characters> | ||
+ | |||
+ | And make it available on your web server at this URL: | ||
+ | |||
+ | http:// | ||
+ | |||
+ | (This must be set up in addition to the previous challenges; do not remove, | ||
+ | replace, or undo the previous challenge tasks yet.) | ||
+ | |||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Press Enter to Continue | ||
+ | </ | ||
+ | |||
+ | If all goes well, then your cert will be updated and you just need to restart your webserver(s). | ||
+ | |||
+ | It's a good idea to clean up these records now to avoid a potential backdoor that might allow somebody to take over your certificate and/or webserver. |
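Review bot: the new revision drops `certonly` from the certbot command (the removed line read `sudo ./certbot-auto certonly`; the added line shows only `sudo certbot --manual`), but `certonly` is what tells certbot to obtain the certificate without trying to install it into a web server, which matches the page's own flow of restarting the webserver(s) by hand afterwards; the command should read `sudo certbot certonly --manual ...`. The closing cleanup advice would be more actionable if it named what to remove: the `_acme-challenge.<domain>` TXT records and the challenge response files served from the nginx `location` alias, and the nginx challenge configuration itself should be disabled again once the run completes, since the text says it is meant to be enabled only during renewal. Finally, because the `--manual` flow shown here is interactive ("Press Enter to Continue" at each step), the same DNS and HTTP steps have to be repeated for every renewal; worth stating that near the top so nobody expects an unattended `certbot renew` to work with this setup.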
crypto/letsencrypt.txt · Last modified: 2019-10-16 13:03 by gabriel