Difference between revisions of "Certbot"

m (Added systemctl commands to start timer for users unfamiliar with timers.)
Line 55: Line 55:
 
[Install]
 
[Install]
 
WantedBy=timers.target}}
 
WantedBy=timers.target}}
 +
 +
And start both timer and service with:
 +
 +
systemctl daemon-reload
 +
systemctl enable letsencrypt.timer
 +
systemctl start letsencrypt.timer
 +
systemctl start letsencrypt.service
 +
 +
If the new certificate is not visible you might have to also restart nginx.service.
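Review bot: the last added line tells the reader to restart nginx.service by hand when the new certificate is not visible, but the timer this revision enables (`systemctl enable letsencrypt.timer`) will renew unattended every month, so a renewed certificate will sit unused on disk until someone remembers to restart the web server. Suggest moving the reload into the service unit itself, e.g. an `ExecStartPost=/usr/bin/systemctl reload nginx.service` line after the `ExecStart=` line, so each timer-driven renewal is served immediately, and keeping the manual restart note only for the first run.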

Revision as of 13:21, 24 January 2016

Let’s Encrypt is a free, automated, and open certificate authority. It provides tools to request valid SSL certificates straight from the command line.

Installation

Install the letsencrypt package.

Automated configuration and installation of the issued certificates in web servers is provided by plugins:

Configuration

Please consult the Let’s Encrypt client documentation on how to create and install certificates. This wiki page will be expanded once the certificate installation methods have settled.

Manual

Note: With this method, you must temporarily stop your web server. You can also run the verification through your already running web server with the #Webroot method.

If there is no plugin for your web server, use the following command:

# letsencrypt certonly --manual

This will automatically verify your domain and create a private key and certificate pair. These are placed in /etc/letsencrypt/live/your.domain/.

You can then manually configure your web server to use the key and certificate in that directory.

Webroot

You can use the webroot method to get/renew certificates with a running webserver (e.g. Apache/nginx).

/etc/systemd/system/letsencrypt.service
[Unit]
Description=Letsencrypt manual renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email email@example.com --webroot -w /path/to/html/ -d your.domain

Make sure the server configuration for the certificates points to /etc/letsencrypt/live/your.domain/.

Before adding a timer, check that the service runs correctly and does not prompt for any input.

Then, you can add a timer to renew the certificates monthly.

/etc/systemd/system/letsencrypt.timer
[Unit]
Description=Monthly renewal on letsencrypt's certificates

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target

And start both timer and service with:

systemctl daemon-reload
systemctl enable letsencrypt.timer
systemctl start letsencrypt.timer
systemctl start letsencrypt.service

If the new certificate is not visible, you might also have to restart nginx.service.
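The webroot procedure above (service unit, timer, pre-timer sanity check, web server restart) as one runnable script. This is an added example, not part of the ArchWiki page or the Let's Encrypt client: it writes the two units into a directory you choose (use /etc/systemd/system as root on a real host), adds an ExecStartPost reload of nginx.service so a timer-driven renewal is served without a manual restart (assumption: nginx serves the domain), and turns the "check that the service does not prompt" advice into tests on the generated files. The email, webroot path and domain passed at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Example (not from the wiki): generate and check the letsencrypt.service /
# letsencrypt.timer pair for webroot renewal.

# write_letsencrypt_units DIR EMAIL WEBROOT DOMAIN
# Writes DIR/letsencrypt.service and DIR/letsencrypt.timer.
write_letsencrypt_units() {
    dir=$1; email=$2; webroot=$3; domain=$4
    cat > "$dir/letsencrypt.service" <<EOF
[Unit]
Description=Letsencrypt manual renewal
# Wait for the network; an ACME challenge cannot succeed before it is up.
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email $email --webroot -w $webroot -d $domain
# Added in this example (assumption: nginx serves the domain): reload the web
# server so the renewed certificate is served. ExecStartPost only runs when
# ExecStart succeeded, so a failed renewal leaves the running server untouched.
ExecStartPost=/usr/bin/systemctl reload nginx.service
EOF
    cat > "$dir/letsencrypt.timer" <<EOF
[Unit]
Description=Monthly renewal of letsencrypt's certificates

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# unit_has FILE DIRECTIVE: succeeds if FILE contains exactly that line.
unit_has() {
    grep -qxF -- "$2" "$1"
}

# check_letsencrypt_units DIR: the checks to run before enabling the timer.
# Returns 0 when the units are safe to run unattended, 1 otherwise.
check_letsencrypt_units() {
    dir=$1
    unit_has "$dir/letsencrypt.service" "Type=oneshot" || return 1
    # The manual plugin waits for keyboard input; a timer-driven run would hang.
    grep -q -- "--manual" "$dir/letsencrypt.service" && return 1
    # Without --agree-tos the client stops to ask for agreement.
    grep -q -- "--agree-tos" "$dir/letsencrypt.service" || return 1
    unit_has "$dir/letsencrypt.timer" "OnCalendar=monthly" || return 1
    unit_has "$dir/letsencrypt.timer" "Persistent=true" || return 1
    unit_has "$dir/letsencrypt.timer" "WantedBy=timers.target" || return 1
    return 0
}

# Demonstration in a scratch directory with constructed placeholder values.
demo_dir=$(mktemp -d)
write_letsencrypt_units "$demo_dir" "email@example.com" "/path/to/html/" "your.domain"
check_letsencrypt_units "$demo_dir" && echo "units in $demo_dir pass the pre-timer checks"
```

After writing the units into /etc/systemd/system, the commands from the page still apply: `systemctl daemon-reload`, `systemctl enable letsencrypt.timer`, `systemctl start letsencrypt.timer`, then `systemctl start letsencrypt.service` for the first run, which is also when the ExecStartPost reload is exercised for the first time.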