Difference between revisions of "Certbot"
m (Added systemctl commands to start timer for users unfamiliar with timers.)
Revision as of 13:21, 24 January 2016
Let’s Encrypt is a free, automated, and open certificate authority. It provides tools to request valid SSL certificates straight from the command line.
Install the package.
Automated configuration and installation of the issued certificates in web servers is provided by plugins:
- The experimental plugin for Nginx is provided with the package.
- Although a package exists, automated installation using the Apache HTTP Server is currently only supported on Debian and derivatives.
Please consult the Let’s Encrypt client documentation on how to create and install certificates. This wiki will be expanded as soon as the certificate installation methods have settled.
If there is no plugin for your web server, use the following command:
# letsencrypt certonly --manual
This will automatically verify your domain and create a private key and certificate pair. These are placed in
You can then manually configure your web server to use the key and certificate in that directory.
You can use the webroot method to obtain or renew certificates while a web server (e.g. Apache/nginx) is running.
[Unit]
Description=Letsencrypt manual renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email email@example.com --webroot -w /path/to/html/ -d your.domain
Make sure the server configuration for the certificates points to
Before adding a timer, check that the service is working correctly and not trying to prompt anything.
Then, you can add a timer to renew the certificates monthly.
[Unit]
Description=Monthly renewal on letsencrypt's certificates

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target
And start both timer and service with:
systemctl daemon-reload
systemctl enable letsencrypt.timer
systemctl start letsencrypt.timer
systemctl start letsencrypt.service
If the new certificate is not visible, you might also have to restart nginx.service.
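To tell whether the restart is needed after a renewal, the certificate on disk can be compared with the one the web server actually presents. The following is an added example, not part of the original wiki page or the Let’s Encrypt client; the function names are hypothetical and the demo uses constructed stand-in bytes instead of real certificates.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in a chain file)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_der(host, port=443, timeout=5.0):
    """Return the DER certificate the server presents for `host` (sent as SNI)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # No CA validation here: the result is only compared byte-for-byte
    # with the certificate file we already hold locally.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def needs_restart(pem_text, host, port=443, fetch=served_der):
    """True when the server still presents a certificate other than the one on disk."""
    served = hashlib.sha256(fetch(host, port)).hexdigest()
    return served != leaf_fingerprint(pem_text)


if __name__ == "__main__":
    # Constructed demo, no network: stand-in bytes play the old and new certificate.
    old, new = b"constructed-old-cert", b"constructed-new-cert"
    on_disk = ssl.DER_cert_to_PEM_cert(new)
    # Server still holds the old certificate in memory (not restarted yet).
    print(needs_restart(on_disk, "your.domain", fetch=lambda h, p: old))
    # Server restarted and now serves the renewed certificate.
    print(needs_restart(on_disk, "your.domain", fetch=lambda h, p: new))
```

For a live check, read the certificate file written by the client and call needs_restart(pem_text, "your.domain") with the default fetch; a True result after the renewal service has run means the web server has not yet loaded the new certificate.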