tlwiki/content/reference/letsencrypt.md

94 lines
3.4 KiB
Markdown

# LetsEncrypt
## Certbot Usage
Create a cert using the interactive menu:
```prettyprint
- certbot certonly
```
## Automating Renewal
LetsEncrypt Certs are good for a max of 90 days, so automating renewal is a must.
Do a dry-run renewal with certbot:
```prettyprint
- certbot renew --dry-run
```
This will test, and possibly renew all certs that certbot knows about
Now you can use `certbot renew --quiet` for scripting this renewal. I do mine with a simple systemd script:
```prettyprint
- /etc/systemd/system/certbot.service
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload httpd.service
```
## Apache Configuration
There's a couple of considerations when using ssl certs with Apache. The first is to enable the appropriate modules in httpd.conf:
```prettyprint
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
```
Also, make sure to configure apache to listen on port 443:
```prettyprint
Listen 443
```
That will get the basic framework ready for your virtualhost definition. Here is a very simple virtualhost configuration:
```prettyprint linenums
<VirtualHost wiki.thurstylark.com:80>
ServerName wiki.thurstylark.com
DocumentRoot "/srv/wiki/"
<Directory "/srv/wiki/">
AllowOverride None
Options None
Require all granted
</Directory>
- Redirect all except the '.wellk-known' path to https.
- This allows automated renewal of ssl certs by certbot
RedirectMatch permanent ^/(?!\.well-known)(.*) https://wiki.thurstylark.com/$1
</VirtualHost>
<VirtualHost wiki.thurstylark.com:443>
ServerName wiki.thurstylark.com
ServerAdmin thurstylark@gmail.com
DocumentRoot "/srv/wiki/"
<Directory "/srv/wiki/">
AllowOverride None
Options None
Require all granted
</Directory>
SSLEngine on
SSLCertificateChainFile "/etc/letsencrypt/live/wiki.thurstylark.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/wiki.thurstylark.com/privkey.pem"
</VirtualHost>
```
A couple things to note here: First, this defines two virtualhosts, one for port 80 and one for port 443. This is in order to redirect _all_ traffic to HTTPS except for a very small exception.
This exception is what you see on line 12 in the code above. Only `*/.well-known/*` is not redirected because this is the dir that certbot uses for domain validation. Certbot will only validate over http, and will fail if given a 301 redirect. This allows validation to complete successfuly without a configuration change, thus aiding our automation efforts. Everything else gets a 301 redirect to HTTPS. Be sure to define `DocumentRoot` with the correct location for *both* VirtualHosts, or certbot will fail to renew things correctly. (found this one out the hard way)
Lines 28-29 configure Apache to look for the necessary files in the right places. The locations listed here are actually symlinks to the real files, which are kept in an archive. These links are maintained by certbot automagically.
To obtain new certs for a subdomain, copy this config to `/etc/httpd/conf/extra/`, update the config with the appropriate subdomain name, comment out lines 5-29 to disable the redirect and ssl configuration, and add an include in the main httpd.conf. Once that is all set up, you can run certbot to obtain new certs. Once certbot is finished, you can remove the comments, restart httpd, and begin testing.