Certbot - dogtagpki/pki GitHub Wiki
This document describes how to use certbot.
To install certbot on Fedora:

```
$ dnf install certbot
```
certbot does not work with an untrusted self-signed CA certificate. As a workaround, use plain HTTP, e.g.:

```
$ certbot certonly --standalone \
    --server http://pki.demo.dogtagpki.org/acme/directory \
    ...
```
Alternatively, install the self-signed CA certificate into the system trust store, e.g.:

```
$ cp ca_signing.crt /etc/pki/ca-trust/source/anchors
$ update-ca-trust
```
To request a certificate with automatic http-01 validation:

```
$ certbot certonly --standalone \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos
```
To request a certificate with manual http-01 validation:

```
$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos
```
To request a certificate with manual dns-01 validation:

```
$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --preferred-challenges dns \
    --register-unsafely-without-email \
    --agree-tos
```
To request a multi-domain certificate:

```
$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d example.com \
    -d www.example.com \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos
```
To request a wildcard certificate:

```
$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d *.example.com \
    --register-unsafely-without-email \
    --agree-tos
```
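In the manual http-01 and dns-01 modes above, certbot prints a value you must serve or publish before validation proceeds; that value is derived from the challenge token and the ACME account key (RFC 8555 sections 8.1, 8.3 and 8.4, with the JWK thumbprint of RFC 7638). The following added example, which is not part of this wiki or of certbot, reproduces the derivation so you can check what certbot asks you to publish; the account JWK and token are constructed placeholders, and the wildcard case shows that `*.example.com` validates against `_acme-challenge.example.com`.

```python
"""Derive ACME challenge responses (added example; not certbot's own code).

The JWK below is a constructed placeholder, not a real account key.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: thumbprint covers only the required public members.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# Constructed placeholder account key; "kid" and "alg" must not affect the thumbprint.
SAMPLE_JWK = {
    "kid": "placeholder-account-1",
    "alg": "ES256",
    "kty": "EC",
    "crv": "P-256",
    "x": "PLACEHOLDER_X_COORDINATE_BASE64URL",
    "y": "PLACEHOLDER_Y_COORDINATE_BASE64URL",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path and body to serve for http-01 (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value for dns-01 (RFC 8555 section 8.4); wildcard label is dropped."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain.removeprefix('*.')}", b64url(digest)
```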
The results will be stored in:

- certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- private key: `/etc/letsencrypt/live/example.com/privkey.pem`
To renew a certificate with manual dns-01 validation:

```
$ certbot certonly --manual -d example.com --preferred-challenges dns
```
To delete a certificate:

```
$ certbot delete --cert-name $HOSTNAME
```