Certbot - dogtagpki/pki GitHub Wiki
This document describes how to use certbot.
To install certbot on Fedora:
$ dnf install certbot
certbot does not work with an untrusted self-signed CA certificate. As a workaround, use plain HTTP, e.g.:
$ certbot certonly --standalone \
--server http://pki.demo.dogtagpki.org/acme/directory \
...
Alternatively, install the self-signed CA certificate, e.g.:
$ cp ca_signing.crt /etc/pki/ca-trust/source/anchors
$ update-ca-trust
To request a certificate with automatic http-01 validation:
$ certbot certonly --standalone \
--server https://pki.demo.dogtagpki.org/acme/directory \
-d server.example.com \
--register-unsafely-without-email \
--agree-tos
To request a certificate with manual http-01 validation:
$ certbot certonly --manual \
--server https://pki.demo.dogtagpki.org/acme/directory \
-d server.example.com \
--register-unsafely-without-email \
--agree-tos
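The manual http-01 request above pauses until the challenge file has been published by hand. As an added example (not part of the Dogtag wiki), the hook script below publishes and removes that file through certbot's --manual-auth-hook and --manual-cleanup-hook options; the web root and the script's install path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): certbot manual hooks for http-01.
# Assumption: WEBROOT is the document root served on port 80 for the domain.
WEBROOT="${WEBROOT:-/var/www/html}"

# certbot exports CERTBOT_TOKEN (file name) and CERTBOT_VALIDATION (file body).
challenge_path() {
    # Accept only base64url characters so the token can never escape
    # the challenge directory (no "/", no "..").
    case "$CERTBOT_TOKEN" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token: $CERTBOT_TOKEN" >&2; return 1 ;;
    esac
    printf '%s/.well-known/acme-challenge/%s\n' "$WEBROOT" "$CERTBOT_TOKEN"
}

auth_hook() {
    path=$(challenge_path) || return 1
    mkdir -p "${path%/*}" || return 1
    # The ACME server fetches this over plain HTTP, so it must be world-readable.
    printf '%s' "$CERTBOT_VALIDATION" > "$path" && chmod 644 "$path"
}

cleanup_hook() {
    path=$(challenge_path) || return 1
    rm -f "$path"
}

# Usage (hypothetical install path):
#   certbot certonly --manual \
#     --manual-auth-hook    '/usr/local/bin/acme-http01.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-http01.sh cleanup' ...
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

The token check matters because the file name comes from the ACME server: a value containing "/" or ".." is rejected before any path is built.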
To request a certificate with manual dns-01 validation:
$ certbot certonly --manual \
--server https://pki.demo.dogtagpki.org/acme/directory \
-d server.example.com \
--preferred-challenges dns \
--register-unsafely-without-email \
--agree-tos
To request a multi-domain certificate:
$ certbot certonly --manual \
--server https://pki.demo.dogtagpki.org/acme/directory \
-d example.com \
-d www.example.com \
-d server.example.com \
--register-unsafely-without-email \
--agree-tos
To request a wildcard certificate:
$ certbot certonly --manual \
--server https://pki.demo.dogtagpki.org/acme/directory \
-d '*.example.com' \
--register-unsafely-without-email \
--agree-tos
The results will be stored in:
- certificate: /etc/letsencrypt/live/example.com/fullchain.pem
- private key: /etc/letsencrypt/live/example.com/privkey.pem
To renew a certificate with manual dns-01 validation:
$ certbot certonly --manual -d example.com --preferred-challenges dns
To delete a certificate:
$ certbot delete --cert-name $HOSTNAME