Installation configuration certbot letsencrypt - kwantu/platformconfiguration GitHub Wiki
Installation of certbot.
The Ansible scripts for nginx should already have installed certbot; confirm with certbot --version before continuing.
See the Certbot documentation at https://certbot.eff.org/
Run Certbot for the first time
First make sure that nginx is serving every hostname that will go on the certificate over plain HTTP (port 80) and that DNS for each name points at this server: the http-01 challenge below is fetched by Let's Encrypt over port 80, so any name that is not reachable that way fails validation.
sudo certbot --nginx
# This is the result
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lmsntip.co.za
2: www.lmsntip.co.za
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lmsntip.co.za
http-01 challenge for www.lmsntip.co.za
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/kwantu_80.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/kwantu_80.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/kwantu_80.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/kwantu_80.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://lmsntip.co.za and
https://www.lmsntip.co.za
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=lmsntip.co.za
https://www.ssllabs.com/ssltest/analyze.html?d=www.lmsntip.co.za
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lmsntip.co.za/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lmsntip.co.za/privkey.pem
Your cert will expire on 2020-09-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Check that renewal is scheduled
Current certbot packages install a systemd timer or cron job that runs certbot renew twice a day; look with systemctl list-timers or in /etc/cron.d before adding a second one. If nothing is there, add the line from the Certbot documentation to the system crontab (the root field is the user column that /etc/crontab has and per-user crontabs do not):
----
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
If you use sudo crontab -e instead, paste the same schedule without the root field. The random sleep spreads renewals over an hour so the ACME servers are not hit by everyone at exactly 00:00 and 12:00; -q keeps cron mail quiet unless renewal fails. Exercise the whole renewal path without consuming rate limits or touching the live certificate with sudo certbot renew --dry-run.
Steps to implement the certificate manually.
- Create the directory under nginx that will hold the SSL files. Mode 2750 (setgid, no world access) keeps the key material out of reach of other local users:
sudo mkdir /etc/nginx/ssl/
sudo chmod 2750 /etc/nginx/ssl/
Certbot - adding additional domains to an existing certbot certificate
Pass --expand together with every name already on the certificate plus the new ones. Certbot only expands a certificate whose names are a strict subset of the requested set; if an existing name is left out, it issues a second certificate instead of replacing the first. certbot certificates lists the names currently covered.
sudo certbot --expand -d existing.com -d example.com -d newdomain.com
Certbot installation notes from CouchDB support
I have these notes on configuring SSL using certbot:
# Configuring the firewall
# 5984 is the plain-HTTP port and 6984 the HTTPS one. Once 6984 works, consider
# closing 5984 again (or binding it to 127.0.0.1 in local.ini) so CouchDB
# credentials never cross the network unencrypted.
sudo ufw allow 5984
sudo ufw allow 6984
## Configure SSL - Let's Encrypt
# The certbot PPA used below has since been retired; on current Ubuntu/Debian
# install certbot with snap (see certbot.eff.org) or the distribution package.
# Only the certbot package itself is needed for the webroot method used here;
# python-certbot-apache additionally pulls in the Apache plugin, which is unused.
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo mkdir /opt/couchdb/letsencrypt
# -w must be the document root that serves http://YOUR.com/ on port 80
# (/var/www/YOUR.com or /var/www/html depending on how the web server is set up).
# --config-dir keeps this certificate, its account key and its renewal
# configuration apart from /etc/letsencrypt; remember it for certbot renew.
sudo certbot certonly --webroot -w /var/www/YOUR.com --config-dir /opt/couchdb/letsencrypt --logs-dir /var/log/couchdb -d YOUR.com
# set the permissions on the files to the following (the entries under live/ are
# symlinks into archive/; chmod and chown follow them, so the real files change):
sudo chmod 600 /opt/couchdb/letsencrypt/live/YOUR.com/cert.pem
sudo chmod 600 /opt/couchdb/letsencrypt/live/YOUR.com/privkey.pem
sudo chmod 600 /opt/couchdb/letsencrypt/live/YOUR.com/fullchain.pem
# -R also makes couchdb the owner of the ACME account key under accounts/ and of
# the renewal configuration. The minimum CouchDB needs is read access to the three
# files above plus traversal of live/ and archive/. Certbot writes new files into
# archive/ on every renewal, so re-apply these after each renewal (for example
# from a --deploy-hook script) or CouchDB stops being able to read the new key.
sudo chown -R couchdb /opt/couchdb/letsencrypt/
sudo nano /opt/couchdb/etc/local.ini
# Add or change the following entries under the [ssl] section. The section header
# matters: port under [chttpd] is the plain-HTTP listener, port under [ssl] the
# HTTPS one.
[ssl]
enable = true
port = 6984
cert_file = /opt/couchdb/letsencrypt/live/YOUR.com/cert.pem
key_file = /opt/couchdb/letsencrypt/live/YOUR.com/privkey.pem
cacert_file = /opt/couchdb/letsencrypt/live/YOUR.com/fullchain.pem
# CouchDB 2.x starts the HTTPS listener from the [daemons] section instead of
# enable = true:
# httpsd = {chttpd, start_link, [https]}
Restart CouchDB (sudo systemctl restart couchdb) and test it at: https://YOUR.com:6984/_utils/ . To check that the full chain is sent and the certificate matches the name, use openssl s_client -connect YOUR.com:6984 -servername YOUR.com from another machine.
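The renewal section and the CouchDB permission steps above share a gap: certbot writes fresh files into archive/ on every renewal, so a one-off chmod/chown stops applying after the first renewal. The script below is an added example, not from this wiki or from CouchDB support, of a certbot --deploy-hook that copies the renewed files out to a directory owned by the CouchDB user with restrictive modes and restarts the service. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables certbot sets for deploy hooks; the destination /opt/couchdb/certs, the owner couchdb and the lineage name YOUR.com are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for CouchDB. Copies the renewed lineage
# (cert.pem, privkey.pem, fullchain.pem) out of certbot's live/ directory as
# real files owned by the CouchDB user, mode 600, then restarts CouchDB.
# Certbot exports RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS to deploy hooks; the values below are assumptions.
set -eu

LINEAGE_NAME="${LINEAGE_NAME:-YOUR.com}"   # assumed certificate name
DEST="${DEST:-/opt/couchdb/certs}"         # assumed directory CouchDB reads
OWNER="${OWNER:-couchdb}"                  # assumed CouchDB service user

# install_certs LINEAGE_DIR DEST_DIR OWNER
# live/<name>/ only holds symlinks into archive/; copy the targets as regular
# files so a later renewal cannot change them under CouchDB, and so no
# permission on certbot's directories has to be widened.
# Returns non-zero if any of the three files is missing.
install_certs() {
    src="$1"; dest="$2"; owner="$3"
    umask 077                       # new files and dirs start out private
    mkdir -p "$dest"
    chmod 700 "$dest"
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        # -L dereferences the symlink; write via a temp name and rename so a
        # reader never sees a half-written key
        cp -L "$src/$f" "$dest/$f.tmp"
        chmod 600 "$dest/$f.tmp"
        chown "$owner" "$dest/$f.tmp"
        mv "$dest/$f.tmp" "$dest/$f"
    done
    chown "$owner" "$dest"
}

# is_our_lineage LINEAGE_DIR NAME
# certbot runs deploy hooks for every renewed certificate, so act only on ours.
is_our_lineage() {
    [ "$(basename "$1")" = "$2" ]
}

# Only do anything when invoked by certbot (RENEWED_LINEAGE set) for our lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if is_our_lineage "$RENEWED_LINEAGE" "$LINEAGE_NAME"; then
        install_certs "$RENEWED_LINEAGE" "$DEST" "$OWNER"
        systemctl restart couchdb
    fi
fi
```

Register it when issuing the certificate by adding --deploy-hook /opt/couchdb/deploy-hook.sh (assumed path) to the certonly command; certbot stores the hook in the renewal configuration under the given --config-dir. Renewals must then be run with the same directory, certbot renew --config-dir /opt/couchdb/letsencrypt, otherwise certbot only looks in /etc/letsencrypt and this certificate is never renewed. Deploy hooks are skipped under --dry-run, so test the script by hand with RENEWED_LINEAGE exported. With this approach local.ini points at /opt/couchdb/certs and the chown -R on the whole config directory is no longer needed, so the couchdb user never owns the ACME account key.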
Running certbot with virtual hosts and reverse proxies.
When nginx serves several virtual hosts or proxies requests to back-end applications, the nginx installer plugin cannot always find and safely edit the right server block to answer the challenge, so use the webroot method instead (https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622). For that method every port-80 server block must serve /.well-known/acme-challenge/ from one shared directory on disk, ahead of any proxy_pass or redirect location, so the nginx configuration must be slightly different:
location ^~ /.well-known/acme-challenge/ {
    # Challenge responses must be served as "text/plain" or with no
    # Content-Type header at all; "text/plain" is the safe option. See:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    default_type "text/plain";
    # Use root, NOT alias: nginx then looks for the token file under
    # /var/www/letsencrypt/.well-known/acme-challenge/, which is exactly where
    # certbot writes it when given -w /var/www/letsencrypt (or webroot-path in
    # /etc/letsencrypt/cli.ini together with authenticator = webroot).
    root /var/www/letsencrypt;
}
Run certbot with --test-cert first: that issues from the Let's Encrypt staging CA, which browsers do not trust but which does not count against the production rate limits, so a broken webroot can be fixed and retried freely. Once validation succeeds, rerun the same command without --test-cert. -a webroot validates by writing the token into the -w directory served above; -i nginx then edits the nginx configuration to use the resulting certificate.
sudo certbot run -a webroot -i nginx -w /var/www/letsencrypt -d epwprs.dpw.gov.za --test-cert
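The location block above only shows the challenge handler. As an added example (not from this wiki or the kwantu configuration), here is a complete vhost pair for a reverse-proxied application, showing where that handler sits relative to the proxied location and the HTTPS redirect. The hostname app.example.com, the upstream 127.0.0.1:8080 and the certificate paths are assumptions; the webroot path is the one used on this page.

```nginx
# Added example: port-80 vhost that answers ACME challenges itself and sends
# everything else to HTTPS, plus the HTTPS vhost that proxies to the application.
server {
    listen 80;
    server_name app.example.com;           # assumed hostname

    # "^~" makes this prefix match win over "location /" and any regex
    # locations, so the challenge is served from disk, never proxied.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;         # same directory as certbot's -w
    }

    # Everything else goes to HTTPS; $request_uri keeps path and query string.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name app.example.com;

    # Paths certbot -i nginx writes for this name (assumed lineage name)
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Create /var/www/letsencrypt and make it readable by the nginx worker user before running certbot, then check the config with sudo nginx -t and reload. A quick sanity check is curl -i http://app.example.com/.well-known/acme-challenge/test: a 404 from nginx itself means the location matches; a 301 or a response from the back end means the challenge would be redirected or proxied and validation will fail.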