EN Certbot - titandc/titan-sc-documentation GitHub Wiki
Preface
This documentation explains how to generate a generic SSL certificate using Let's Encrypt (certbot). The certificate can thus be used by any application.
Prerequisites
The domain name for which the certificate will be created must have a DNS A record pointing to the public IP address of the server.
For this example, the domain name example-certbot.org will be used.
Installation
On most Linux distributions, installing the certbot package is enough:
# Debian-like
apt-get install certbot
# Red Hat-like
dnf install certbot
Creation of the certificate
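The certificate is created with the certbot command. The --standalone authenticator starts its own temporary web server to answer the http-01 challenge, so port 80 must be reachable from the internet and not already in use by another service: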
certbot certonly --standalone --agree-tos -d example-certbot.org --no-eff-email --email [email protected]
The output of the command should look like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Requesting a certificate for example-certbot.org
Performing the following challenges:
http-01 challenge for example-certbot.org
Waiting for verification ...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example-certbot.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example-certbot.org/privkey.pem
Your certificate will expire on 2022-02-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew * all * of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate has been generated successfully. The files are available in the /etc/letsencrypt/live/example-certbot.org/ directory, which contains the certificate, its chain and the private key.
The private key is, as the name suggests, private. It must never be shared with anyone or placed on any public or removable medium (FTP, USB key, etc.).
It is now possible to use the certificate for any application.
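A quick audit of the generated files before pointing a web server at them, as an added example that is not part of the original wiki: it checks that privkey.pem is not accessible to group or other, that the certificate and key belong together, and that at least 30 days of validity remain. The function names and the 30-day threshold are assumptions; it needs openssl and must run as a user that can read /etc/letsencrypt (normally root).

```shell
#!/bin/sh
# Added example: audit a certbot live directory before a web server uses it.
# Function names are hypothetical; the path in the usage line is from this page.

# 0 if the key (symlinks followed into archive/) has no group/other bits set.
key_is_private() {
    [ -f "$1" ] || return 2
    [ -z "$(find -L "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# 0 if the leaf certificate (first PEM block of fullchain.pem) carries the
# same public key as the private key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Run all three checks on one live directory; non-zero if any fails.
audit_live_dir() {
    dir=$1
    rc=0
    if ! key_is_private "$dir/privkey.pem"; then
        echo "FAIL: $dir/privkey.pem is missing or accessible to group/other"; rc=1
    fi
    if ! cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "FAIL: fullchain.pem and privkey.pem do not belong together"; rc=1
    fi
    if ! cert_valid_for_days "$dir/fullchain.pem" 30; then
        echo "WARN: certificate expires within 30 days, run: certbot renew"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: $dir"
    return "$rc"
}

# Only audit when a directory is passed, e.g.:
#   sh audit.sh /etc/letsencrypt/live/example-certbot.org
if [ "$#" -gt 0 ]; then
    audit_live_dir "$1"
fi
```

The non-zero exit status makes the script usable from cron or a monitoring check after each renewal.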
Using the certificate
Nginx
On Nginx, the following directives must be added to the vhost corresponding to the domain name example-certbot.org:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example-certbot.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example-certbot.org/privkey.pem;
Apache
On Apache, the following directives must be added to the vhost corresponding to the domain name example-certbot.org:
SSLCertificateFile /etc/letsencrypt/live/example-certbot.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example-certbot.org/privkey.pem