71 lines
2.8 KiB
Plaintext
71 lines
2.8 KiB
Plaintext
PLUGIN SUPPORT
|
|
letsencrypt support five plugins to obtain/install certificates and many more to come in the future.
|
|
However, we will only cover standalone plugin because apache plugin only works on Debian-based OS for now
|
|
and nginx is still considered very experimental.
|
|
|
|
OBTAINING CERTIFICATE USING STANDALONE PLUGIN
|
|
Since Slackware is not yet supported, instead of running "letsencrypt-auto certonly"
|
|
as instructed, you can run "letsencrypt certonly" to install certificates manually using standalone plugin.
|
|
|
|
Here's what i use to create a certificate using port 443 for domain validation
|
|
certbot certonly --webroot-path=<DOCUMENT-ROOT> --standalone-supported-challenges tls-sni-01 -d <DOMAIN-NAME> \
|
|
--email <ADMIN-EMAIL> --renew-by-default --agree-tos --text --standalone
|
|
|
|
If you want to use port 80 for domain validation, replace
|
|
--standalone-supported-challenges tls-sni-01
|
|
with
|
|
--standalone-supported-challenges http-01
|
|
|
|
NOTE:
|
|
You need to make sure that the port (80 or 443) is NOT USED before running above command (ie. you may need to
|
|
temporarily stop your exising webserver)
|
|
All domain-spesific configuration files are stored in /etc/letsencrypt/live/<DOMAIN-NAME>
|
|
|
|
Once certificate is created, you need to enable and configure httpd-ssl.conf
|
|
|
|
RENEWAL PROCESS
|
|
Best way is to use a simple bash script that perform following actions:
|
|
- turn off httpd service
|
|
- give some delay (2s is enough)
|
|
- run the above command to renew automatically
|
|
- start httpd service
|
|
|
|
RATE LIMIT
|
|
Rate limit on registrations per IP is now 500 per 3 hours.
|
|
Rate limit on certificates per Domain is now 20 per 7 days.
|
|
|
|
CONFIGURATION FILES
|
|
|
|
It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini).
|
|
An example configuration file is shown below:
|
|
|
|
# This is an example of the kind of things you can do in a configuration file.
|
|
# All flags used by the client can be configured here. Run Let's Encrypt with
|
|
# "--help" to learn more about the available options.
|
|
|
|
# Use a 4096 bit RSA key instead of 2048
|
|
rsa-key-size = 4096
|
|
|
|
# Uncomment and update to register with the specified e-mail address
|
|
# email = foo@example.com
|
|
|
|
# Uncomment and update to generate certificates for the specified
|
|
# domains.
|
|
# domains = example.com, www.example.com
|
|
|
|
# Uncomment to use a text interface instead of ncurses
|
|
# text = True
|
|
|
|
# Uncomment to use the standalone authenticator on port 443
|
|
# authenticator = standalone
|
|
# standalone-supported-challenges = tls-sni-01
|
|
|
|
# Uncomment to use the webroot authenticator. Replace webroot-path with the
|
|
# path to the public_html / webroot folder being served by your web server.
|
|
# authenticator = webroot
|
|
# webroot-path = /usr/share/nginx/html
|
|
|
|
By default, the following locations are searched:
|
|
/etc/letsencrypt/cli.ini
|
|
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).
|