Certbot: Difference between revisions

From Newroco Tech Docs
Latest revision as of 06:48, 13 June 2023

Install certbot through snap

The certbot-auto script is no longer supported, and the way to install the latest version on Ubuntu is through snap (the version from apt-get is too old): https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal

Note: there is no need to create a cron job for automatic renewals, as one is created at installation. It is found either at /etc/cron.d/certbot or with the command systemctl list-timers

The commands should be the same as the ones below, just use certbot instead of certbot-auto

Certbot-auto

Certbot sets up a free Let's Encrypt certificate for your website. The following instructions are for Certbot, which is the tool supplied by the EFF (the creators of Let's Encrypt) to help with setup. These notes are for a simple single site with defaults.

Ensure a DNS record exists for the domain name(s) you will be using.

NB: Let's Encrypt does not support wildcard certificates, but given it is no additional cost (and easy) to generate certs for different domains, or a cert with multiple domain names attached, wildcards are not a big issue.

Retrieve the certbot-auto script, make it executable, copy it somewhere in the default path and execute it:

apt-get -y install python-pip
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
cp certbot-auto /usr/bin/
#Create a certificate for all domains
certbot-auto --apache

#Create a certificate for a specific domain
certbot-auto --apache --cert-name example.com -d 1.example.com,2.example.com

#Create only the certificate for a specific domain, without touching the vhost
certbot-auto certonly --apache -d 1.example.com

Follow the prompts displayed, making sure you enter the domain name(s) correctly. Given the current environment, when asked whether you want to keep HTTP available it is recommended to take the "secure" option (HTTPS only).

If the certificate generates successfully, next configure auto-renew. Test this first by running

certbot-auto renew --dry-run

and if successful add auto-renew to cron.daily

sudo vim /etc/cron.daily/autorenew

#!/bin/sh
##script to run Lets Encrypt certificate renewal check/update tool
certbot-auto renew --quiet --no-self-upgrade

and make it executable

sudo chmod +x /etc/cron.daily/autorenew

You should occasionally run certbot-auto manually to let it upgrade, but the auto command will keep certificates updated in between.

Editing a certificate

If it is necessary to add an alias to an existing certificate, run the following command

certbot-auto --apache --cert-name <domain.name> -d domain1,domain2

On the vhost, add the redirect to https for each alias:

RewriteCond %{SERVER_NAME} =domain1 [OR]
RewriteCond %{SERVER_NAME} =domain2

Revoking a certificate

certbot-auto revoke --cert-path /etc/letsencrypt/live/<cert-name>/cert.pem

or

certbot-auto revoke --cert-name <certname>

DNS challenge

In case you need to use the DNS challenge for the domain verification, e.g. when the server/certbot is behind a CDN, this is how you can do it

certbot certonly --manual --preferred-challenges dns -d '*.domain.com'

The command will first output details about a DNS record that needs to be added to the domain for the verification to succeed; after you add the record, press ENTER for the certbot verification to run.
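A helper for the manual DNS challenge above, added here as an example (it is not part of the Newroco notes or of certbot itself): before pressing ENTER, it polls public DNS until the _acme-challenge TXT record carries the value certbot printed, so the validation is not attempted against a record that has not propagated yet (a failed attempt counts against the Let's Encrypt rate limits). It assumes dig (package dnsutils on Ubuntu) is installed; the script name, the 15 second poll interval and the optional resolver argument are choices made for this example.

```shell
#!/bin/sh
# check-acme-txt.sh (added example, not from the Newroco page or certbot)
# Confirm that the _acme-challenge TXT record printed by
#   certbot certonly --manual --preferred-challenges dns -d '*.domain.com'
# is visible in DNS before pressing ENTER in certbot.
# Assumes `dig` (package dnsutils on Ubuntu) is installed.

# acme_record_name NAME: the TXT record certbot validates for NAME.
# A wildcard "*.domain.com" is validated at "_acme-challenge.domain.com",
# the same name that is used for the bare "domain.com".
acme_record_name() {
  name="$1"
  case "$name" in
    \*.*) name="${name#\*.}" ;;
  esac
  printf '_acme-challenge.%s\n' "$name"
}

# txt_matches VALUE: succeed if VALUE is among the TXT answers on stdin.
# `dig +short` prints each TXT string wrapped in double quotes.
txt_matches() {
  expected="$1"
  while IFS= read -r line; do
    line="${line#\"}"
    line="${line%\"}"
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# wait_for_txt NAME VALUE [ATTEMPTS] [RESOLVER]: poll DNS every 15 s until
# the record carries VALUE, or give up after ATTEMPTS tries (default 20).
# Without RESOLVER the system resolver is used.
wait_for_txt() {
  rec="$(acme_record_name "$1")"
  value="$2"
  attempts="${3:-20}"
  resolver="${4:-}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if dig +short TXT "$rec" ${resolver:+"@$resolver"} | txt_matches "$value"; then
      echo "$rec carries the expected value; press ENTER in certbot now"
      return 0
    fi
    i=$((i + 1))
    sleep 15
  done
  echo "$rec did not show the expected value after $attempts attempts" >&2
  return 1
}

# Usage: ./check-acme-txt.sh '*.domain.com' '<value printed by certbot>' [attempts] [resolver]
if [ "$#" -ge 2 ]; then
  wait_for_txt "$@"
fi
```

When requesting both the wildcard and the bare domain in one command (-d '*.domain.com,domain.com'), certbot asks for two TXT records with the same name; run the check once per value and keep both records in place until the validation has finished. A caching resolver that has already answered "no such record" may keep returning that for its negative-cache TTL, so passing the domain's authoritative nameserver as the resolver argument gives the earliest reliable answer.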

Ubuntu upgrade between major versions

Note: This issue seems to be fixed, but it is still worth taking a backup just to be extra safe.

Note: When doing a major version upgrade, e.g. 16.04 to 18.04, directory /etc/letsencrypt gets deleted and certbot will be broken. So before starting the upgrade make a copy of /etc/letsencrypt in another directory.

cp -R /etc/letsencrypt ~/

After the upgrade, copy the letsencrypt folder back to /etc/letsencrypt and reinstall certbot

cp -R ~/letsencrypt /etc/
mv /opt/eff.org/certbot /opt/eff.org/certbot-old
certbot-auto certificates

The last command will trigger certbot to be reinstalled and will list the available certificates, allowing you to check that all previous certificates are recognized. You should also check that renewal works with the dry-run command provided above.
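The check above (that certbot still lists all certificates, and that renewal keeps working afterwards) can be automated. The following script is an added example written for this page, not code from the Newroco notes or from certbot: it parses the output of certbot certificates (certbot-auto certificates on the older installs) and reports any certificate that is INVALID, that expires within WARN_DAYS, or the case where no certificate is listed at all. Since certbot renews 30 days before expiry, a certificate with fewer than 20 days left means the renewal job has been failing for more than a week. The field layout of the constructed sample is assumed to match what certbot prints; only the Certificate Name and Expiry Date lines are parsed.

```shell
#!/bin/sh
# check-certs.sh (added example, not from the Newroco page or certbot)
# Parse `certbot certificates` output and report certificates that are
# INVALID or expire within WARN_DAYS. Run daily from cron with --live,
# or with --sample to try it on the constructed sample below.

WARN_DAYS="${WARN_DAYS:-20}"

# Constructed sample output; the field layout is assumed to match what
# certbot prints (only "Certificate Name:" and "Expiry Date:" are parsed).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2023-09-11 06:48:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2023-06-20 06:48:00+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2023-06-01 06:48:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.example.com/privkey.pem'

# report_certs WARN: read certbot output on stdin, print one line per
# problem ("<name> INVALID" or "<name> EXPIRING <days>") and exit 1 if any
# problem was found or no certificate was listed at all (the case where
# /etc/letsencrypt was lost in an upgrade).
report_certs() {
  awk -v warn="$1" '
    /Certificate Name:/ { name = $3; seen++ }
    /Expiry Date:/ {
      if ($0 ~ /INVALID/) {
        print name " INVALID"; bad++
      } else if (match($0, /VALID: [0-9]+ day/)) {
        days = substr($0, RSTART + 7, RLENGTH - 11) + 0
        if (days < warn) { print name " EXPIRING " days; bad++ }
      } else if (match($0, /VALID: [0-9]+ hour/)) {
        print name " EXPIRING 0"; bad++
      }
    }
    END {
      if (!seen) { print "NO CERTIFICATES FOUND"; bad++ }
      exit (bad > 0)
    }
  '
}

# check_live: run the real certbot and report. A failing certbot command is
# reported itself instead of being silently read as "no problems".
check_live() {
  out="$(certbot certificates 2>&1)" || { echo "certbot certificates failed: $out" >&2; return 2; }
  printf '%s\n' "$out" | report_certs "$WARN_DAYS"
}

case "${1:-}" in
  --sample) printf '%s\n' "$SAMPLE_OUTPUT" | report_certs "$WARN_DAYS" ;;
  --live)   check_live ;;
esac
```

The non-zero exit status is what makes it useful in cron: run it as check-certs.sh --live from a daily job and let cron mail the output, or wrap it in whatever alerting the host already has. Test certificates from the staging environment are listed by certbot as INVALID: TEST_CERT and are reported too, which is the desired behaviour on a production host.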

Troubleshooting

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:

Rename /opt/eff.org/certbot and run a certbot-auto command to install it again

mv /opt/eff.org/certbot /opt/eff.org/certbot-old
certbot-auto certificates

Ubuntu 16.04

Certbot is packaged for 16.04, so apt-get the following package:

sudo apt-get install python-letsencrypt-apache

It also has an Apache plugin that automates obtaining and installing certificates:

letsencrypt --apache 

You can also add domains manually, useful for adding aliases to a single certificate e.g. example.com & www.example.com

letsencrypt --apache --domains example.com,www.example.com


Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

letsencrypt renew --dry-run --agree-tos

WARNING

There's a bug in the version of Certbot on Ubuntu Xenial which may show a warning saying 'Registering without email!' even if you have previously given an email to Certbot. Don't worry if this happens, it will not affect your renewal. If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

letsencrypt renew 

Errors that might appear

If certbot-auto fails with the following error:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1

set the locale and run certbot-auto again:

export LC_ALL=C