letsencrypt / certbot

Installation
https://certbot.eff.org/

# Package install on Ubuntu/Debian. The PPA lines stay commented out:
# certbot.eff.org (linked above) documents the currently recommended
# install path, which may differ from the distribution package.
#sudo apt-get install -y software-properties-common
#sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get --yes install certbot

# Install certbot package with Ansible:
https://github.com/panticz/ansible/tree/master/roles/certbot

Create certificate and configure nginx

certbot --nginx -d www.example.com

Create wildcard certificate

# Manual DNS-01 issuance of a wildcard against the ACME v2 endpoint.
# --register-unsafely-without-email: the account has no contact address,
#   so no expiry reminders arrive — set one for anything that matters.
# --manual-public-ip-logging-ok: newer certbot releases have deprecated
#   this flag; drop it if your version rejects it.
# The _acme-challenge TXT record must be published before the challenge
# is answered (see "check TXT DNS entry" further down).
certbot certonly --manual --preferred-challenges dns-01 \
  --manual-public-ip-logging-ok \
  --register-unsafely-without-email --agree-tos \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d '*.example.com'

Pack certificate

sudo tar --exclude=README -C /etc/letsencrypt/live -czhf /tmp/letsencrypt.tar.gz .

Convert to p12

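# Convert each certificate directory into a PKCS#12 bundle. Meant to be
# run from a directory of per-domain subdirectories holding the numbered
# files (cert1.pem, ...) — the "1" is the first issuance; adjust for
# renewed certificates.
# A glob replaces `for DIR in $(find * ...)`, which word-splits on any
# directory name containing whitespace.
# -passout "pass:" produces a bundle with an empty password: the private
# key inside is then readable by anyone who can read the .p12 file.
for DIR in */; do
    DIR=${DIR%/}
    [ -d "${DIR}" ] || continue   # no subdirectory: the literal "*/" remains
    openssl pkcs12 -export -passout "pass:" \
        -out "${DIR}/${DIR}.p12" \
        -inkey "${DIR}/privkey1.pem" \
        -in "${DIR}/cert1.pem" \
        -certfile "${DIR}/chain1.pem"
done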

Force renew certificate

sudo certbot renew --force-renewal

Docker
https://hub.docker.com/r/certbot/certbot/

# request wildcard certificate and store under /tmp

# Same wildcard request as above, run from the official image. The host's
# /tmp is mounted as the container's /etc/letsencrypt, so everything the
# client writes (including the issued private key) lands under /tmp —
# move it somewhere protected afterwards.
sudo docker run --rm -it --volume /tmp:/etc/letsencrypt certbot/certbot certonly \
    --manual --manual-public-ip-logging-ok --register-unsafely-without-email \
    --agree-tos --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -d '*.example.com'
sudo ls -l /tmp/archive/example.com/

User guide
https://certbot.eff.org/docs/using.html

Flush DNS cache

sudo systemd-resolve --flush-caches

check TXT DNS entry

dig _acme-challenge.www.example.com TXT

#
# install
#
# Ubuntu Xenial package

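# Ubuntu Xenial ships the client as the "letsencrypt" package (no hyphen).
apt-get install letsencrypt

# ...or clone the upstream client. The clone lands in /opt/letsencrypt,
# so the wrapper is /opt/letsencrypt/letsencrypt-auto (the path used in
# the apache section below), not /opt/letsencrypt-auto.
apt-get install -y git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --help all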

#
# create letsencrypt certificate
#

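# Pre-publish an HTTP-01 challenge response on every web host.
# The file name is the part of TXT before the ".", the file content is
# the whole value — presumably the token / key authorization the ACME
# client printed; the value below is an example to replace.
# HOSTS is deliberately left unquoted so the newline-separated list
# splits into words; each host is quoted where it reaches ssh.
HOSTS="
www1.example.com
www2.example.com
www3.example.com
mail.example.com
"

TXT=yuvAtjoicipsOvkashonFurkithsOtPeopNoHewtud4.chacnabvotfueHadgikthisDydsecCeowIkChirnuby
for HOST in ${HOSTS}; do
    ssh "${HOST}" "mkdir -p /var/www/.well-known/acme-challenge && echo ${TXT} > /var/www/.well-known/acme-challenge/${TXT%.*}"
done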
 
#wget -q ${URL} -O -
 
# Copy the issued files from the ACME host to the web host through this
# machine (-3); the private key transits through here as well.
scp -3 root@letsencrypt.example.com:/etc/letsencrypt/live/www.example.com/* root@www.example.com:/etc/letsencrypt/live/www.example.com/
# Lock the key down on the web host. NOTE(review): scp above uses root@,
# the two ssh lines use the local user name — confirm ~/.ssh/config maps
# www.example.com to root, otherwise chmod and the restart fail.
ssh www.example.com chmod 400 /etc/letsencrypt/live/www.example.com/privkey.pem
ssh www.example.com service apache2 restart
 
# create configuration file (cron is needed for the renewal job below)
apt-get --no-install-recommends install cron

# Client defaults. Note ">>" appends: running this twice leaves duplicate
# keys in cli.ini. "mal@example.com" looks like a typo for "mail@" — check.
# The delimiter is quoted: the content is written literally, nothing expands.
cat <<'EOF' >> /etc/letsencrypt/cli.ini
domains = www.example.com,example.com
rsa-key-size = 4096
email = mal@example.com
text = true
authenticator = webroot
webroot-path = /var/www/html
EOF
 
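# create cron: renew monthly, then reload apache. Both commands are grouped
# so the renewal's output and errors reach the log too — with the original
# redirect only the reload's stdout was logged, and stderr went to mail.
# NOTE(review): the clone earlier puts the wrapper at
# /opt/letsencrypt/letsencrypt-auto — confirm the path below exists.
cat <<'EOF' > /etc/cron.d/letsencrypt
52 6    1 * *    root    (/opt/letsencrypt-auto --renew certonly && /usr/sbin/service apache2 reload) >> /var/log/letsencrypt-renew.log 2>&1
EOF

service cron restart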

auto generate

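# Non-interactive issuance for this host and its www. alias. The command
# substitutions are quoted; the cd is chained so the renewal never runs
# from the wrong directory when /root/letsencrypt is missing.
# --standalone: the client answers the challenge with its own listener,
# so the web server must not be holding the port meanwhile (confirm for
# your version).
letsencrypt certonly \
  --standalone \
  --manual-public-ip-logging-ok \
  --agree-tos \
  --rsa-key-size 4096 \
  --email "webmaster@$(hostname -f)" \
  --domains "$(hostname -f)" --domains "www.$(hostname -f)"
cd /root/letsencrypt && ./letsencrypt-auto --renew certonly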
 
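# create (manual): interactive issuance for both names; --rsa-key-size is
# given once (it was duplicated before).
./letsencrypt-auto certonly --manual --manual-public-ip-logging-ok --agree-tos \
  --rsa-key-size 4096 --email mail@example.com \
  --domains www.example.com,example.com
# ./letsencrypt-auto certonly --standalone -d www.example.com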
 
# configure apache: point the client's installer at the issued files
/opt/letsencrypt/letsencrypt-auto install \
  --cert-path /etc/letsencrypt/live/www.example.com/cert.pem \
  --key-path /etc/letsencrypt/live/www.example.com/privkey.pem \
  --fullchain-path /etc/letsencrypt/live/www.example.com/fullchain.pem
 
# Smoke-test the webroot: publish a dummy challenge file under
# .well-known/acme-challenge, then remove the directory again.
mkdir -p /var/www/.well-known/acme-challenge
printf '%s\n' 'bar' > /var/www/.well-known/acme-challenge/foo
rm -r /var/www/.well-known
 
# certificate directory: live/<name>/ holds symlinks to the current
# versioned files in archive/ (compare the cert1.pem names used above)
ls -l /etc/letsencrypt/live/*/
 
# enable ssl
a2enmod ssl
a2ensite default-ssl
# Anchored to line 12 of the file: check that line is the intended
# <Directory> block before running. NOTE(review): AllowOverride all lets
# per-directory .htaccess files override server config — confirm intended.
sed -i '12s|AllowOverride None|AllowOverride all|g' /etc/apache2/sites-enabled/default-ssl
service apache2 reload
 
# test
# --non-interactive 
 
# auto renew
30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log
 
# Apache config
cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin mail@example.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # fullchain.pem carries leaf + intermediates in one file (the
    # apache >= 2.4.8 form; the older split form is shown below).
    # privkey.pem must stay readable by root only.
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    # protocol/cipher settings shipped by the client
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
 
# apache < 2.4.8: the chain goes in its own directive; from 2.4.8 on
# SSLCertificateChainFile is deprecated and the chain is appended to the
# file named by SSLCertificateFile (fullchain.pem, as above).
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
 
# apache >= 2.4.8
 
# Nginx
/etc/nginx/sites-enabled/default
	# inside the server {} block
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	# NOTE(review): these paths are under /etc/ssl, not /etc/letsencrypt/live;
	# presumably copied there — confirm renewals update these copies too.
	ssl_certificate /etc/ssl/certs/fullchain.pem;
	ssl_certificate_key /etc/ssl/private/privkey.pem;
 
 
# HAProxy
cat cert.pem fullchain.pem privkey.pem > all.pem
bind <SERVER_IP>:443 ssl crt /etc/letsencrypt/live/www.example.com/all.pem

Auto Apache installation
# Apache plugin: install apache first, then let the client configure it.
apt-get -y install apache2
./letsencrypt-auto --apache

# apache config example
/etc/letsencrypt/options-ssl-apache.conf

# CLI examples (older client syntax — the "auth" subcommand; check the
# current certbot docs before reusing). Every directory is under /tmp,
# which is fine for a test run only.
./letsencrypt-auto --email foo@www.example.com --text \
  --authenticator manual \
  --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ \
  auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr /tmp/example.csr

# Which browsers and operating systems support Let’s Encrypt
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=weppos

#
# dns-01
#
# https://github.com/jbjonesjr/letsencrypt-manual-hook
# dns-01 with dehydrated plus a manual hook written in ruby. Both clones
# track an unpinned default branch and the hook runs with the client's
# privileges: read the hook and pin a reviewed commit before using it
# outside a lab.
apt-get -y install git ruby
git clone https://github.com/lukas2511/dehydrated.git
git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git dehydrated/hooks/manual
./dehydrated/dehydrated -c -t dns-01 -d www.example.com \
  -k ./dehydrated/hooks/manual/manual_hook.rb

Generate pkcs12
openssl pkcs12 -export -out keystore.p12 -passout 'pass:changeme' -inkey privkey.pem -in cert.pem -certfile chain.pem

Limits
https://letsencrypt.org/docs/rate-limits/

Hetzner
https://community.hetzner.com/tutorials/letsencrypt-dns
https://github.com/dschoeffm/hetzner-dns-certbot

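# Hetzner DNS-01 via the hook scripts. -f makes curl fail on an HTTP error
# instead of saving the error page as an executable; -sS stays quiet but
# still reports failures; chmod only runs after a successful download.
# The hooks run with certbot's (root) privileges and are fetched from an
# unpinned "master" branch: read them before use and pin a reviewed commit
# where possible.
curl -fsS https://raw.githubusercontent.com/dschoeffm/hetzner-dns-certbot/master/certbot-hetzner-auth.sh \
  -o /usr/local/bin/certbot-hetzner-auth.sh \
  && chmod +x /usr/local/bin/certbot-hetzner-auth.sh

curl -fsS https://raw.githubusercontent.com/dschoeffm/hetzner-dns-certbot/master/certbot-hetzner-cleanup.sh \
  -o /usr/local/bin/certbot-hetzner-cleanup.sh \
  && chmod +x /usr/local/bin/certbot-hetzner-cleanup.sh

# API token file (xxx... is a placeholder). The default umask would leave
# it world-readable, so it is created under umask 077 (an already existing
# file keeps its old mode — check with ls -l). Typing the token on the
# command line also records it in shell history; prefer pasting it into
# the file with an editor.
( umask 077 && echo xxxxxxxxxxxxxxxxxxxxx > /etc/hetzner-dns-token )

# DOMAIN is not set anywhere above; fail early instead of passing -d "".
: "${DOMAIN:?set DOMAIN to the name to issue for}"
certbot certonly \
    -n \
    --manual \
    --manual-public-ip-logging-ok \
    --agree-tos \
    -m info@example.com \
    --preferred-challenges=dns \
    --manual-auth-hook /usr/local/bin/certbot-hetzner-auth.sh \
    --manual-cleanup-hook /usr/local/bin/certbot-hetzner-cleanup.sh \
    -d "${DOMAIN}"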

links
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
http://letsencrypt.readthedocs.org/en/latest/using.html#configuration-file
https://thomas-leister.de/internet/anleitung-fuer-lets-encrypt-kostenlose-tls-zertifikate-fuer-alle/
https://letsencrypt.readthedocs.org/en/latest/intro.html
http://www.admin-magazin.de/Online-Artikel/Zertifikate-von-Let-s-Encrypt-in-Apache-Nginx-und-HAProxy-verwenden
https://letsencrypt.org/docs/rate-limits/ - limits