letsencrypt

#
# install
#
# Ubuntu Xenial package
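# Ubuntu Xenial package (the archive name is "letsencrypt", not "lets-encrypt").
apt-get install -y letsencrypt

# ...or track upstream from git.  Either route is sufficient; both are shown.
apt-get install -y git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
# The wrapper lives inside the clone, not next to it.
/opt/letsencrypt/letsencrypt-auto --help all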

#
# create letsencrypt certificate
#
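HOSTS="
www1.example.com
www2.example.com
www3.example.com
mail.example.com
"

# HTTP-01 key authorization, "<token>.<account-key-thumbprint>".  The file
# published under /.well-known/acme-challenge/ is named after the token alone
# (everything before the dot) and contains the whole string.
TXT=yuvAtjoicipsOvkashonFurkithsOtPeopNoHewtud4.chacnabvotfueHadgikthisDydsecCeowIkChirnuby
CHALLENGE_DIR=/var/www/.well-known/acme-challenge

# shellcheck disable=SC2086 -- HOSTS is deliberately word-split, one host per line.
for HOST in ${HOSTS}; do
  # The remote command line is assembled from values fixed in this file; do not
  # feed externally supplied host names or tokens into it, they would be
  # interpreted by the remote shell.
  ssh "${HOST}" "mkdir -p ${CHALLENGE_DIR} && printf '%s\n' '${TXT}' > ${CHALLENGE_DIR}/${TXT%.*}"
done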

#wget -q ${URL} -O -

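# Copy the issued files from the ACME host to the web host.  "-3" relays the
# transfer through this machine, so the private key passes through local memory
# as well.  "-p" preserves the source file modes, so the key is not first
# created with the destination's default umask mode and only tightened by the
# chmod below; check that the mode on the ACME host is already restrictive.
scp -3 -p root@letsencrypt.example.com:/etc/letsencrypt/live/www.example.com/* root@www.example.com:/etc/letsencrypt/live/www.example.com/
ssh www.example.com chmod 400 /etc/letsencrypt/live/www.example.com/privkey.pem
ssh www.example.com service apache2 restart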

# create configuration file
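apt-get install cron --no-install-recommends

# Client defaults read by every letsencrypt-auto run.  The original
# "cat <> file" opened the file read/write and left the lines below to be
# executed as commands (here-document markup lost); this is the intended form.
# NOTE(review): "mal@example.com" looks like a typo for "mail@example.com",
# the address used elsewhere in this file - confirm before relying on it.
# NOTE(review): webroot-path is /var/www/html while the challenge snippets in
# this file write under /var/www/.well-known - verify against the vhost.
cat <<'EOF' > /etc/letsencrypt/cli.ini
domains = www.example.com,example.com
rsa-key-size = 4096
email = mal@example.com
text = true
authenticator = webroot
webroot-path = /var/www/html
EOF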

# create cron
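# Renewal job, 06:52 on the 1st of each month.  The original "cat < file"
# read the file instead of writing it (here-document markup lost).  Both
# commands now log stdout and stderr; previously only the reload's stdout was
# captured and renewal errors were lost.  The wrapper path matches the clone
# location used above (/opt/letsencrypt), not /opt/letsencrypt-auto.
cat <<'EOF' > /etc/cron.d/letsencrypt
52 6 1 * * root /opt/letsencrypt/letsencrypt-auto --renew certonly >> /var/log/letsencrypt-renew.log 2>&1 && /usr/sbin/service apache2 reload >> /var/log/letsencrypt-renew.log 2>&1
EOF

service cron restart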

# auto generate
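# Standalone mode starts its own listener for the challenge, so the port it
# binds must be free (stop the web server for the duration).
# hostname -f is evaluated once and quoted so a multi-word or empty result
# cannot split into extra arguments.
fqdn=$(hostname -f) || exit 1
letsencrypt certonly \
  --standalone \
  --manual-public-ip-logging-ok \
  --agree-tos \
  --rsa-key-size 4096 \
  --email "webmaster@${fqdn}" \
  --domains "${fqdn}" --domains "www.${fqdn}"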

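# The clone above lives in /opt/letsencrypt; fail instead of running
# "./letsencrypt-auto" from whatever directory the cd left us in.
cd /opt/letsencrypt || exit 1
./letsencrypt-auto --renew certonly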

# create (manual)
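# Manual challenge; --rsa-key-size was passed twice in the original, once is enough.
./letsencrypt-auto certonly --manual --manual-public-ip-logging-ok --agree-tos --rsa-key-size 4096 --email mail@example.com --domains www.example.com,example.com
# ./letsencrypt-auto certonly --standalone -d www.example.com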

# configure apache
# Hand the issued files to the client's installer step for the Apache vhost.
live=/etc/letsencrypt/live/www.example.com
/opt/letsencrypt/letsencrypt-auto install \
  --cert-path "${live}/cert.pem" \
  --key-path "${live}/privkey.pem" \
  --fullchain-path "${live}/fullchain.pem"

# Smoke-test the challenge path: create it, drop a marker file that the web
# server should serve as /.well-known/acme-challenge/foo, then clean up.
# NOTE(review): this is /var/www, while cli.ini's webroot-path is
# /var/www/html - confirm which one the vhost actually serves.
challenge=/var/www/.well-known
mkdir -p "${challenge}/acme-challenge"
printf 'bar\n' > "${challenge}/acme-challenge/foo"
rm -r "${challenge}"

# certificate directory
# Show the current certificate set per domain (live/ holds symlinks to the
# newest generation, so -l also shows where they point).
ls -l -- /etc/letsencrypt/live/*/

# enable ssl
a2enmod ssl
a2ensite default-ssl
# Editing by line number is brittle: if line 12 is not the expected
# "AllowOverride None" the sed silently does nothing or hits another line
# (presumably it targets the <Directory> block of the vhost - confirm).
# "AllowOverride all" lets any .htaccess below the DocumentRoot change server
# behaviour, so keep that tree non-writable by the web server user.
# NOTE(review): on Apache 2.4 (Ubuntu 14.04+) the enabled file is normally
# default-ssl.conf - check /etc/apache2/sites-enabled/ for the real name.
sed -i '12s|AllowOverride None|AllowOverride all|g' /etc/apache2/sites-enabled/default-ssl
service apache2 reload

# test
# --non-interactive

# auto renew
30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log

# Apache config
cat /etc/apache2/sites-enabled/000-default-le-ssl.conf

ServerAdmin mail@example.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

# apache

# >= 2.4.8 (SSLCertificateFile accepts the full chain, as in the vhost above)
 
 
# Nginx
/etc/nginx/sites-enabled/default
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	ssl_certificate /etc/ssl/certs/fullchain.pem;
	ssl_certificate_key /etc/ssl/private/privkey.pem;
 
 
# HAProxy
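# HAProxy wants certificate, chain and key in one PEM.  fullchain.pem already
# starts with cert.pem, so adding cert.pem as well duplicates the leaf.  The
# bundle contains the private key: create it under a restrictive umask rather
# than tightening the mode afterwards.
(umask 077 && cat fullchain.pem privkey.pem > all.pem)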
bind <SERVER_IP>:443 ssl crt /etc/letsencrypt/live/www.example.com/all.pem
 
 
# Auto Apache installation
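apt-get install -y apache2
# --apache obtains the certificate and edits the Apache config in one run.
# Use the clone location from above instead of a cwd-relative path.
/opt/letsencrypt/letsencrypt-auto --apache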
 
# apache config example
/etc/letsencrypt/options-ssl-apache.conf
 
# CLI examples
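# The original used fixed names under /tmp for the work, config, log, cert
# and chain directories.  The config dir holds the account key and the cert
# dir the issued files; in a shared, world-writable /tmp a predictable path
# can be pre-created or read by another local user.  Use a private directory.
le_tmp=$(mktemp -d) || exit 1
./letsencrypt-auto --email foo@www.example.com --text --authenticator manual \
  --work-dir "${le_tmp}/work/" --config-dir "${le_tmp}/config/" --logs-dir "${le_tmp}/logs/" \
  auth --cert-path "${le_tmp}/certs/" --chain-path "${le_tmp}/chains/" --csr /tmp/example.csr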
 
# Which browsers and operating systems support Let’s Encrypt
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=weppos
 
#
# dns-01
#
# https://github.com/jbjonesjr/letsencrypt-manual-hook
# dns-01 via dehydrated plus a Ruby manual hook.  Both clones run as root
# afterwards, so review (or pin) what was fetched before invoking it.
apt-get install -y git ruby
hook_dir=dehydrated/hooks/manual
git clone https://github.com/lukas2511/dehydrated.git
git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git "${hook_dir}"
./dehydrated/dehydrated -c -t dns-01 -d www.example.com -k "./${hook_dir}/manual_hook.rb"
 
# check TXT DNS entry
# The dns-01 challenge is published as a TXT record on this name; query it
# from outside (or with @<authoritative-ns>) before telling the hook to continue.
dig _acme-challenge.www.example.com TXT
 
# Generate PKCS#12
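# Bundle key + cert + chain into a PKCS#12 keystore.  The export password is
# read from the terminal and passed through the environment (-passout env:)
# instead of on the command line, where "pass:changeme" was visible in ps
# output and shell history.  The keystore holds the private key, hence umask.
read -r -s -p 'PKCS#12 export password: ' PKCS12_PASS && printf '\n'
export PKCS12_PASS
(umask 077 && openssl pkcs12 -export -out keystore.p12 -passout env:PKCS12_PASS -inkey privkey.pem -in cert.pem -certfile chain.pem)
unset PKCS12_PASS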
 
# links
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
http://letsencrypt.readthedocs.org/en/latest/using.html#configuration-file
https://thomas-leister.de/internet/anleitung-fuer-lets-encrypt-kostenlose-tls-zertifikate-fuer-alle/
https://letsencrypt.readthedocs.org/en/latest/intro.html
http://www.admin-magazin.de/Online-Artikel/Zertifikate-von-Let-s-Encrypt-in-Apache-Nginx-und-HAProxy-verwenden