unix:letsencrypt:certbot
Differences
This shows you the differences between two versions of the page.
unix:letsencrypt:certbot [2023/02/02 00:59] – rodolico | unix:letsencrypt:certbot [2023/07/15 02:16] (current) – rodolico | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Using certbot ====== | ====== Using certbot ====== | ||
- | **This is old information as most current installations use acme.sh.** I'm leaving it here for the time being, but simply running <code bash> | + | ===== acme.sh |
+ | A lot of installations use [[https:// | ||
+ | [[https:// | ||
- | First, | + | ===== certbot |
- | On a Devuan server, installed for ISPConfig, it is located in ///opt/eff.org/ | + | First, certbot can also be called letsencrypt on some really, really old machines. And, it is stored |
+ | On a Devuan servers, the certificates are stored in / | ||
A lot of this is taken from [[https:// | A lot of this is taken from [[https:// | ||
- | ===== See what certificates are on system | + | ==== See what certificates are on system ==== |
- | <code bash>/ | + | <code bash> |
Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them. | Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them. | ||
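Review bot: The added Devuan sentence in the new certbot section reads "On a Devuan servers", which mixes a singular article with a plural noun; make it "On Devuan servers", or "On a Devuan server" as the removed line had it. The new intro also says certbot can be called letsencrypt on "really, really old machines"; stating which releases or package versions that covers would let a reader tell which command name applies to their system.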
Line 30: | Line 33: | ||
</ | </ | ||
+ | ==== Delete an existing domain ==== | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | ==== Add a new domain/ | ||
+ | |||
+ | Ok, this one is tricky as you need a way to authenticate that you own the domain. The simplest way to do this is if you have a web server running. I have a couple of mail servers that I wanted certs for, so I installed apache2, then set it up for the server name plus a couple of aliases. | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | This creates a certificate named myserver.example.com, | ||
+ | |||
+ | ==== Editing an alias from a cert ==== | ||
+ | |||
+ | The above syntax allows you to add/delete aliases from an existing certificate. Simply rerun with the way you want the certificate to look. So, for example, if I wanted to remove the mail alias and add a dovecot alias, I'd do the following. | ||
+ | <code bash> | ||
+ | <code bash> | ||
+ | |||
+ | certbot will ask you if you really want to do this, and then it will do it. | ||
+ | |||
+ | |||
+ | ===== Setting up smtp and imap ===== | ||
+ | |||
+ | My favorite server is postfix for smtp and dovecot for imap/imaps, so this will cover that. Once you have your certificates downloaded, do the following: | ||
+ | |||
+ | ==== postfix ==== | ||
+ | postfix has a great cli tool named postconf which allows you to modify the configuration from the cli, so I'll use that here. This assumes you have the certs installed. | ||
+ | |||
+ | Basically, we'll create a symbolic link from the postfix directory (/ | ||
+ | |||
+ | Why not simply point to letsencrypt directly? Because, we'll use the same link with dovecot later, so we'll just point both of them to the same symbolic link. | ||
+ | |||
+ | <code bash> | ||
+ | # link the cert | ||
+ | ln -s / | ||
+ | # and the private key | ||
+ | ln -s / | ||
+ | # add them to postfix | ||
+ | postconf -e smtpd_tls_cert_file=/ | ||
+ | postconf -e smtpd_tls_key_file=/ | ||
+ | # restart postfix | ||
+ | service postfix reload | ||
+ | </ | ||
+ | |||
+ | ==== dovecot ==== | ||
+ | |||
+ | I'm sure there is an easier way to do this, but I just edit / | ||
+ | |||
+ | Basically, just add the following two lines in the base config. This uses the same certs as postfix | ||
+ | |||
+ | < | ||
+ | ssl_cert = </ | ||
+ | ssl_key = </ | ||
+ | </ | ||
+ | |||
+ | Now, restart dovecot | ||
+ | |||
+ | <code bash> | ||
+ | service dovecot restart | ||
+ | # watch for any errors, ^c to break out of tail -f | ||
+ | tail -f / | ||
+ | </ |
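Review bot: In the postfix block the comment "# restart postfix" does not match the command under it, "service postfix reload"; change the comment to say reload, or use restart if a full restart is intended, so the text and the command agree. The same section links the private key through a symbolic link shared by postfix and dovecot, but never says what ownership and permissions the key should have once linked, or what has to happen to both services after the certificate is renewed; a sentence on each would close that gap. Minor: "This uses the same certs as postfix" and "Now, restart dovecot" are missing their final period.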
unix/letsencrypt/certbot.1675321195.txt.gz · Last modified: 2023/02/02 00:59 by rodolico