unix:letsencrypt:certbot
Differences
This shows you the differences between two versions of the page.
unix:letsencrypt:certbot [2020/09/19 01:54] – created rodolico | unix:letsencrypt:certbot [2023/07/15 02:16] (current) – rodolico | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Using certbot ====== | ====== Using certbot ====== | ||
- | First, certbot can also be called letsencrypt on some machines. And, it is stored in various places, depending on how you set it up. | + | ===== acme.sh ===== |
- | On a Devuan server, installed for ISPConfig, it is located in ///opt/eff.org/certbot/venv/ | + | A lot of installations use [[https://github.com/acmesh-official/acme.sh | acme.sh]] now. The simplest way to figure out things on these installations |
+ | [[https:// | ||
+ | |||
+ | ===== certbot ===== | ||
+ | |||
+ | First, certbot can also be called letsencrypt on some really, really old machines. And, it is stored in various places, depending on how you set it up. | ||
+ | |||
+ | On a Devuan servers, the certificates are stored in / | ||
A lot of this is taken from [[https:// | A lot of this is taken from [[https:// | ||
- | ===== See what certificates are on system ===== | + | ==== See what certificates are on system ==== |
+ | |||
+ | <code bash> | ||
+ | |||
+ | Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them. | ||
+ | |||
+ | <code bash> | ||
+ | Saving debug log to / | ||
+ | |||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Found the following certs: | ||
+ | Certificate Name: mail.example.com | ||
+ | Domains: mail.example.com imap.example.com smtp.example.com | ||
+ | Expiry Date: 2020-10-26 12: | ||
+ | Certificate Path: / | ||
+ | Private Key Path: / | ||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | </ | ||
+ | |||
+ | ==== Delete an existing domain ==== | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | ==== Add a new domain/ | ||
+ | |||
+ | Ok, this one is tricky as you need a way to authenticate that you own the domain. The simplest way to do this is if you have a web server running. I have a couple of mail servers that I wanted certs for, so I installed apache2, then set it up for the server name plus a couple of aliases. | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | This creates a certificate named myserver.example.com, | ||
+ | |||
+ | ==== Editing an alias from a cert ==== | ||
+ | |||
+ | The above syntax allows you to add/delete aliases from an existing certificate. Simply rerun with the way you want the certificate to look. So, for example, if I wanted to remove the mail alias and add a dovecot alias, I'd do the following. | ||
+ | <code bash> | ||
+ | <code bash> | ||
+ | |||
+ | certbot will ask you if you really want to do this, and then it will do it. | ||
+ | |||
+ | |||
+ | ===== Setting up smtp and imap ===== | ||
+ | |||
+ | My favorite server is postfix for smtp and dovecot for imap/imaps, so this will cover that. Once you have your certificates downloaded, do the following: | ||
+ | |||
+ | ==== postfix ==== | ||
+ | postfix has a great cli tool named postconf which allows you to modify the configuration from the cli, so I'll use that here. This assumes you have the certs installed. | ||
+ | |||
+ | Basically, we'll create a symbolic link from the postfix directory (/ | ||
+ | |||
+ | Why not simply point to letsencrypt directly? Because, we'll use the same link with dovecot later, so we'll just point both of them to the same symbolic link. | ||
+ | |||
+ | <code bash> | ||
+ | # link the cert | ||
+ | ln -s / | ||
+ | # and the private key | ||
+ | ln -s / | ||
+ | # add them to postfix | ||
+ | postconf -e smtpd_tls_cert_file=/ | ||
+ | postconf -e smtpd_tls_key_file=/ | ||
+ | # restart postfix | ||
+ | service postfix reload | ||
+ | </ | ||
+ | |||
+ | ==== dovecot ==== | ||
+ | |||
+ | I'm sure there is an easier way to do this, but I just edit / | ||
+ | |||
+ | Basically, just add the following two lines in the base config. This uses the same certs as postfix | ||
+ | |||
+ | < | ||
+ | ssl_cert = </ | ||
+ | ssl_key | ||
+ | </ | ||
- | <code bash>/ | + | Now, restart dovecot |
+ | <code bash> | ||
+ | service dovecot restart | ||
+ | # watch for any errors, ^c to break out of tail -f | ||
+ | tail -f / | ||
+ | </ |
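Review bot: In the new postfix block the comment "# restart postfix" does not match the command under it, "service postfix reload"; say which one is intended and make the comment agree with the command, for example "# reload postfix so it picks up the new cert settings". The dovecot section further down does use "service dovecot restart", so as written the two sections look like they do the same thing when they do not. Two smaller points in the added text: "On a Devuan servers" in the certbot intro should read "On Devuan servers", and the sentence "This uses the same certs as postfix" in the dovecot section is missing its closing period.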
unix/letsencrypt/certbot.1600498466.txt.gz · Last modified: 2020/09/19 01:54 by rodolico