unix:letsencrypt:certbot

unix:letsencrypt:certbot [2020/09/19 01:54] – created rodolico
unix:letsencrypt:certbot [2023/07/15 02:16] (current) rodolico
Line 1: Line 1:
 ====== Using certbot ====== ====== Using certbot ======
  
-First, certbot can also be called letsencrypt on some machines. And, it is stored in various places, depending on how you set it up.+===== acme.sh =====
  
-On a Devuan server, installed for ISPConfig, it is located in ///opt/eff.org/certbot/venv/bin/certbot//, so I will use that path for all the examples belowThis is **not** in the path for any user, as far as I can tell, so you have to use the full path to call it.+A lot of installations use [[https://github.com/acmesh-official/acme.sh | acme.sh]] now. The simplest way to figure out things on these installations is to run <code bash>acme.sh --list</code> or <code bash>acme.sh --help</code> works.
  
 +[[https://www.ispconfig.org/|ISPConfig]] uses this as the default. If certbot is not installed on installation or upgrade, acme.sh is automagically downloaded and installed.
 +
 +===== certbot =====
 +
 +First, certbot can also be called letsencrypt on some really, really old machines. And, it is stored in various places, depending on how you set it up.
 +
 +On a Devuan servers, the certificates are stored in /etc/letsencrypt.
 A lot of this is taken from [[https://certbot.eff.org/docs/using.html]], which is confusing and hard to use, but does give an exhaustive list of the commands at the bottom. A lot of this is taken from [[https://certbot.eff.org/docs/using.html]], which is confusing and hard to use, but does give an exhaustive list of the commands at the bottom.
  
-===== See what certificates are on system =====+==== See what certificates are on system ==== 
 + 
 +<code bash>certbot certificates</code> 
 + 
 +Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them. 
 + 
 +<code bash> 
 +Saving debug log to /var/log/letsencrypt/letsencrypt.log 
 + 
 +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 +Found the following certs: 
 +  Certificate Name: mail.example.com 
 +    Domains: mail.example.com imap.example.com smtp.example.com 
 +    Expiry Date: 2020-10-26 12:09:56+00:00 (VALID: 37 days) 
 +    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem 
 +    Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem 
 +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 +</code> 
 + 
 +==== Delete an existing domain ==== 
 + 
 +<code bash>certbot delete --cert-name mail.example.com</code> will delete the entire certificate (including all aliases) 
 + 
 +==== Add a new domain/alias ==== 
 + 
 +Ok, this one is tricky as you need a way to authenticate that you own the domain. The simplest way to do this is if you have a web server running. I have a couple of mail servers that I wanted certs for, so I installed apache2, then set it up for the server name plus a couple of aliases. 
 + 
 +<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,mail.example.com,myserver.example.com</code> 
 + 
 +This creates a certificate named myserver.example.com, with the names smtp, mail and myserver (yes, you have to add that if you want it on the cert). That cert will be located in /etc/letsencrypt/live/myserver.example.com/, a the certificate is valid for all three names. 
 + 
 +==== Editing an alias from a cert ==== 
 + 
 +The above syntax allows you to add/delete aliases from an existing certificate. Simply rerun with the way you want the certificate to look. So, for example, if I wanted to remove the mail alias and add a dovecot alias, I'd do the following. 
 +<code bash> 
 +<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,dovecot.example.com,myserver.example.com</code> 
 + 
 +certbot will ask you if you really want to do this, and then it will do it. 
 + 
 + 
 +===== Setting up smtp and imap ===== 
 + 
 +My favorite server is postfix for smtp and dovecot for imap/imaps, so this will cover that. Once you have your certificates downloaded, do the following: 
 + 
 +==== postfix ==== 
 +postfix has a great cli tool named postconf which allows you to modify the configuration from the cli, so I'll use that here. This assumes you have the certs installed. 
 + 
 +Basically, we'll create a symbolic link from the postfix directory (/etc/postfix on Devuan) and point to the live certs in the letsencrypt live directory. 
 + 
 +Why not simply point to letsencrypt directly? Because, we'll use the same link with dovecot later, so we'll just point both of them to the same symbolic link. 
 + 
 +<code bash> 
 +# link the cert 
 +ln -s /etc/letsencrypt/live/myserver.example.com/fullchain.pem /etc/postfix/smtpd.cert 
 +# and the private key 
 +ln -s /etc/letsencrypt/live/myserver.example.com/privkey.pem /etc/postfix/smtpd.key 
 +# add them to postfix 
 +postconf -e smtpd_tls_cert_file=/etc/postfix/smtpd.cert 
 +postconf -e smtpd_tls_key_file=/etc/postfix/smtpd.key 
 +# restart postfix 
 +service postfix reload 
 +</code> 
 + 
 +==== dovecot ==== 
 + 
 +I'm sure there is an easier way to do this, but I just edit /etc/dovecot/dovecot.conf. I understand that Debian goes crazy with the conf.d, but I use a lot of ISPConfig stuff (which doesn't use that), and honestly I think it makes life more difficult. 
 + 
 +Basically, just add the following two lines in the base config. This uses the same certs as postfix 
 + 
 +<code> 
 +ssl_cert = </etc/postfix/smtpd.cert 
 +ssl_key </etc/postfix/smtpd.key 
 +</code>
  
-<code bash>/opt/eff.org/certbot/venv/bin/certbot certificates</code>+Now, restart dovecot
  
 +<code bash>
 +service dovecot restart
 +# watch for any errors, ^c to break out of tail -f
 +tail -f /var/log/mail.log
 +</code>
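Review bot: the dovecot fragment in this hunk has a syntax error that would keep dovecot from starting: `ssl_key </etc/postfix/smtpd.key` is missing the `=`, so it should read `ssl_key = </etc/postfix/smtpd.key` to match the `ssl_cert = </etc/postfix/smtpd.cert` line just above it (dovecot settings are `key = value`, and the leading `<` means "read the value from this file"). Two smaller points in the same hunk: the "Editing an alias from a cert" section opens a bare `<code bash>` on its own line immediately before the one-line `<code bash>certbot certonly ... </code>`, and that outer block is never closed, so everything after it will render as one code block in DokuWiki; and in the postfix block the comment says `# restart postfix` while the command is `service postfix reload`, which is the right command for picking up the new TLS file paths, so the comment should say reload. Wording nits worth fixing while here: "On a Devuan servers" and "a the certificate is valid for all three names".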
unix/letsencrypt/certbot.1600498466.txt.gz · Last modified: 2020/09/19 01:54 by rodolico