unix:letsencrypt:certbot

unix:letsencrypt:certbot [2023/02/02 00:59] rodolico
unix:letsencrypt:certbot [2023/07/15 02:16] (current) rodolico
Line 1: Line 1:
 ====== Using certbot ====== ====== Using certbot ======
  
-**This is old information as most current installations use acme.sh.** I'm leaving it here for the time being, but simply running <code bash>acme.sh --list</code> or <code bash>acme.sh --help</code> works.+===== acme.sh =====
  
 +A lot of installations use [[https://github.com/acmesh-official/acme.sh | acme.sh]] now. The simplest way to figure out things on these installations is to run <code bash>acme.sh --list</code> or <code bash>acme.sh --help</code> works.
  
 +[[https://www.ispconfig.org/|ISPConfig]] uses this as the default. If certbot is not installed on installation or upgrade, acme.sh is automagically downloaded and installed.
  
-First, certbot can also be called letsencrypt on some machines. And, it is stored in various places, depending on how you set it up.+===== certbot =====
  
-On a Devuan serverinstalled for ISPConfigit is located in ///opt/eff.org/certbot/venv/bin/certbot//so I will use that path for all the examples below. This is **not** in the path for any user, as far as I can tellso you have to use the full path to call it.+Firstcertbot can also be called letsencrypt on some reallyreally old machinesAndit is stored in various placesdepending on how you set it up.
  
 +On a Devuan servers, the certificates are stored in /etc/letsencrypt.
 A lot of this is taken from [[https://certbot.eff.org/docs/using.html]], which is confusing and hard to use, but does give an exhaustive list of the commands at the bottom. A lot of this is taken from [[https://certbot.eff.org/docs/using.html]], which is confusing and hard to use, but does give an exhaustive list of the commands at the bottom.
  
-===== See what certificates are on system =====+==== See what certificates are on system ====
  
-<code bash>/opt/eff.org/certbot/venv/bin/certbot certificates</code>+<code bash>certbot certificates</code>
  
 Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them. Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them.
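Review bot: the new acme.sh paragraph keeps a stray word from the old sentence: "...run acme.sh --list or acme.sh --help works." should end after "acme.sh --help". Two more wording slips in the added certbot lines: "some reallyreally old machines" has lost its commas ("some really, really old machines"), and "On a Devuan servers" should be "On Devuan servers". More important for a reader following along: the old revision explained that certbot on the ISPConfig install lives at /opt/eff.org/certbot/venv/bin/certbot and is not on any user's PATH, and the new revision drops that note while switching every example to a bare "certbot ..." command; if the binary is still outside PATH on those machines the bare "certbot certificates" below will not be found, so either keep a one-line pointer to the install location or say how certbot got onto PATH.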
Line 30: Line 33:
 </code> </code>
  
 +==== Delete an existing domain ====
 +
 +<code bash>certbot delete --cert-name mail.example.com</code> will delete the entire certificate (including all aliases)
 +
 +==== Add a new domain/alias ====
 +
 +Ok, this one is tricky as you need a way to authenticate that you own the domain. The simplest way to do this is if you have a web server running. I have a couple of mail servers that I wanted certs for, so I installed apache2, then set it up for the server name plus a couple of aliases.
 +
 +<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,mail.example.com,myserver.example.com</code>
 +
 +This creates a certificate named myserver.example.com, with the names smtp, mail and myserver (yes, you have to add that if you want it on the cert). That cert will be located in /etc/letsencrypt/live/myserver.example.com/, a the certificate is valid for all three names.
 +
 +==== Editing an alias from a cert ====
 +
 +The above syntax allows you to add/delete aliases from an existing certificate. Simply rerun with the way you want the certificate to look. So, for example, if I wanted to remove the mail alias and add a dovecot alias, I'd do the following.
 +<code bash>
 +<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,dovecot.example.com,myserver.example.com</code>
 +
 +certbot will ask you if you really want to do this, and then it will do it.
 +
 +
 +===== Setting up smtp and imap =====
 +
 +My favorite server is postfix for smtp and dovecot for imap/imaps, so this will cover that. Once you have your certificates downloaded, do the following:
 +
 +==== postfix ====
 +postfix has a great cli tool named postconf which allows you to modify the configuration from the cli, so I'll use that here. This assumes you have the certs installed.
 +
 +Basically, we'll create a symbolic link from the postfix directory (/etc/postfix on Devuan) and point to the live certs in the letsencrypt live directory.
 +
 +Why not simply point to letsencrypt directly? Because, we'll use the same link with dovecot later, so we'll just point both of them to the same symbolic link.
 +
 +<code bash>
 +# link the cert
 +ln -s /etc/letsencrypt/live/myserver.example.com/fullchain.pem /etc/postfix/smtpd.cert
 +# and the private key
 +ln -s /etc/letsencrypt/live/myserver.example.com/privkey.pem /etc/postfix/smtpd.key
 +# add them to postfix
 +postconf -e smtpd_tls_cert_file=/etc/postfix/smtpd.cert
 +postconf -e smtpd_tls_key_file=/etc/postfix/smtpd.key
 +# restart postfix
 +service postfix reload
 +</code>
 +
 +==== dovecot ====
 +
 +I'm sure there is an easier way to do this, but I just edit /etc/dovecot/dovecot.conf. I understand that Debian goes crazy with the conf.d, but I use a lot of ISPConfig stuff (which doesn't use that), and honestly I think it makes life more difficult.
 +
 +Basically, just add the following two lines in the base config. This uses the same certs as postfix
 +
 +<code>
 +ssl_cert = </etc/postfix/smtpd.cert
 +ssl_key = </etc/postfix/smtpd.key
 +</code>
 +
 +Now, restart dovecot
 +
 +<code bash>
 +service dovecot restart
 +# watch for any errors, ^c to break out of tail -f
 +tail -f /var/log/mail.log
 +</code>
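Review bot: the "Editing an alias from a cert" section opens a block with a bare "<code bash>" line and then puts the whole command in a second "<code bash>...</code>" on the next line, leaving the first tag unclosed; drop the stray opening line so the wiki renders the rest of the page normally. Typos in the same hunk: "a the certificate is valid for all three names" should read "and the certificate is valid for all three names", and "This uses the same certs as postfix" is missing its full stop. The comment "# restart postfix" sits above "service postfix reload", which reloads rather than restarts; align one with the other. The dovecot section tells the reader to add "ssl_cert = </etc/postfix/smtpd.cert" and "ssl_key = </etc/postfix/smtpd.key" to the base dovecot.conf while also mentioning the Debian conf.d layout, but does not say whether conf.d is still included; if it is, a later duplicate ssl_cert/ssl_key in conf.d will override these lines, so state which layout the instructions assume. Finally, nothing in the hunk says that postfix and dovecot must be reloaded after certbot renews the certificate: the symlinks into /etc/letsencrypt/live pick up the new files on disk, but the running daemons keep the old certificate until reloaded, which is worth a sentence (a certbot --deploy-hook is the usual place for that reload).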
unix/letsencrypt/certbot.1675321195.txt.gz · Last modified: 2023/02/02 00:59 by rodolico