Difference between revisions of "Certbot"
Jump to navigation
Jump to search
↑ https://certbot.eff.org/docs/intro.html
↑ https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains
(67 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | <code>certbot</code><ref>https://certbot.eff.org/docs/intro.html</ref> is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the [[ACME]] protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems. | + | <code>certbot</code><ref>https://certbot.eff.org/docs/intro.html</ref> is a fully-featured, extensible client for the [[Let’s Encrypt]] [[CA]] (or any other CA that speaks the [[ACME]] protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems. |
+ | == Installation == | ||
+ | * Ubuntu: <code>[[apt install]] certbot</code> | ||
+ | * [[macOS]]: <code>[[brew install]] certbot</code> | ||
− | [[Ubuntu]] | + | You can additionally install [[Plugins (certbot)|certbot plugins]]: |
− | * Binaries: <code>certbot</code> and <code>letscrypt</code> | + | * <code>python3-certbot-apache</code> |
− | * Renewals configuration: <code>/etc/cron.d/certbot</code> | + | * <code>python3-certbot-dns-cloudflare</code> |
+ | * <code>[[python3-certbot-dns-digitalocean]]</code> | ||
+ | * <code>[[python3-certbot-dns-dnsimple]]</code> | ||
+ | * <code>python3-certbot-dns-google</code> | ||
+ | * <code>python3-certbot-dns-rfc2136</code> | ||
+ | * <code>python3-certbot-dns-route53</code> | ||
+ | * <code>[[python3-certbot-nginx]]</code> | ||
+ | |||
+ | == [[Ubuntu]] files == | ||
+ | * Binaries: <code>certbot</code> and <code>[[letscrypt]]</code> | ||
+ | * Configuration files: | ||
+ | ::<code>[[/etc/letsencrypt/]]</code> | ||
+ | ::<code>[[/etc/letsencrypt/renewal/]]</code> | ||
+ | * Renewals configuration: <code>/etc/cron.d/certbot]]</code> | ||
+ | * Logs: <code>[[/var/log/letsencrypt/letsencrypt.log]]</code> | ||
== Examples == | == Examples == | ||
− | |||
− | |||
− | <code>[[ | + | * <code>[[certbot (command)|certbot]] -d YOUR_DOMAIN_NAME.com --manual --[[preferred-challenges]] [[dns]] [[certonly]]</code> |
− | :[[ | + | |
− | : | + | |
+ | Create a wildcard certificate: | ||
+ | [[certbot (command)|certbot]] -d *.YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly | ||
+ | |||
+ | |||
+ | |||
+ | === Request a certificate === | ||
+ | * List certificates: <code>[[certbot certificates]]</code> | ||
+ | * <code>[[certbot renew]]</code> | ||
+ | * <code>[[certbot renew --force-renewal]]</code> | ||
+ | * <code>[[certbot delete]] --cert-name YOUR_CERT_NAME</code> | ||
+ | * Changing a Certificdate's Domain<ref>https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains</ref>: <code>certbot certonly --cert-name example.com -d example.org,www.example.org</code> | ||
+ | * Automated renewals: <code>[[systemctl list-timers]]</code> | ||
+ | * Stop your webserver: | ||
+ | : <code>[[systemctl]] stop nginx</code> | ||
+ | * <code>[[certbot certonly]] --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com</code> | ||
+ | |||
+ | Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an [[authenticator plugin]] that can do challenges over DNS. | ||
+ | * <code>certbot certonly --standalone --agree-tos --preferred-challenges [[dns]] -d *.YOUR_DOMAIN_NAME.com</code> (You will be asked for information) | ||
+ | None of the preferred challenges are supported by the selected plugin | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | < | + | <code>[[nginx.conf]]</code> |
− | + | :<code>[[ssl_certificate]] /etc/letsencrypt/live/www.example.com/fullchain.pem;</code> | |
− | + | :<code>ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;</code> | |
− | - - - | + | :<code>openssl x509 -text -noout -in cert.pem</code> |
− | |||
− | |||
− | </ | ||
− | |||
− | |||
− | |||
− | |||
− | + | <code>certbot certonly --standalone</code> | |
− | + | ||
− | + | ||
+ | [[certbot --nginx]] | ||
+ | Saving debug log to /var/log/letsencrypt/letsencrypt.log | ||
+ | The requested nginx plugin does not appear to be installed | ||
− | |||
− | |||
== Activities == | == Activities == | ||
* Read <code>certbot</code> [[certbot changelog]]: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md | * Read <code>certbot</code> [[certbot changelog]]: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md | ||
+ | * <code>[[certbot renew]]</code> | ||
+ | * [[Certbot renew configuration examples]] | ||
+ | * [[acme.sh]] | ||
== See also == | == See also == | ||
− | * {{ | + | * {{certbot cmd}} |
− | * {{ | + | * {{certbot}} |
+ | * {{CA}} | ||
[[Category:IT Security]] | [[Category:IT Security]] |
Latest revision as of 09:34, 2 June 2022
certbot
[1] is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol defined in 2015-2016) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems.
Installation[edit]
- Ubuntu:
apt install certbot
- macOS:
brew install certbot
You can additionally install certbot plugins:
python3-certbot-apache
python3-certbot-dns-cloudflare
python3-certbot-dns-digitalocean
python3-certbot-dns-dnsimple
python3-certbot-dns-google
python3-certbot-dns-rfc2136
python3-certbot-dns-route53
python3-certbot-nginx
Ubuntu files[edit]
- Binaries:
certbot
andletscrypt
- Configuration files:
- Renewals configuration:
/etc/cron.d/certbot]]
- Logs:
/var/log/letsencrypt/letsencrypt.log
Examples[edit]
certbot -d YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly
Create a wildcard certificate:
certbot -d *.YOUR_DOMAIN_NAME.com --manual --preferred-challenges dns certonly
Request a certificate[edit]
- List certificates:
certbot certificates
certbot renew
certbot renew --force-renewal
certbot delete --cert-name YOUR_CERT_NAME
- Changing a Certificdate's Domain[2]:
certbot certonly --cert-name example.com -d example.org,www.example.org
- Automated renewals:
systemctl list-timers
- Stop your webserver:
systemctl stop nginx
certbot certonly --standalone --preferred-challenges http -d YOUR_DOMAIN_NAME.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
certbot certonly --standalone --agree-tos --preferred-challenges dns -d *.YOUR_DOMAIN_NAME.com
(You will be asked for information)
None of the preferred challenges are supported by the selected plugin
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
openssl x509 -text -noout -in cert.pem
certbot certonly --standalone
certbot --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log The requested nginx plugin does not appear to be installed
Activities[edit]
- Read
certbot
certbot changelog: https://github.com/certbot/certbot/blob/master/certbot/CHANGELOG.md certbot renew
- Certbot renew configuration examples
- acme.sh
See also[edit]
certbot [ certificates | renew | certonly ], certbot --help
- Certbot, Let's Encrypt:
certbot (command)
, plugins, OCSP,certbot certificates
,certbot renew
(examples),/var/log/letsencrypt/letsencrypt.log
, Certificate Checker, Certbot changelog,certbot --help
,/etc/letsencrypt/
- CA, Root Certificates, FreeIPA, PKI, OpenCA, Wildcard certificate,
certtool
,certbot
(Let's Encrypt),certinfo
(Cloudflare), ACME, Boulder,cfssl
(Cloudflare), Public key certificate, public key, TLS and X.509, OCSP, Subject Alternative Name (SAN),openssl ca
, Self signed certificate, CSR,keytool
, ACM, KMS,aws acm
, IdenTrust, multirootca, cert-manager, ca_cert_identifier
Advertising: