All websites should be encrypted using HTTPS! Many are not. If you are not encrypting your websites, then your users' data can be leaked to anyone. If you would like your website to appear high on Google's search results, and you care about user privacy online, then you should try "Let's Encrypt". Let's Encrypt is a free certificate authority, and everybody should use it!
In order to start using Let's Encrypt, you need to prove to the "Let's Encrypt" people that you actually own your website. "Certbot" is a program that will help you do this. Certbot can request a certificate for you and create a secret file on your webserver; Let's Encrypt then fetches that file over HTTP to check that you actually own the website. Then your certificate will work.
You will also have to renew your certificates regularly. Certbot can renew them for you automatically.
As of [2018-04-09 Mon], the nginx plugin to certbot does not support confirming that I control a domain. For example, when I try to do that I get this error:
sudo certbot --nginx -d gnucode.me -d www.gnucode.me
sudo: unable to resolve host RichardRahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
So I have to use the webroot command. This command can be an authenticator and an installer?
certbot [subcommand] [options]
Authenticators verify that you can change content on your website. The subcommand certonly is an authenticator.
Authenticators confirm that you own your domain and install the certificate, but do not edit your nginx or apache config files. Certbot can issue a single certificate that covers all of your domains, but you need to specify every domain on the command line.
It installs the certificate under the /etc/letsencrypt directory. You could use a symlink to point to the certificate.
This authenticates two domains, gnusites.com and gnucode.me, each with its own webroot (each -w applies to the -d flags that follow it, and the webroot path must be absolute):
sudo certbot certonly --webroot -w /var/www/html/gnusites.com/public_html -d www.gnusites.com -d gnusites.com -w /var/www/html/gnucode.me/public_html -d www.gnucode.me -d gnucode.me
The output of the command tells me:
sudo: unable to resolve host richardrahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.gnusites.com
http-01 challenge for gnusites.com
http-01 challenge for www.gnucode.me
http-01 challenge for gnucode.me
Using the webroot path /var/www/html/gnucode.me/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
It should have created a temporary file under ${webroot-path}/.well-known/acme-challenge/ for each domain being verified.
Nginx tells me that gnusites.com/.well-known/acme-challenge does not exist.
Wordpress tells me that gnucode.me/.well-known/acme-challenge cannot be found.
The command tells me that it challenged www.gnusites.com, gnusites.com, gnucode.me, and www.gnucode.me.
I'm getting weird errors. Gnusites is encrypted, but https://gnucode.me is serving gnusites...?
gnusites.com works just fine.
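Before running certbot certonly --webroot, it is worth checking that the webroot you pass with -w is really the directory nginx serves for that hostname on port 80, since that is the only thing the http-01 challenge tests. The following pre-flight script is an added example and is not part of the original post: it writes a throwaway probe file into ${webroot}/.well-known/acme-challenge/, fetches it back with curl over plain HTTP, and reports a mismatch per domain. The domain:webroot pairs on its command line are the caller's own; the ones in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that the
# http-01 challenge path under a webroot is actually served over plain HTTP
# before running "certbot certonly --webroot". Domains and paths given on
# the command line are the caller's; the usage example below is a placeholder.

# Create (if needed) and print the directory certbot writes challenge tokens into.
challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Write a probe file standing in for a challenge token and print its name.
# The file holds the single word "ok" so a fetch can be compared exactly.
write_probe() {
    dir=$(challenge_dir "$1") || return 1
    name="probe-$(date +%s)-$$"
    printf 'ok\n' > "$dir/$name" || return 1
    printf '%s\n' "$name"
}

# Build the URL the CA's validation server would request for a domain and token.
# http-01 always starts on port 80, so the check deliberately does not use https.
probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Fetch the probe back over HTTP and compare the body. Needs curl.
# Returns 0 when the webroot really is what the server publishes for that name.
check_domain() {
    domain="$1"; webroot="$2"
    name=$(write_probe "$webroot") || return 1
    url=$(probe_url "$domain" "$name")
    if body=$(curl -fsS --max-time 10 "$url" 2>/dev/null); then rc=0; else rc=$?; fi
    rm -f "$webroot/.well-known/acme-challenge/$name"
    if [ "$rc" -eq 0 ] && [ "$body" = "ok" ]; then
        printf 'OK   %s <- %s\n' "$domain" "$webroot"
        return 0
    fi
    printf 'FAIL %s: %s is not served from %s (curl exit %s)\n' \
        "$domain" "$url" "$webroot" "$rc" >&2
    return 1
}

# Usage: preflight.sh domain:/path/to/webroot [domain:/path/to/webroot ...]
# e.g.   preflight.sh gnucode.me:/var/www/html/gnucode.me/public_html
main() {
    status=0
    for pair in "$@"; do
        check_domain "${pair%%:*}" "${pair#*:}" || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A FAIL for a name whose DNS points at this machine usually means the port-80 server block for that name uses a different root, or a catch-all block (or a WordPress rewrite, as in the note above) is answering instead, which is exactly what certbot's "Waiting for verification..." step would then trip over.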
Here is the code that I pulled from this online tutorial: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
grep "RSA" -A 10 /etc/nginx/sites-enabled/gnusites.com
# RSA certificate
ssl_certificate /etc/letsencrypt/live/www.gnusites.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.gnusites.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# Redirect non-https traffic to https
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot
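When one hostname is served with another site's certificate, as noted above for gnucode.me, the usual cause is that nginx has no ssl server block whose server_name matches the requested name, so it falls back to the default server for port 443 (the first one loaded unless a block is marked default_server). The following script is an added example, not from the original post or the nginx tutorial it cites: it renders a per-domain pair of server blocks (port 80 keeps the challenge path reachable and redirects everything else; port 443 carries that domain's own certificate) plus an explicit catch-all that refuses unmatched names instead of handing out some other site's certificate. It assumes certbot's /etc/letsencrypt/live/<domain>/ layout with the certificate name equal to the bare domain.

```shell
#!/bin/sh
# Added example, not from the original post or the nginx tutorial it cites:
# render one nginx site with its own certificate plus a catch-all for port 443.
# Certificate paths follow certbot's /etc/letsencrypt/live/<cert-name>/ layout;
# the cert name is assumed to equal the bare domain.

# Print the HTTP and HTTPS server blocks for one domain (and its www alias).
# Arguments: domain, webroot directory.
render_site() {
    domain="$1"; webroot="$2"
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    # Keep http-01 challenges reachable over plain HTTP, before any redirect.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $domain www.$domain;
    root $webroot;
    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
EOF
}

# Print an explicit default server for port 443. Without one, nginx answers
# any unmatched name with the first ssl server block it loaded, i.e. another
# site's certificate. ssl_reject_handshake needs nginx 1.19.4 or newer; on
# older versions give this block its own (any) certificate and keep "return 444"
# so the request is dropped without a response body.
render_catch_all() {
    cat <<'EOF'
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}
EOF
}

# Usage:
#   render_site gnucode.me /var/www/html/gnucode.me/public_html > /etc/nginx/sites-available/gnucode.me
#   render_catch_all > /etc/nginx/sites-available/00-default-tls
#   nginx -t && systemctl reload nginx
```

After enabling the rendered files, `nginx -t` catches a missing certificate path before the reload, and `openssl s_client -connect host:443 -servername gnucode.me` shows which certificate a given name actually receives.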
joshua@richardrahl:/var/www/html/laundrysucks.io/public_html$ sudo certbot certonly --webroot -w var/www/html/laundrysucks.io/public_html -d laundrysucks.io
sudo: unable to resolve host richardrahl
[sudo] password for joshua:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for laundrysucks.io
Using the webroot path /var/www/html/laundrysucks.io/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
joshua@richardrahl:/var/www/html/gnu-hurd.com/.well-known$ sudo certbot certonly --webroot -w var/www/html/gnu-hurd.com/public_html -d gnu-hurd.com -d www.gnu-hurd.com
sudo: unable to resolve host richardrahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gnu-hurd.com
http-01 challenge for www.gnu-hurd.com
Using the webroot path /var/www/html/gnu-hurd.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
ls
dead.letter grep
cat grep
rm grep
ls
dead.letter
This gets a certificate for a website using the specific webroot directory you pass with -w:
certbot certonly --webroot -w /var/www/html/matomo/public_html -d www.gnucode.me -d gnucode.me
To revoke a certificate:
certbot revoke --cert-path /path/to/certificate
This command expands a certificate to include new domain names. existing.com and www.existing.com were domains that the certificate already had, and I added two more: blog.existing.com and www.blog.existing.com. =certbot --cert-name existing.com -d existing.com,www.existing.com,blog.existing.com,www.blog.existing.com=