Inhaltsverzeichnis
Erzeugen neuer letsencrypt Stern-Zertifikats
Installation von certbot
# apt-get install python-certbot-apache
Erzeugen der Zertifikate
# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for rana.at
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.rana.at with the following value:
dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/rana.at/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/rana.at/privkey.pem
Your cert will expire on 2020-05-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden.
Apache-Konfiguration
/etc/apache2/sites-available/rana.at.conf:
…
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem
…
Update des Zertifikate
# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:
sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.org/privkey.pem
Your cert will expire on 2020-02-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden!
Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe:
# letsencrypt renew
Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind:
# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gfw.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.wien.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped)
/etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped)
/etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
letsencrypt-Zertifikate für Courier-Server verwenden
Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden:
# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem
Die oben erzeugte Datei muss entsprechend eingebunden werden:
Courier imapd-ssl
/etc/courier/imapd-ssl
…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.
TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…
Courier pop3d-ssl
/etc/courier/pop3d-ssl
…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.
TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…
Neustart der Prozesse
# systemctl reload apache2.service
# systemctl restart courier-pop-ssl.service
# systemctl restart courier-imap-ssl.service
Sichern und kopieren der Zertifikate
# cd /etc
# tar -cvf letsencrypt.tar letsencrypt
# scp letsencrypt.tar user@server: