Differences

This shows you the differences between two versions of the page.

--- internet:security:ssl_cert_letsencrypt [2019/03/13 11:24]
gcooper
+++ internet:security:ssl_cert_letsencrypt [2020/08/09 12:21] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== Let's Encrypt Free SSL Certificates ======
+See also **[[internet:security:ssl_cert_letsencrypt_zimbra|Using LetsEncrypt SSL Certificates with Zimbra]]**
 **Home Page**: https://letsencrypt.org/certificates/
@@ Line 6: / Line 8: @@
 **Webmin**: https://doxfer.webmin.com/Webmin/Let's_Encrypt
+===== DNS =====
+CAA records authorize SSL certificate issuance by certain certificate authorities.
+For Virtualmin managed domains, manually enter something like:
+<file>
+hostname.domain.tld.	IN	CAA	0 issue "letsencrypt.org"
+</file>
 ===== SSL Certificate Testing =====
@@ Line 65: / Line 77: @@
 ===== Ubuntu 16.04 =====
+==== Apache ====
+:!: This will install Apache if not already installed.
 https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
@@ Line 81: / Line 97: @@
 certbot renew --dry-run
 </file>
-==== Troubleshooting ====
-**Remove scheduled task and registry key** (HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple), then perform an ''iisreset'' as an administrator.
-Increase verbosity: <file>--verbose</file>
 ===== Virtualmin =====
@@ Line 108: / Line 118: @@
 ===== Webmin =====
-https://techjourney.net/how-to-use-lets-encrypt-ssl-certificate-automatically-in-virtualmin-webmin/
+<note important>Webmin works well with Apache and HTTP validation.  However, you can also use DNS validation if you don't have Apache installed and you don't want to open ports 80 and 443 in the firewall.  However, DNS validation is not documented well here, particularly renewals.</note>
+==== DNS ====
+https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
+https://certbot.eff.org/docs/using.html#manual
+:!: Add this for testing: <file>--staging</file>
+<file>
+apt install certbot
+certbot -d hostname.yourdomain.tld --manual --preferred-challenges dns certonly
+certbot renew --dry-run
+certbot certificates
+</file>
+==== HTTP ====
 **Documentation**: https://doxfer.webmin.com/Webmin/Let's_Encrypt
@@ Line 123: / Line 153: @@
 {{ :internet:security:letsencrypt_webmin_ssl_settings.png?750 |Resultant Webmin SSL Settings}}
+===== Log Rotation =====
+:!: Certbot has its own log rotation.
+**/etc/logrotate.d/letsencrypt**
+<file>
+/var/log/letsencrypt/letsencrypt.log {
+  daily
+  rotate 0
+  firstaction
+    /usr/bin/find /var/log/letsencrypt/ -name "letsencrypt.log.*" -mtime +100 -delete
+  endscript
+  nocreate
+  missingok
+  notifempty
+}
+</file>
+Test:
+<file>
+ll /var/log/letsencrypt/   #before
+logrotate -f /etc/logrotate.d/letsencrypt
+ll /var/log/letsencrypt/   #after
+</file>
+===== Troubleshooting =====
+**Remove scheduled task and registry key** (HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple), then perform an ''iisreset'' as an administrator.
+Increase verbosity: <file>--verbose</file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools