Difference between revisions of "Let's Encrypt"
From MgmtWiki
(→Full Title) |
(→Solutions) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | The best way to get free certificates. | + | * The best way to get free certificates. |
| + | * But these certificates are only good for 3 months | ||
| + | * scripts are available for apache, etc. but now for ASP.NET as of 2020-02-15 | ||
==Solutions== | ==Solutions== | ||
| − | + | Certbot store working files in /etc/letsencrypt/live | |
| + | ===Renewing Certificate looks like this=== | ||
| + | ====After challenge is posted to net solutions.org==== | ||
| + | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | ||
| + | Saving debug log to /var/log/letsencrypt/letsencrypt.log | ||
| + | Plugins selected: Authenticator manual, Installer None | ||
| + | Cert is due for renewal, auto-renewing... | ||
| + | Renewing an existing certificate | ||
| + | Performing the following challenges: | ||
| + | dns-01 challenge for trustregistry.org | ||
| + | http-01 challenge for trustregistry.org | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | NOTE: The IP of this machine will be publicly logged as having requested this | ||
| + | certificate. If you're running certbot in manual mode on a machine that is not | ||
| + | your server, please ensure you're okay with that. | ||
| + | |||
| + | Are you OK with your IP being logged? | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | (Y)es/(N)o: yes | ||
| + | |||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | Please deploy a DNS TXT record under the name | ||
| + | _acme-challenge.trustregistry.org with the following value: | ||
| + | xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk | ||
| + | |||
| + | Before continuing, verify the record is deployed. | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | Press Enter to Continue | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | Create a file containing just this data: | ||
| + | |||
| + | VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| + | |||
| + | paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| + | |||
| + | hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| + | |||
| + | And make it available on your web server at this URL: | ||
| + | http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw | ||
| + | |||
| + | (This must be set up in addition to the previous challenges; do not remove, | ||
| + | replace, or undo the previous challenge tasks yet.) | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | Press Enter to Continue | ||
| + | |||
| + | http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA | ||
| + | |||
| + | ====Now copy that value into file named TextDocument.txt==== | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | Press Enter to Continue | ||
| + | Waiting for verification... | ||
| + | Cleaning up challenges | ||
| + | |||
| + | IMPORTANT NOTES: | ||
| + | - Congratulations! Your certificate and chain have been saved at: | ||
| + | /etc/letsencrypt/live/trustregistry.org/fullchain.pem | ||
| + | Your key file has been saved at: | ||
| + | /etc/letsencrypt/live/trustregistry.org/privkey.pem | ||
| + | Your cert will expire on 2021-06-10. To obtain a new or tweaked | ||
| + | version of this certificate in the future, simply run certbot | ||
| + | again. To non-interactively renew *all* of your certificates, run | ||
| + | "certbot renew" | ||
| + | |||
| + | ===Prepare pfx file=== | ||
| + | |||
| + | openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx | ||
==References== | ==References== | ||
[[Category: Best Practice]] | [[Category: Best Practice]] | ||
Revision as of 11:21, 9 June 2021
Contents
Full Title
Using Let's Encrypt to maintain TSL certificates on a web site.
Context
- The best way to get free certificates.
- But these certificates are only good for 3 months
- scripts are available for apache, etc. but now for ASP.NET as of 2020-02-15
Solutions
Certbot store working files in /etc/letsencrypt/live
Renewing Certificate looks like this
After challenge is posted to net solutions.org
certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for trustregistry.org http-01 challenge for trustregistry.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.trustregistry.org with the following value: xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data:
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
And make it available on your web server at this URL: http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA
Now copy that value into file named TextDocument.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/trustregistry.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/trustregistry.org/privkey.pem Your cert will expire on 2021-06-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
Prepare pfx file
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx
