Difference between revisions of "Let's Encrypt"
From MgmtWiki
(→Solutions) |
(→Solutions) |
||
| Line 10: | Line 10: | ||
Certbot store working files in /etc/letsencrypt/live | Certbot store working files in /etc/letsencrypt/live | ||
===Renewing Certificate looks like this=== | ===Renewing Certificate looks like this=== | ||
| − | + | warning - cert must be renewed before expiry or the process of changing the TXT record start all over. | |
====After challenge is posted to net solutions.org==== | ====After challenge is posted to net solutions.org==== | ||
certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | ||
Revision as of 12:16, 7 September 2021
Contents
Full Title
Using Let's Encrypt to maintain TSL certificates on a web site.
Context
- The best way to get free certificates.
- But these certificates are only good for 3 months
- scripts are available for apache, etc. but now for ASP.NET as of 2020-02-15
Solutions
Certbot store working files in /etc/letsencrypt/live
Renewing Certificate looks like this
warning - cert must be renewed before expiry or the process of changing the TXT record start all over.
After challenge is posted to net solutions.org
certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for trustregistry.org http-01 challenge for trustregistry.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.trustregistry.org with the following value: xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data:
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
And make it available on your web server at this URL: http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA
Now copy that value into file named TextDocument.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/trustregistry.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/trustregistry.org/privkey.pem Your cert will expire on 2021-06-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
Prepare pfx file
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx
