dancingCycle
/
setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
setup/doc/certbot.md

73 lines
2.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Source
[How To Secure Apache with Let's Encrypt on Debian 11](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-11)
[Use Certbot to Enable HTTPS with Apache on Debian](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-debian/)
[Certbot Instructions](https://certbot.eff.org/instructions?ws=apache&os=debianbuster)
# Setup Certbot
* remove certbot-auto and any Certbot OS packages
```
sudo apt remove certbot
```
* install Certbot
```
sudo apt install snapd --no-install-recommends
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
```
* prepare the Certbot command
```
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
* OPTION: set up virtual host [this](./apache-vh.md)
* check, open the virtual host file for your domain
```
sudo vi /etc/apache2/sites-available/vm2037.swingbe.mooo.com.conf
```
* verify the syntax of your configuration edits
```
sudo apache2ctl configtest
```
* verify the current firewall setting by running
```
sudo ufw status
```
* allow HTTPS traffic, allow the “WWW Full” profile and delete the redundant “WWW” profile allowance
```
sudo ufw allow 'WWW Full'
sudo ufw delete allow 'WWW'
sudo ufw status
```
* Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the configuration whenever necessary. To use this plugin, run the following
```
sudo certbot --apache -d vm2037.swingbe.mooo.com
```
* Lets Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package you installed takes care of this for you by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate thats within thirty days of expiration. To test the renewal process, you can do a dry run with certbot
```
sudo certbot renew --dry-run
```
* test manual renewal
```
sudo /usr/bin/certbot renew --apache --quiet
```
//TODO Enable `MAILTO`!
* extend `crontab -e` for auto renewal with this content
```
@daily /usr/bin/certbot renew --apache --quiet
```
Reference in New Issue View Git Blame Copy Permalink