Certbot

From NixOS Wiki
Revision as of 13:23, 10 September 2022

Certbot is the Electronic Frontier Foundation's ACME client. It is written in Python and provides conveniences such as automatic web server configuration and a built-in web server for the HTTP challenge (HTTP-01). Let's Encrypt recommends it as the default client.

Installation

Install certbot in your current environment

# nix-env -iA nixos.certbot

Usage

Certificates and keys obtained with the commands below are stored under /etc/letsencrypt/live/example.org/ as fullchain.pem and privkey.pem. The entries in live/ are symlinks into /etc/letsencrypt/archive/example.org/, where certbot keeps every issued version (privkey1.pem, privkey2.pem, ...) and repoints the symlinks on each renewal.

To make the certificate and private key readable by another user or service, grant it read access with a POSIX ACL rather than loosening the mode bits for everyone or copying the key around. Because live/ only holds symlinks into archive/, the ACL must cover both trees. In this example we grant the user maddy read permission on the files (r) and search permission on the directories (X):

# sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}

Two caveats: this gives maddy the private key itself, so only do it for the service that actually terminates TLS with that key, and setfacl -m only affects files that exist when it runs. Every renewal writes a fresh privkeyN.pem into archive/, so the ACL has to be re-applied after renewal, for example from a certbot --deploy-hook.
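
The following deploy hook re-applies that ACL after every renewal. It is an added example, not code from the NixOS wiki or from certbot: certbot runs --deploy-hook scripts with RENEWED_LINEAGE set to the live directory of the renewed certificate, and the script follows the privkey.pem symlink to find the matching archive directory. The user name maddy and the reload command are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Example deploy hook added here; it is not from the NixOS wiki or from certbot.
# certbot runs --deploy-hook scripts after a successful issuance or renewal with
# RENEWED_LINEAGE set to the live directory (e.g. /etc/letsencrypt/live/example.org).
# The user name "maddy" and the reload command are assumptions for this example.
set -eu

ACL_USER="${ACL_USER:-maddy}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload maddy.service}"

# Run a command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi
}

# Resolve the archive directory behind a live directory: live/<name>/privkey.pem is a
# relative symlink such as ../../archive/<name>/privkey3.pem, so follow it and
# print the physical directory it lands in.
archive_dir_of() {
  lineage=$1
  target=$(readlink "$lineage/privkey.pem")
  (cd "$lineage" && cd "$(dirname "$target")" && pwd -P)
}

# Grant ACL_USER read (r) on files and search (X) on directories in both trees.
# Doing this from the deploy hook, rather than once by hand, is what keeps the
# freshly written privkeyN.pem readable after every renewal.
grant_read_acl() {
  lineage=$1
  archive=$(archive_dir_of "$lineage")
  for dir in "$lineage" "$archive"; do
    run setfacl -R -m "u:$ACL_USER:rX" "$dir"
  done
}

# Entry point when certbot invokes the script; does nothing when run by hand.
# Usage: certbot renew --deploy-hook /path/to/this-script
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  grant_read_acl "$RENEWED_LINEAGE"
  # RELOAD_CMD is intentionally left unquoted so it splits into words
  run $RELOAD_CMD
fi
```

The hook recomputes the archive path from the symlink rather than assuming /etc/letsencrypt/archive/<name>, so it also works for lineages with a custom --cert-name.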

Manual DNS challenge

The following command requests a certificate and private key for example.org using the DNS challenge (DNS-01). Certbot prints a validation token and asks you to publish it as a TXT record at _acme-challenge.example.org; once you confirm, the CA queries that record before issuing. --register-unsafely-without-email skips the account e-mail address, so you will get no expiry or incident notifications, and --agree-tos accepts the CA's terms without prompting.

# certbot certonly --manual --preferred-challenges dns -d example.org --register-unsafely-without-email --agree-tos

Because the challenge is completed by hand, certbot renew cannot renew this certificate unattended unless you also supply a --manual-auth-hook (and usually a --manual-cleanup-hook) that publishes and removes the record for you.
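
The script below automates that manual DNS challenge as a pair of certbot hooks. It is an added example, not code from the NixOS wiki or from certbot: certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES to --manual-auth-hook and --manual-cleanup-hook, and the script appends or removes the _acme-challenge TXT record in a zone include file. The include-file path and the rndc reload command are assumptions for a BIND-style authoritative server you control; any server that can reload a zone file works the same way.

```shell
#!/bin/sh
# Example certbot manual hooks added here; not from the NixOS wiki or from certbot.
# certbot runs --manual-auth-hook before asking the CA to validate and
# --manual-cleanup-hook afterwards, exporting CERTBOT_DOMAIN, CERTBOT_VALIDATION and
# CERTBOT_REMAINING_CHALLENGES to both. The include-file path and the reload command
# below are assumptions for a BIND-style authoritative server you control.
set -eu

ZONE_INCLUDE="${ZONE_INCLUDE:-/var/lib/named/acme-challenge.inc}"
RELOAD_CMD="${RELOAD_CMD:-rndc reload example.org}"
PROPAGATION_SECONDS="${PROPAGATION_SECONDS:-30}"

# Owner name of the TXT record the CA will query: _acme-challenge. in front of the
# domain. A wildcard request (*.example.org) is validated at the base name.
acme_record_name() {
  dom=$1
  case $dom in \*.*) dom=${dom#??} ;; esac
  printf '_acme-challenge.%s.' "$dom"
}

# One zone-file resource record carrying the validation token. The token is
# base64url, so it contains nothing that needs escaping inside the quoted string.
acme_txt_rr() {
  printf '%s 60 IN TXT "%s"\n' "$(acme_record_name "$1")" "$2"
}

# --manual-auth-hook: publish the record and reload. certbot runs the auth hook for
# every name first and only then asks the CA to validate, so wait for propagation
# once, after the last challenge, rather than after each one.
auth_hook() {
  acme_txt_rr "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$ZONE_INCLUDE"
  $RELOAD_CMD
  if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" = 0 ]; then
    sleep "$PROPAGATION_SECONDS"
  fi
}

# --manual-cleanup-hook: remove exactly this record. Matching the full line rather
# than only the owner name keeps a second token for the same name (a wildcard plus
# base-name request in one run) in place until its own cleanup runs.
cleanup_hook() {
  line=$(acme_txt_rr "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")
  tmp="$ZONE_INCLUDE.tmp"
  grep -vxF -- "$line" "$ZONE_INCLUDE" > "$tmp" || true
  mv "$tmp" "$ZONE_INCLUDE"
  $RELOAD_CMD
}

# Usage: certbot certonly --manual --preferred-challenges dns -d example.org \
#   --manual-auth-hook "/path/to/this-script auth" \
#   --manual-cleanup-hook "/path/to/this-script cleanup"
case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

With the hooks in place, certbot renew can renew the certificate unattended, and the validation token never has to be pasted into a DNS control panel by hand.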

DNS challenge using a plugin