Certbot: Difference between revisions

m
imported>Onny
m No edit summary
 
(17 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[https://github.com/certbot/certbot Certbot] is [https://www.eff.org/ Electronic Frontier Foundation]'s [[ACME]] client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by [https://letsencrypt.org/ Let's Encrypt].
[https://github.com/certbot/certbot Certbot] is [https://www.eff.org/ Electronic Frontier Foundation]'s [[ACME]] client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by [https://letsencrypt.org/ Let's Encrypt].
{{Note|It is recommended to use the the ACME service module, available through <code>security.acme</code>, instead of ''certbot''. Please consult the [[ACME | ACME page]] on how to use it.}}


== Installation ==
== Installation ==


Install ''certbot'' in your current environment
{{Note|Following example describes the usage of an experimental module which is still being reviewed as an open PR and might not be ready for production.}}
<syntaxhighlight lang="console">
Install ''certbot'' application and enable ''systemd-timer'' for automated renewal of certificates
# nix-env -iA nixos.certbot
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
</syntaxhighlight>
services.certbot = {
 
  enable = true;
  agreeTerms = true;
};
</nowiki>}}
== Usage ==
== Usage ==


Generated certificates and keys by using the commands below will be stored as <code>/etc/letsencrypt/live/example.org/fullchain.pem</code> and <code>/etc/letsencrypt/live/example.org/privkey.pem</code>.
It is possible to use several different methods to generate and configure certificates. Verification is done manually, via web servers or DNS records. Not all methods are covered here, for more information please consult the [https://eff-certbot.readthedocs.io/en/stable/ upstream documentation].
 
To make the keys readable by a third party user or application, you could set custom ACL permissions. In this example we grant the user <code>maddy</code> read permissions for the certificate folder:
Generated certificates and keys by using the commands below will be stored as <code>/etc/letsencrypt/live/example.org/fullchain.pem</code> and <code>/etc/letsencrypt/live/example.org/privkey.pem</code>, readable by the <code>acme</code> group.
 
<syntaxhighlight lang="console">
# sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}
</syntaxhighlight>


=== Manual DNS challenge ===
=== Manual DNS challenge ===
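Review bot: the rewritten "Generated certificates and keys ..." line now states the files are "readable by the <code>acme</code> group" but removes the <code>setfacl</code> example, so a reader who needs another service account (the old text used <code>maddy</code>) to read the key is left without the step; keep the ACL example or replace it with the group-based equivalent, e.g. <code>users.users.maddy.extraGroups = [ "acme" ];</code>. Also fix "the the ACME service module" in the new {{Note}}, and link the open PR that the second {{Note}} refers to so readers can check whether the <code>services.certbot</code> module has landed before copying the snippet.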
Line 30: Line 31:
Currently there are several ''certbot'' plugins [https://search.nixos.org/packages?channel=22.05&from=0&size=50&sort=relevance&type=packages&query=certbot-dns already packaged]. While the plugin usage should be similar for most of them, you should look up upstream documentation on how to use thim. In this example we're going to configure and use [https://github.com/oGGy990/certbot-dns-inwx the plugin] for the hosting provider [https://www.inwx.com/en INWX].
Currently there are several ''certbot'' plugins [https://search.nixos.org/packages?channel=22.05&from=0&size=50&sort=relevance&type=packages&query=certbot-dns already packaged]. While the plugin usage should be similar for most of them, you should look up upstream documentation on how to use thim. In this example we're going to configure and use [https://github.com/oGGy990/certbot-dns-inwx the plugin] for the hosting provider [https://www.inwx.com/en INWX].


{{Note|Following example describes the usage of an experimental plugin which is still being reviewed as an open PR and might not be ready for production.}}
{{warning|1=Do not use a plaintext password in production, this is for demonstration only}}
{{warning|1=Do not use a plaintext password in production, this is for demonstration only}}


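Review bot: the new {{Note}} calls the inwx plugin an experimental plugin under review as an open PR, yet the paragraph directly above links it as "already packaged" in the 22.05 channel and no PR is referenced, so the two statements contradict each other for the reader; either link the PR or drop the note. The typo "how to use thim" survives in both revisions and should read "how to use them".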
Line 45: Line 45:
};
};


environment.systemPackages = with pkgs; [
services.certbot = {
   ( certbot.withPlugins (ps: with ps; [ certbot-dns-inwx ]) )
  enable = true;
];
  agreeTerms = true;
   package = pkgs.certbot.withPlugins (ps: with ps; [ certbot-dns-inwx ]);
}
</nowiki>}}
</nowiki>}}


Manually generate certificates for <code>example.org</code> using the ''inwx''-plugin
Shared secret must be set in the configuration but you only have to configure the value if you're using 2FA on INWX.
 
Manually configure and generate certificates for <code>example.org</code> using the ''inwx''-plugin
 
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
# certbot certonly -a dns-inwx -d example.org --register-unsafely-without-email --agree-tos
# certbot certonly -a dns-inwx -d example.org --register-unsafely-without-email --agree-tos
</syntaxhighlight>
</syntaxhighlight>
Now that a specific domain is configured to get renewed using the plugin, the ''systemd-timer'' of the ''certbot'' module will automatically renew it after expiration.
[[Category:Server]]
[[Category:Applications]]
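Review bot: the new <code>services.certbot = { ... }</code> block is closed with <code>}</code> instead of <code>};</code>, which is a Nix syntax error inside <code>configuration.nix</code> (the removed <code>environment.systemPackages</code> block correctly ended with <code>];</code>); change the last line of the block to <code>};</code>. The added sentence "Shared secret must be set in the configuration but you only have to configure the value if you're using 2FA on INWX" leaves unclear what to put there when 2FA is off; state explicitly whether the key may be left empty. The closing sentence says the timer renews the certificate "after expiration": certbot's renewal runs while the certificate is still valid and inside its renewal window, and an already-expired certificate means a TLS outage, so write "before it expires". Worth a short remark as well that <code>--register-unsafely-without-email</code> opts the account out of Let's Encrypt's expiry notices, which is the only warning an admin gets if the timer silently fails.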