Certbot: Difference between revisions
imported>Onny (m, No edit summary)
(11 intermediate revisions by 3 users not shown)
Line 1: | Line 1:
  [https://github.com/certbot/certbot Certbot] is [https://www.eff.org/ Electronic Frontier Foundation]'s [[ACME]] client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by [https://letsencrypt.org/ Let's Encrypt].
+ {{Note|It is recommended to use the the ACME service module, available through <code>security.acme</code>, instead of ''certbot''. Please consult the [[ACME | ACME page]] on how to use it.}}
  == Installation ==
− {{Note|Following example describes the usage of an experimental
+ {{Note|Following example describes the usage of an experimental module which is still being reviewed as an open PR and might not be ready for production.}}
− Install ''certbot''
+ Install ''certbot'' application and enable ''systemd-timer'' for automated renewal of certificates
  {{file|/etc/nixos/configuration.nix|nix|<nowiki>
− services.certbot
+ services.certbot = {
+   enable = true;
+   agreeTerms = true;
+ };
  </nowiki>}}
  == Usage ==
− It is possible to use several different methods to generate certificates
+ It is possible to use several different methods to generate and configure certificates. Verification is done manually, via web servers or DNS records. Not all methods are covered here, for more information please consult the [https://eff-certbot.readthedocs.io/en/stable/ upstream documentation].
− Generated certificates and keys by using the commands below will be stored as <code>/etc/letsencrypt/live/example.org/fullchain.pem</code> and <code>/etc/letsencrypt/live/example.org/privkey.pem</code>
+ Generated certificates and keys by using the commands below will be stored as <code>/etc/letsencrypt/live/example.org/fullchain.pem</code> and <code>/etc/letsencrypt/live/example.org/privkey.pem</code>, readable by the <code>acme</code> group.
  === Manual DNS challenge ===
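Review bot: the added note at the top has a doubled word ("use the the ACME service module"), and the new Installation example sets <code>agreeTerms = true;</code> without saying what is being agreed to; add a sentence that this option accepts the certificate authority's terms of service on the operator's behalf, so readers know it is a deliberate legal acceptance rather than a boilerplate switch. The new "readable by the <code>acme</code> group" sentence in the Usage section is a good addition; consider also stating that <code>privkey.pem</code> must not be made world-readable and that services consuming it should be added to that group rather than the file being relaxed.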
Line 48: | Line 47:
  services.certbot = {
    enable = true;
+   agreeTerms = true;
    package = pkgs.certbot.withPlugins (ps: with ps; [ certbot-dns-inwx ]);
  }
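Review bot: the closing line of this attribute set is <code>}</code> without a trailing semicolon, whereas the Installation example above correctly ends with <code>};</code>; as an attribute binding inside <code>configuration.nix</code>, <code>services.certbot = { ... }</code> needs the semicolon or the file will not evaluate. Change <code>}</code> to <code>};</code> so both examples are copy-paste safe.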
Line 54: | Line 54:
  Shared secret must be set in the configuration but you only have to configure the value if you're using 2FA on INWX.
− Manually generate certificates for <code>example.org</code> using the ''inwx''-plugin
+ Manually configure and generate certificates for <code>example.org</code> using the ''inwx''-plugin
  <syntaxhighlight lang="console">
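Review bot: the sentence about the INWX shared secret does not say where that secret (and the INWX credentials the plugin needs) is stored or how it should be protected; since these are API credentials that can change DNS records for the whole domain, document the credentials file path the plugin reads and state that it must be owned by the user running certbot and not readable by other accounts. It would also help to clarify whether "must be set" means the key has to be present with an empty value when 2FA is not in use.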
Line 60: | Line 60:
  </syntaxhighlight>
− Now that a specific domain is configured to get
+ Now that a specific domain is configured to get renewed using the plugin, the ''systemd-timer'' of the ''certbot'' module will automatically renew it after expiration.
+ [[Category:Server]]
+ [[Category:Applications]]
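Review bot: "will automatically renew it after expiration" should read "before it expires"; the point of the timer is that certbot's renewal run picks up certificates that are approaching expiry so that the web server never serves an expired certificate, and a renewal that only happened after expiry would leave a window of failed TLS handshakes. Consider also telling the reader how to confirm the timer is active and how to check the remaining validity of the issued certificate, so that a broken DNS plugin configuration is noticed before the certificate lapses.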