Certbot: Difference between revisions
imported>Onny mNo edit summary |
imported>Onny No edit summary |
||
| Line 29: | Line 29: | ||
Currently there are several ''certbot'' plugins [https://search.nixos.org/packages?channel=22.05&from=0&size=50&sort=relevance&type=packages&query=certbot-dns already packaged]. While the plugin usage should be similar for most of them, you should look up upstream documentation on how to use thim. In this example we're going to configure and use [https://github.com/oGGy990/certbot-dns-inwx the plugin] for the hosting provider [https://www.inwx.com/en INWX]. | Currently there are several ''certbot'' plugins [https://search.nixos.org/packages?channel=22.05&from=0&size=50&sort=relevance&type=packages&query=certbot-dns already packaged]. While the plugin usage should be similar for most of them, you should look up upstream documentation on how to use thim. In this example we're going to configure and use [https://github.com/oGGy990/certbot-dns-inwx the plugin] for the hosting provider [https://www.inwx.com/en INWX]. | ||
{{Note|Following example describes the usage of an experimental plugin which is still being reviewed as an open PR and might not be ready for production.}} | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
environment.systemPackages = with pkgs; [ | |||
( certbot.withPlugins (ps: with ps; [ python310Packages.certbot-dns-inwx ]) ) | |||
]; | |||
</nowiki>}} | |||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
# certbot certonly -a dns-inwx -d example.org | # certbot certonly -a dns-inwx -d example.org | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 15:19, 10 September 2022
Certbot is Electronic Frontier Foundation's ACME client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by Let's Encrypt.
Installation
Install certbot in your current environment
# nix-env -iA nixos.certbot
Usage
Generated certificates and keys by using the commands below will be stored as /etc/letsencrypt/live/example.org/fullchain.pem and /etc/letsencrypt/live/example.org/privkey.pem.
To make the keys readable by a third party user or application, you could set custom ACL permissions. In this example we grant the user maddy read permissions for the certificate folder:
# sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}
Manual DNS challenge
The following command will generate a SSL certificate key pair for the domain example.org using the DNS authentication mechanism. After running this command, you'll get asked by the script to paste a specific key into your DNS records for example.org.
# certbot certonly --manual --preferred-challenges dns -d example.org --register-unsafely-without-email --agree-tos
DNS challenge using a plugin
Currently there are several certbot plugins already packaged. While the plugin usage should be similar for most of them, you should look up upstream documentation on how to use thim. In this example we're going to configure and use the plugin for the hosting provider INWX.
/etc/nixos/configuration.nix
environment.systemPackages = with pkgs; [
( certbot.withPlugins (ps: with ps; [ python310Packages.certbot-dns-inwx ]) )
];
# certbot certonly -a dns-inwx -d example.org