Certbot

From NixOS Wiki
Revision as of 13:43, 29 August 2022 by imported>Onny (Info about setting up read permissions)

Certbot is Electronic Frontier Foundation's ACME client, which is written in Python and provides conveniences like automatic web server configuration and a built-in webserver for the HTTP challenge. Certbot is recommended by Let's Encrypt.

Installation

Install certbot in your current environment 

# nix-env -iA nixos.certbot

Usage

DNS challenge

The following command will generate a SSL certificate key pair for the domain example.org using the DNS authentication mechanism. After running this command, you'll get asked by the script to paste a specific key into your DNS records for example.org. 

# certbot certonly --manual --preferred-challenges dns -d example.org --register-unsafely-without-email --agree-tos

If everthing went well you'll have the certificate and key file stored as /etc/letsencrypt/live/example.org/fullchain.pem and /etc/letsencrypt/live/example.org/privkey.pem

To make the keys readable by a third party user or application, you could set custom ACL permissions. In this example we grant the user maddy read permissions for the certificate folder: 

# sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}
Retrieved from "https://wiki.nixos.org/w/index.php?title=Certbot&oldid=10067"