create certificate
1
|
certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
|
Apache config
Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver
to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/)
This makes renew and create certificates very easy.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
CustomLog /var/log/httpd/access.log combined
ErrorLog /var/log/httpd/error.log
Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
<Location "/.well-known/acme-challenge">
Require all granted
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Location>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
</VirtualHost>
|
renew certificates
systemd service
1
2
3
4
5
6
7
8
|
cat > /etc/systemd/system/certbot.service << EOF
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
EOF
|
systemd timer
1
2
3
4
5
6
7
8
9
10
|
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
|
enable certbot timer
1
2
|
systemctl start certbot.timer
systemctl enable certbot.timer
|
renewal hooks
restart httpd after renewal
1
2
3
4
5
|
cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
#!/bin/sh
systemctl restart httpd
EOF
|
restart mail container
1
2
3
4
5
|
cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
#!/bin/sh
lxc-stop -r -n 'mail'
EOF
|