Difference between revisions of "Letsencrypt"
m (→Installation) |
(→Installation: cert -> cert.pem rather than fullchain.pem) |
||
Line 31: | Line 31: | ||
Replacing email and domains as required. Then configure SME with the certificates generated: | Replacing email and domains as required. Then configure SME with the certificates generated: | ||
− | config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/ | + | config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem |
config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem | config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem | ||
config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem | config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem |
Revision as of 15:43, 8 December 2015
Introduction
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It's main purpose is to allow people to encrypt the internet traffic by a very simple system.
The certs delivered must be renewed every 3 months.
Installation
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
Follow the instructions at Software_Collections and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found here
Then:
yum install python27 --enablerepo=scl-python27 yum install git
To use Let's Encrypt run:
scl enable python27 bash mkdir /src cd /src git clone https://github.com/letsencrypt/letsencrypt.git cd letsencrypt service httpd-e-smith stop ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk
Replacing email and domains as required. Then configure SME with the certificates generated:
config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem signal-event post-upgrade; signal-event reboot
Renew of the certs
A simple script to renew cert :
#!/bin/bash source /opt/rh/python27/enable export X_SCLS="`scl enable python27 'echo $X_SCLS'`" service httpd-e-smith stop cd /src/letsencrypt ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk --renew-by-default service httpd-e-smith start
You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see Crontab_Manager contrib for an easy way to achieve this.
Backup
Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups.
Source from info
Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680