letsencrypt configuration

Odhiambo Washington odhiambo at gmail.com
Sat Apr 1 04:51:32 UTC 2017


On 31 March 2017 at 23:50, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

>
> On Fri, March 31, 2017 3:08 pm, Andre Goree wrote:
> > On 2017/03/31 3:40 pm, Andre Goree wrote:
> >> So how is everyone going about configuring letsencrypt on FreeBSD?  It
> >> would seem that multiple ports that used to exist for this very
> >> purpose are no longer in the repos (letskencrypt, py-letsencrypt), so
> >> tutorials I'm finding (and even letskencrypt, which is still in the
> >> FreeBDS wiki) aren't much help.
> >>
> >> Thanks in advance.
> >>
> > I actually found this immediately after I posted, all can disregard this
> > post:  https://brnrd.eu/security/2016-12-30/acme-client.html
> >
>
>
> There was thread not long ago where I described in detail how I installed
> it. Look for that if nothing else helps. The only thing I would add to
> that thread is: you have to reload apache (as if you are restarting it) to
> load updated certificate, which you can do in the cron job you set for
> updating certs; add --post-hook like below:
>
> /usr/local/bin/certbot renew --quiet --post-hook
> "/usr/local/sbin/apachectl graceful"
>
> Thanks.
> Valeri
>


Probably the easiest method I ever found was using le-utils by Vladimir
Botka.

Quoting Vladimir Botka:

<quote>

Port security/py-certbot (letsencrypt.org client) works fine for me.
FYI, Automatic Certificate Management Environment (ACME) is IETF
project https://github.com/ietf-wg-acme/acme/

FWIW, you might want to try my scripts and automate the renewal via
cron https://github.com/vbotka/le-utils. Available also as an Ansible
role https://galaxy.ansible.com/vbotka/leutils/.

There are also other letsencrypt clients
https://github.com/certbot/certbot/wiki/Links#other-lets-encrypt--acme-clients

++
find below the example how I run it from cron [1]. You can
install and configure it manually, or you can use Ansible
role https://galaxy.ansible.com/vbotka/leutils/.

For more info just download the scripts from github
https://github.com/vbotka/le-utils and type "lectl" [2] (similar for
leinfo).

Sorry, the documentation is best effort. For more details you might
want to go through the source.

HTH. Cheers,

        -vlado

[1]
# crontab -l
MAILTO="root"
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -D=30 -c -a

[2]
# lectl

lectl [-V|--version] [-h|--help] [-s|--silent] [-d|--debug]
      [-l|--list] [-r|--raw]
      [-p|--permissions]
      [-e|--expire] [-D=NoOfDays|--Days=NoOfDays]
      [-c|--renew] [-n|--dryrun] [-a|--all|<CN>]
      -- Letsencrypt certificates management

where:
 -V --version ....... print version and exit
 -h --help .......... show this help and exit
 -l --list .......... list domains and exit
 -r --raw ........... print raw output of openssl x509 command
 -p --permissions ... set permissions (Note 5)
 -e --expire ........ show number of days till certificate expires
 -D --Days=NoOfDays . with -e list certificates that will expire in
                      period of NoOfDays
 -s --silent ........ print errors only; with -e only report number
                      of days to expire
 -d --debug ......... print debug output
 -c --renew ......... renew certificates (Note 2,3)
 -n --dryrun ........ with -c dry run only
 -a --all ........... check all domains
 <CN> ............... check domain (Note 1)

Examples:
Print information about all certificates.
# lectl -a
Print raw output of openssl x509 command for example.com
# lectl -r example.com
List all certificates that will expire in less than 30 days.
# lectl -e --Days=30 -a
Dry run renewal of all certificates (run daily in cron for feedback).
# lectl -n -c -a
Renew all certificates if any of them expires in less than 30 days
(renewal of single certificate is not available). (Note 4)
# lectl -D=30 -c -a
Set permissions of private keys to
# lectl -p

Notes:
1) Renewal of single certificate
# /usr/local/bin/letsencrypt(certbot) renew --dry-run -d example.com
Currently, the renew verb is only capable of renewing all installed
certificates that are due to be renewed; individual domains cannot be
specified with this action. If you would like to renew specific
certificates, use the certonly command. The renew verb may provide
other options for selecting certificates to renew in the future.
2) Rate Limits for Let’s Encrypt
https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt
* limited to 20 certificates per domain per week
* limited to 5 certificates per FQDN set per week
* the number of registrations you can make in a given time period;
  currently 500 per 3 hours
3) Lifetime of the certificate (Pros and cons of 90-day
certificate lifetimes)
https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes
The Technical Advisory Board chose
* 90-day certificate lifetime to start with
* with an expectation that people will want to auto-renew at the
  60-day mark.
4) Certbot will not renew a certificate more than 30 days before
expiration. Message: Cert not yet due for renewal.
5) Set permissions of all private keys to 0600 and set permissions of
the accounts, keys and live directories in /usr/local/etc/letsencrypt
to 0700.


</quote>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
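The two checks the quoted cron jobs perform, expiry (`leinfo -e --Days=30`) and key permissions (`lectl -p`), as an added example in stdlib Python. This is not code from le-utils, certbot or anyone in this thread. It assumes certbot's default tree on FreeBSD as named in Note 5 (`/usr/local/etc/letsencrypt` with `live/<CN>/cert.pem`, real key files under `archive/<CN>/privkeyN.pem` and `keys/`, and the `accounts`, `keys` and `live` directories expected to be 0700), and that the `openssl` binary is in `PATH`. The 30-day threshold is certbot's own renewal window from Note 4; the constructed `notAfter` strings in the comments are for illustration only.

```python
#!/usr/bin/env python3
"""Expiry and permission checks over a certbot tree.

Added example, not code from le-utils, certbot or this thread.  Reports
days until each live certificate expires, flags those inside certbot's
30-day renewal window, and lists key files or directories whose mode is
wider than Note 5 allows.
"""
import os
import ssl
import stat
import subprocess
import time

# Assumed certbot layout on FreeBSD (the path given in Note 5).
LE_DIR = "/usr/local/etc/letsencrypt"
RENEW_THRESHOLD_DAYS = 30            # certbot will not renew earlier (Note 4)
PRIVATE_DIRS = ("accounts", "keys", "live")   # expected 0700 (Note 5)


def days_until_expiry(enddate_line, now=None):
    """Turn the 'notAfter=Jun 30 12:00:00 2017 GMT' line printed by
    `openssl x509 -noout -enddate` into whole days left.
    Negative means the certificate has already expired."""
    if now is None:
        now = time.time()
    _, _, value = enddate_line.strip().partition("=")
    # ssl.cert_time_to_seconds parses exactly openssl's notAfter format,
    # including the space-padded day ("Jun  2 ...").
    expiry = ssl.cert_time_to_seconds(value)
    return int((expiry - now) // 86400)


def renewal_due(days_left, threshold=RENEW_THRESHOLD_DAYS):
    """certbot only renews inside the last `threshold` days (Note 4); a
    cron run before that just logs 'Cert not yet due for renewal'."""
    return days_left <= threshold


def mode_too_open(mode, allowed):
    """True if `mode` grants any permission bit outside `allowed`,
    e.g. 0644 on a private key that should be 0600.  File-type bits
    from st_mode are masked off first."""
    return bool(stat.S_IMODE(mode) & ~allowed)


def path_too_open(path, allowed):
    return mode_too_open(os.stat(path).st_mode, allowed)


def openssl_enddate(cert_path):
    """Ask openssl for the notAfter line of a PEM certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True)
    return out.stdout


def audit_permissions(le_dir=LE_DIR):
    """Return (path, reason) pairs for anything wider than Note 5 allows."""
    findings = []
    for name in PRIVATE_DIRS:
        d = os.path.join(le_dir, name)
        if os.path.isdir(d) and path_too_open(d, 0o700):
            findings.append((d, "directory not 0700"))
    # archive/<CN>/privkeyN.pem are the real key files behind the live/ links.
    for root, _dirs, files in os.walk(os.path.join(le_dir, "archive")):
        for f in files:
            if f.startswith("privkey"):
                p = os.path.join(root, f)
                if path_too_open(p, 0o600):
                    findings.append((p, "private key not 0600"))
    # Everything under keys/ is a private key as well.
    for root, _dirs, files in os.walk(os.path.join(le_dir, "keys")):
        for f in files:
            p = os.path.join(root, f)
            if path_too_open(p, 0o600):
                findings.append((p, "private key not 0600"))
    return findings


def report(le_dir=LE_DIR, threshold=RENEW_THRESHOLD_DAYS):
    """One line per CN plus one per permission finding."""
    lines = []
    live = os.path.join(le_dir, "live")
    cns = sorted(os.listdir(live)) if os.path.isdir(live) else []
    for cn in cns:
        cert = os.path.join(live, cn, "cert.pem")
        if not os.path.isfile(cert):      # skips certbot's README in live/
            continue
        days = days_until_expiry(openssl_enddate(cert))
        state = "RENEW" if renewal_due(days, threshold) else "ok"
        lines.append(f"{cn}: {days} days left [{state}]")
    for path, why in audit_permissions(le_dir):
        lines.append(f"{path}: {why}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it from cron alongside `certbot renew`; a non-empty permission section or any `[RENEW]` line still present the day after the renewal job is the signal worth mailing to root, much as the quoted crontab mails `leinfo` output.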