Certbot

From Dogtag

Latest revision as of 03:12, 6 August 2020

Overview

This document describes how to use certbot, the EFF's ACME client, to obtain certificates from the PKI ACME responder.

Notes:

  • certbot verifies the TLS certificate of the ACME server it talks to, so a --server URL whose certificate is self-signed (or issued by a CA the system does not trust) fails before any enrollment happens. Preferably make the CA trusted, for example by pointing the REQUESTS_CA_BUNDLE environment variable (honoured by the requests library certbot uses) at the CA's certificate. For local testing only, point --server at a plain HTTP directory URL or pass --no-verify-ssl; both leave the exchange open to tampering in transit, because the directory, nonces and issued certificate the server sends are protected by TLS alone and not by the client's JWS signatures, so never do this against a production CA.

Installation

$ dnf install certbot

Certificate Enrollment

Certificate enrollment with HTTP-01

To request a certificate with automatic http-01 validation, certbot's standalone plugin answers the challenge itself by binding port 80, so nothing else may be listening there and the ACME server must be able to reach http://server.example.com/ on port 80. --register-unsafely-without-email creates the ACME account without a contact address, which means the CA has no way to send expiry or revocation notices:

$ certbot certonly --standalone \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos

To request a certificate with manual http-01 validation, for example when the web server for the name runs on a different machine: certbot prints the token and the content to serve, waits until you have made it available at http://server.example.com/.well-known/acme-challenge/<token>, and only then asks the ACME server to validate:

$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos

Certificate enrollment with DNS-01

To request a certificate with manual dns-01 validation: certbot prints the value to publish in a TXT record at _acme-challenge.server.example.com and waits for confirmation before validation starts, so give the record time to propagate to the authoritative servers first:

$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d server.example.com \
    --preferred-challenges dns \
    --register-unsafely-without-email \
    --agree-tos

To request a multi-domain (SAN) certificate; every name is validated separately, and the first -d name (here example.com) becomes the lineage name used under /etc/letsencrypt/live/ and with --cert-name:

$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d example.com \
    -d www.example.com \
    -d server.example.com \
    --register-unsafely-without-email \
    --agree-tos

To request a wildcard certificate; a wildcard name can only be validated with dns-01, so the ACME server offers that challenge alone and certbot's manual plugin uses it without --preferred-challenges:

$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d *.example.com \
    --register-unsafely-without-email \
    --agree-tos
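What the manual http-01 and dns-01 prompts above are asking you to publish, as an added shell example that is not part of this page or of certbot: the key authorization is token.thumbprint, where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key; http-01 serves it verbatim under /.well-known/acme-challenge/<token>, and dns-01 publishes base64url(SHA-256(key authorization)) in a TXT record at _acme-challenge.<domain>. The token and thumbprint below are constructed values; certbot prints the real ones (and, for dns-01, the already computed TXT value) when it pauses. Requires openssl.

```shell
#!/bin/sh
# Added example (not from the Dogtag page or from certbot): derive the http-01
# and dns-01 challenge responses from a token and an account-key thumbprint.
# TOKEN and THUMBPRINT are constructed sample values, not real challenge data.
set -eu

# base64url (RFC 4648 section 5): URL-safe alphabet, no padding, one line.
b64url() {
  base64 | tr -d '=\n' | tr '+/' '-_'
}

# base64url(SHA-256(input)), the encoding ACME uses for the dns-01 TXT value.
b64url_sha256() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Key authorization (RFC 8555 section 8.1): token "." thumbprint, where the
# thumbprint is the RFC 7638 JWK thumbprint of the ACME account key.
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# http-01 (RFC 8555 section 8.3): the key authorization is served verbatim as
# the body of http://<domain>/.well-known/acme-challenge/<token>
http01_body() {
  key_authorization "$1" "$2"
}

# dns-01 (RFC 8555 section 8.4): base64url(SHA-256(key authorization)) is
# published as a TXT record at _acme-challenge.<domain>
dns01_txt_value() {
  b64url_sha256 "$(key_authorization "$1" "$2")"
}

# Constructed sample values; a real token is base64url text chosen by the server.
TOKEN="Wx8sK2PqZb0F3HjLd6NtVcYmR1gAuE5oBiT9Dn4C7lM"
THUMBPRINT="Q8hF2mLpXz7KdV1cRt4NwYb9JgE6oSaU3iBnH0fTyMk"
DOMAIN="server.example.com"

printf 'http-01: GET http://%s/.well-known/acme-challenge/%s must return\n  %s\n' \
  "$DOMAIN" "$TOKEN" "$(http01_body "$TOKEN" "$THUMBPRINT")"
printf 'dns-01:  _acme-challenge.%s. IN TXT "%s"\n' \
  "$DOMAIN" "$(dns01_txt_value "$TOKEN" "$THUMBPRINT")"
```

Knowing how the value is derived lets you check what certbot printed against what is actually reachable before you press Enter (fetch the URL with curl from outside, or query the TXT record with dig), because once you confirm, the CA validates immediately and a failed challenge has to be restarted with a new order.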

Certificate Storage

certbot stores the results under /etc/letsencrypt, in a lineage directory named after the first -d name (or after --cert-name, if given); for example.com:

  • certificate with its issuer chain: /etc/letsencrypt/live/example.com/fullchain.pem
  • private key: /etc/letsencrypt/live/example.com/privkey.pem

The files under live/ are symlinks to the current versions in /etc/letsencrypt/archive/example.com/, so configure the web server with the live/ paths and it will pick up renewed files on its next reload without reconfiguration. privkey.pem is created readable by root only; keep it that way rather than copying it to a world-readable location.

Renewing a Certificate

To renew a certificate with manual dns-01 validation, re-run the enrollment command for the same name and choose to renew and replace the existing certificate when certbot asks. Pass the same --server as the original enrollment; without it certbot uses its default (Let's Encrypt) directory:

$ certbot certonly --manual \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    -d example.com \
    --preferred-challenges dns

A certificate enrolled with --manual cannot be renewed by an unattended certbot renew (for example from the certbot systemd timer) unless the lineage was enrolled with a --manual-auth-hook that publishes the challenge without prompting.
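A --manual-auth-hook / --manual-cleanup-hook pair for http-01 that lets certbot renew run without a terminal, as an added example that is not from this page or from certbot. certbot runs the hook with CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION in its environment (CERTBOT_TOKEN is set for http-01 only); the document root path and the ACME_WEBROOT override are assumptions for the example. certbot's own --webroot plugin does the same job for http-01 without a hook; a dns-01 hook has the same shape but calls your DNS provider's API with CERTBOT_VALIDATION instead of writing a file.

```shell
#!/bin/sh
# Added example (not from the Dogtag page or from certbot): an http-01
# auth/cleanup hook for certbot's manual plugin, so renewals need no terminal.
# certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to the hook.
# The document root and the ACME_WEBROOT override are assumptions for this example.
set -eu

WEBROOT="${ACME_WEBROOT:-/var/www/html}"   # assumed document root of $CERTBOT_DOMAIN

# A genuine ACME token is base64url (RFC 8555 section 8.3): only [A-Za-z0-9_-].
# Anything else is rejected, so the token can never escape the challenge directory.
valid_token() {
  case $1 in
    '') return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Make the key authorization fetchable at
#   http://$CERTBOT_DOMAIN/.well-known/acme-challenge/$CERTBOT_TOKEN
place_challenge() {
  webroot=$1 token=$2 validation=$3
  valid_token "$token" || { echo "refusing suspicious token" >&2; return 1; }
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$validation" > "$dir/$token"
  chmod 0644 "$dir/$token"       # public by design, but not writable by others
}

# Remove the file once the CA has validated (or given up).
remove_challenge() {
  webroot=$1 token=$2
  valid_token "$token" || return 1
  rm -f "$webroot/.well-known/acme-challenge/$token"
}

# certbot itself passes no arguments; the single argument here is our own switch
# so one script can serve as both --manual-auth-hook and --manual-cleanup-hook.
main() {
  case "${1:-}" in
    auth)    place_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) remove_challenge "$WEBROOT" "$CERTBOT_TOKEN" ;;
    *)       echo "usage: $0 auth|cleanup" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked with a mode; running or sourcing the file without
# arguments just defines the functions.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Install it at a path of your choosing (say /usr/local/bin/acme-hook.sh, a hypothetical path) and enroll with --manual-auth-hook "/usr/local/bin/acme-hook.sh auth" --manual-cleanup-hook "/usr/local/bin/acme-hook.sh cleanup"; certbot records the hooks in the lineage's renewal configuration and reuses them on renew. The token check matters because the hook writes to a path built from a string the ACME server chose, and a compromised or misconfigured server should not be able to turn that into a write outside the challenge directory.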

Removing a Certificate

certbot delete removes the lineage's certificate, private key and renewal configuration from /etc/letsencrypt; it does not revoke the certificate at the CA. --cert-name is the lineage name, i.e. the directory name under /etc/letsencrypt/live/ (the first -d name by default), so $HOSTNAME only works if the certificate was enrolled for the machine's own name; certbot certificates lists the names. If the private key may have been exposed, revoke first with certbot revoke --cert-name <name>, then delete:

$ certbot delete --cert-name $HOSTNAME

See Also

  • Using PKI ACME Responder with Certbot: https://github.com/dogtagpki/pki/blob/master/docs/user/acme/Using_PKI_ACME_Responder_with_Certbot.md
  • Certbot: https://certbot.eff.org/
  • Certbot Docs: https://certbot.eff.org/docs/
  • ACME Client (wiki page)
  • certbot Fast-Guide: https://github.com/ppKrauss/certbot-faq/blob/master/README.md
  • Nginx (wiki page)