Date: Sat, 1 Apr 2017 07:50:50 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: User Questions <freebsd-questions@freebsd.org>
Subject: Re: letsencrypt configuration
Message-ID: <CAAdA2WPgfxSk718ANc500dSbsyFvz6G9JnWsf2K=QmuVFF7Zug@mail.gmail.com>
In-Reply-To: <30904.128.135.52.6.1490993453.squirrel@cosmo.uchicago.edu>
References: <77a1e8683e3a15cd08986d66807959b2@drenet.net> <30dbdfbaabd9637b9ea95c855497240e@drenet.net> <30904.128.135.52.6.1490993453.squirrel@cosmo.uchicago.edu>
On 31 March 2017 at 23:50, Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
>
> On Fri, March 31, 2017 3:08 pm, Andre Goree wrote:
> > On 2017/03/31 3:40 pm, Andre Goree wrote:
> >> So how is everyone going about configuring letsencrypt on FreeBSD? It
> >> would seem that multiple ports that used to exist for this very
> >> purpose are no longer in the repos (letskencrypt, py-letsencrypt), so
> >> tutorials I'm finding (and even letskencrypt, which is still in the
> >> FreeBSD wiki) aren't much help.
> >>
> >> Thanks in advance.
> >>
> > I actually found this immediately after I posted, all can disregard this
> > post: https://brnrd.eu/security/2016-12-30/acme-client.html
> >
>
> There was a thread not long ago where I described in detail how I installed
> it. Look for that if nothing else helps. The only thing I would add to
> that thread is: you have to reload apache (as if you are restarting it) to
> load the updated certificate, which you can do in the cron job you set for
> updating certs; add --post-hook like below:
>
> /usr/local/bin/certbot renew --quiet --post-hook "/usr/local/sbin/apachectl graceful"
>
> Thanks.
> Valeri
>

Probably the easiest method I ever found was using le-utils by Vladimir Botka.

Quoting Vladimir Botka:

<quote>
Port security/py-certbot (letsencrypt.org client) works fine for me.

FYI, Automatic Certificate Management Environment (ACME) is an IETF project
https://github.com/ietf-wg-acme/acme/

FWIW, you might want to try my scripts and automate the renewal via cron
https://github.com/vbotka/le-utils. Available also as an Ansible role
https://galaxy.ansible.com/vbotka/leutils/.

There are also other letsencrypt clients
https://github.com/certbot/certbot/wiki/Links#other-lets-encrypt--acme-clients

++

Find below the example of how I run it from cron [1]. You can install and
configure it manually, or you can use the Ansible role
https://galaxy.ansible.com/vbotka/leutils/.

For more info just download the scripts from github
https://github.com/vbotka/le-utils and type "lectl" [2] (similar for
leinfo). Sorry, the documentation is best effort. For more details you
might want to go through the source.

HTH.

Cheers,
-vlado

[1]
# crontab -l
MAILTO="root"
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -D=30 -c -a

[2]
# lectl
lectl [-V|--version] [-h|--help] [-s|--silent] [-d|--debug] [-l|--list]
      [-r|--raw] [-p|--permissions] [-e|--expire] [-D=NoOfDays|--Days=NoOfDays]
      [-c|--renew] [-n|--dryrun] [-a|--all|<CN>]
-- Letsencrypt certificates management
where:
  -V --version ....... print version and exit
  -h --help .......... show this help and exit
  -l --list .......... list domains and exit
  -r --raw ........... print raw output of openssl x509 command
  -p --permissions ... set permissions (Note 5)
  -e --expire ........ show number of days till certificate expires
  -D --Days=NoOfDays . with -e list certificates that will expire in period of NoOfDays
  -s --silent ........ print errors only; with -e only report number of days to expire
  -d --debug ......... print debug output
  -c --renew ......... renew certificates (Note 2,3)
  -n --dryrun ........ with -c dry run only
  -a --all ........... check all domains
  <CN> ............... check domain (Note 1)

Examples:
Print information about all certificates.
# lectl -a
Print raw output of openssl x509 command for example.com
# lectl -r example.com
List all certificates that will expire in less than 30 days.
# lectl -e --Days=30 -a
Dry run renewal of all certificates (run daily in cron for feedback).
# lectl -n -c -a
Renew all certificates if any of them expires in less than 30 days (renewal of a single certificate is not available). (Note 4)
# lectl -D=30 -c -a
Set permissions of private keys (Note 5)
# lectl -p

Notes:
1) Renewal of a single certificate
   # /usr/local/bin/letsencrypt(certbot) renew --dry-run -d example.com
   Currently, the renew verb is only capable of renewing all installed
   certificates that are due to be renewed; individual domains cannot be
   specified with this action. If you would like to renew specific
   certificates, use the certonly command. The renew verb may provide other
   options for selecting certificates to renew in the future.
2) Rate Limits for Let's Encrypt
   https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt
   * limited to 20 certificates per domain per week
   * limited to 5 certificates per FQDN set per week
   * the number of registrations you can make in a given time period;
     currently 500 per 3 hours
3) Lifetime of the certificate (Pros and cons of 90-day certificate lifetimes)
   https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes
   The Technical Advisory Board chose
   * a 90-day certificate lifetime to start with
   * with an expectation that people will want to auto-renew at the 60-day mark.
4) Certbot will not renew a certificate more than 30 days before expiration.
   Message: Cert not yet due for renewal.
5) Set permissions of all private keys to 0600 and set permissions of
   accounts, keys, live in /usr/local/etc/letsencrypt to 0700.
</quote>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
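The expiry-then-renew logic that the crontab above drives with "leinfo -e --Days=30" and "lectl -D=30 -c -a", as an added example that is not from the thread, from le-utils or from certbot: it relies on "openssl x509 -checkend" (so no BSD-vs-GNU date parsing), assumes certbot's live/<CN>/cert.pem layout, and the function names, the demo CNs and make_demo_certs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or le-utils): the expiry check behind
# "leinfo -e --Days=30" and "lectl -D=30 -c -a", built on openssl x509 -checkend.

# expires_within CERT DAYS: succeeds if CERT expires within DAYS days.
# -checkend exits 0 while the cert is still valid at the end of the period.
expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# check_live_dir DIR DAYS: print each <CN> under DIR (the certbot live/
# tree, e.g. /usr/local/etc/letsencrypt/live) whose cert.pem expires within DAYS.
check_live_dir() {
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue
        expires_within "$cert" "$2" && basename "$(dirname "$cert")"
    done
    return 0
}

# renew_if_due DIR DAYS CMD...: run CMD once if any cert is due, e.g.
#   renew_if_due /usr/local/etc/letsencrypt/live 30 \
#       /usr/local/bin/certbot renew --quiet --post-hook "/usr/local/sbin/apachectl graceful"
renew_if_due() {
    dir=$1; days=$2; shift 2
    due=$(check_live_dir "$dir" "$days")
    if [ -z "$due" ]; then
        echo "nothing due within $days days"
        return 0
    fi
    echo "due within $days days: $due"
    "$@"
}

# make_demo_certs DIR: constructed self-signed certs standing in for live/,
# one 10 days from expiry (due at the 30-day mark) and one 80 days out (not due).
make_demo_certs() {
    for pair in soon.example:10 later.example:80; do
        cn=${pair%%:*}; mkdir -p "$1/$cn"
        openssl req -x509 -newkey rsa:2048 -nodes -days "${pair##*:}" -subj "/CN=$cn" \
            -keyout "$1/$cn/privkey.pem" -out "$1/$cn/cert.pem" >/dev/null 2>&1
    done
}

# Stand-alone demo: sh check-expiry.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_demo_certs "$tmp"
    renew_if_due "$tmp" 30 echo "would run: certbot renew --quiet --post-hook apachectl graceful"
    rm -rf "$tmp"
fi
```

In a real crontab the renew command is Valeri's certbot line with the apachectl post-hook, so Apache only gets reloaded on the days a certificate actually changes.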