Revision of 16:22, 5 June 2017 (3,103 bytes added): Certbot reference; extracted from TLS page
Certbot is the client we use to obtain and renew the Transport Layer Security ([[TLS]]) certificates of our web servers from Let's Encrypt, and to configure Apache to use them.

== Let's Encrypt ==
We used to obtain certificates from StartSSL because they offered free one-year certificates. We have since moved to Let's Encrypt: the certificates are easier to manage (they renew automatically), and our TLS setup now scores an "A" grade where it previously scored a "B".
[[File:AGrade.png|left|500px]] [[File:BGrade.png|right|500px]]

'''Certbot''' ([https://github.com/certbot/certbot code]) is a fully-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring web servers to use them. This client runs on Unix-based operating systems. It '''requires''' root access and is '''beta''' software.

Until May 2016, Certbot was named simply <code>letsencrypt</code> or <code>letsencrypt-auto</code>, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name.

[https://certbot.eff.org/#pip-apache Certbot website] at EFF.org (the Electronic Frontier Foundation).

== Service ==
Using our [[Ansible]] role, we can install the certbot client. Then we can obtain as many certificates as needed, plus set up an automated job that runs <code>certbot renew</code>. Let's Encrypt certificates are valid for 90 days, and <code>renew</code> only replaces those that are within 30 days of expiry, so the job should run frequently (the Certbot documentation recommends twice a day) rather than once every 90 days; most runs do nothing, and a run that fails still leaves several weeks to fix the problem before the certificate expires.
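The renewal job above is only as good as the monitoring around it, so here is an added example (not code from this wiki or from the Certbot project) of a check that can run from cron next to <code>certbot renew</code>: it parses the report printed by <code>certbot certificates</code> and lists every lineage with fewer than N valid days left, or already marked INVALID. The report embedded in the script is constructed sample input in the layout certbot prints; the path <code>/opt/certbot/certbot-auto</code> and the 30-day default (matching certbot's own renewal threshold) are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the Certbot project): list the Certbot
# lineages that expire within N days by parsing the `certbot certificates`
# report. SAMPLE_REPORT below is constructed sample input; the certbot-auto
# path is an assumption.

# Print the Certificate Name of every lineage whose "Expiry Date" line reports
# fewer than $1 valid days, or that is already INVALID (expired, or a staging
# test certificate). Reads the `certbot certificates` report on stdin.
certs_expiring_within() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # "(VALID: 89 days)" -> 89; anything else, e.g. "(INVALID: EXPIRED)", is due
            if (match($0, /\(VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                if (days < limit) print name
            } else {
                print name
            }
        }'
}

# Constructed sample report in the layout `certbot certificates` prints.
SAMPLE_REPORT='Found the following certs:
  Certificate Name: example.org
    Domains: example.org www.example.org
    Expiry Date: 2017-09-03 14:22:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
  Certificate Name: wiki.example.org
    Domains: wiki.example.org
    Expiry Date: 2017-06-19 09:00:00+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/wiki.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wiki.example.org/privkey.pem
  Certificate Name: baz.example.org
    Domains: baz.example.org
    Expiry Date: 2017-05-01 09:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/baz.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/baz.example.org/privkey.pem'

# Live mode, guarded so that sourcing this file has no side effects: run the
# real report through the check and exit non-zero if anything is due, which
# makes cron (with MAILTO set) send the list of affected names.
if [ "${CERTBOT_CHECK_LIVE:-0}" = 1 ]; then
    due=$(/opt/certbot/certbot-auto certificates | certs_expiring_within "${1:-30}")
    if [ -n "$due" ]; then
        printf 'certificates due for renewal:\n%s\n' "$due" >&2
        exit 1
    fi
fi
```

Run it as <code>CERTBOT_CHECK_LIVE=1 ./check-certs.sh 30</code> from the same cron that runs <code>certbot renew</code>; anything it lists after a renew run means renewal is failing for that name and needs attention before the 30-day margin is used up.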

== Resources ==
# [https://letsencrypt.org/getinvolved/ Get Involved with Let's Encrypt]
## [https://letsencrypt.org/getting-started/ Getting Started]
## [https://github.com/letsencrypt/letsencrypt Code on GitHub]
## [https://letsencrypt.readthedocs.org/en/latest/ Docs]
# [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]
# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]
# [https://github.com/jaywink/ansible-letsencrypt Ansible role for Let's Encrypt]

== FAQ ==
; How do I obtain a new certificate?:
:# Set up the SSL virtual host in Apache, making sure it includes <code>SSLCertificateFile</code> and <code>SSLCertificateKeyFile</code> directives that point at the "snake-oil" certificate (shipped by the <code>ssl-cert</code> package), e.g.
:#: <code>SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem</code><br /><code>SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key</code>
:# Then run certbot. <code>--dry-run</code> is only accepted by the <code>certonly</code> and <code>renew</code> subcommands, so rehearse against the Let's Encrypt staging CA with <code>certonly</code> first (nothing is written to <code>/etc/letsencrypt</code>), then run the Apache installer for real:
:#: <code>/opt/certbot/certbot-auto certonly --apache -d example.org,www.example.org,wiki.example.org --dry-run</code><br /><code>/opt/certbot/certbot-auto --apache -d example.org,www.example.org,wiki.example.org</code>
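The two-step procedure above as an added example script (not code from this wiki or from the Certbot project): it rehearses against the staging CA with <code>certonly --dry-run</code> and only contacts the production CA, and lets the Apache plugin rewrite the vhost, if the rehearsal succeeded. The default <code>CERTBOT</code> path and the <code>--run</code> flag are assumptions; the production Let's Encrypt CA rate-limits failed validations, which is why a fail-closed rehearsal is worth the extra step.

```shell
#!/bin/sh
# Added example (not from the page or the Certbot project): obtain a
# certificate for a list of names, rehearsing against the Let's Encrypt
# staging CA first and only touching the real CA (and the Apache config)
# if the rehearsal succeeds. The default CERTBOT path is an assumption.
set -eu

CERTBOT=${CERTBOT:-/opt/certbot/certbot-auto}

# Join the arguments with commas, the form certbot's -d flag accepts.
join_domains() {
    _ifs=$IFS
    IFS=,
    printf '%s' "$*"
    IFS=$_ifs
}

# Rehearse with `certonly --dry-run` (--dry-run is only accepted by the
# certonly and renew subcommands), then do the real run with the Apache
# installer plugin so the vhost that currently uses the snake-oil certificate
# is rewritten to use the new one. Returns non-zero, without contacting the
# production CA, if the rehearsal fails (typically a failed challenge caused by
# DNS, firewall or vhost misconfiguration).
obtain_cert() {
    domains=$(join_domains "$@")
    if ! "$CERTBOT" certonly --apache --dry-run -d "$domains"; then
        echo "dry run failed for $domains; not requesting a real certificate" >&2
        return 1
    fi
    "$CERTBOT" --apache -d "$domains"
}

# Usage: ./obtain-cert.sh --run example.org www.example.org wiki.example.org
# (guarded so that sourcing this file has no side effects)
if [ "${1:-}" = "--run" ]; then
    shift
    obtain_cert "$@"
fi
```

Setting <code>CERTBOT=echo</code> in the environment prints the two command lines instead of running them, which is a cheap way to review the exact arguments before letting the script near a production host.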

; What certs do I have?:
: sudo /opt/certbot/certbot-auto certificates

; How do I expand a cert to include some sub-domains? (wildcard certs are not supported):
: sudo /opt/certbot/certbot-auto certonly --cert-name example.org --expand -d example.org,www.example.org,wiki.example.org,example.com,www.example.com,wiki.example.com

; How do I clean up my old/test certificates?:
: sudo /opt/certbot/certbot-auto revoke --cert-path /etc/letsencrypt/live/baz.example.org/cert.pem
: sudo /opt/certbot/certbot-auto delete --cert-name baz.example.org
: Revocation is only necessary when the private key may have been compromised. A certificate that is simply no longer used can just be deleted (and its Apache vhost removed) and left to expire; test certificates obtained with <code>--dry-run</code> are never written to disk, so there is nothing to clean up for them.

[[Category:Security]]
[[Category:System Administration]]