path: root/src/blog/temp/certbot_wildcard.md
blob: 70c7782bfffda14761fbf862be49ed3ad5a5561f (plain)
# Change DNS server to Vultr for Certbot automation and a wildcard (`*`) certificate

https://www.vultr.com/docs/introduction-to-vultr-dns/
https://certbot.eff.org/instructions?ws=nginx&os=arch&tab=wildcard
https://github.com/bsorahan/certbot-dns-vultr
https://github.com/alexzorin/certbot-dns-multi

https://wiki.archlinux.org/title/certbot#Managing_Nginx_server_blocks

https://serverfault.com/questions/896711/how-to-totally-remove-a-certbot-created-ssl-certificate


```sh
certbot delete
pacman -Rns certbot-nginx # probably still needed, should install just in case
yay -S certbot-dns-vultr
```

enable the API: https://www.vultr.com/api/
https://my.vultr.com/settings/#settingsapi

it autodetects the subnet for the access control (in my case an IPv6 one)

create a credentials file with the contents:

```ini
dns_vultr_token = aabbccddeeff112233445566778899
```
and set its permissions to `600`
update the create-certificate script by adding:

```sh
CREDENTIALS_FILE=/path/to/credential/file
DOMAINS="example.com,mail.example.com,*.example.com" # quoted so the shell does not glob-expand the wildcard
EMAIL=hey@example.com

certbot certonly --domains "$DOMAINS" --email "$EMAIL" \
    --authenticator dns-vultr \
    --dns-vultr-credentials "$CREDENTIALS_FILE" \
    --preferred-challenges dns-01
```
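Two things go wrong most often with this setup: the credentials file ends up readable by other users (the API token it holds controls every DNS record on the account), and a wildcard is requested without the apex name, which `*.example.com` does not cover. The following pre-flight script is an added example, not part of these notes or of the certbot-dns-vultr plugin; the paths and the token value used in its checks are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the notes above): pre-flight checks to run before the
# certbot certonly / renew command. Paths and the token value are constructed.

# check_vultr_credentials FILE
# Succeeds only if FILE exists, is mode 600 and holds a non-empty dns_vultr_token,
# so a world-readable API token never silently reaches certbot.
check_vultr_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "mode $mode on $f, want 600" >&2; return 1; }
    grep -Eq '^[[:space:]]*dns_vultr_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f" \
        || { echo "no dns_vultr_token in $f" >&2; return 1; }
}

# check_domains LIST
# LIST is the comma-separated --domains value. A wildcard *.example.com does not
# match the apex example.com, so every wildcard entry must be paired with its apex.
check_domains() {
    list=$1
    rc=0
    case $- in *f*) had_f=1 ;; *) had_f=0 ;; esac
    set -f                      # keep *.example.com from globbing
    old_ifs=$IFS; IFS=,
    for d in $list; do
        case $d in
            \*.*)
                apex=${d#\*.}
                case ",$list," in
                    *",$apex,"*) ;;
                    *) echo "wildcard $d requested without apex $apex" >&2; rc=1 ;;
                esac ;;
        esac
    done
    IFS=$old_ifs
    [ "$had_f" = 1 ] || set +f
    return "$rc"
}

# preflight CREDENTIALS_FILE DOMAINS
# Combined gate; exit status 0 means it is safe to invoke certbot.
preflight() {
    check_vultr_credentials "$1" && check_domains "$2"
}
```

Source the file and run `preflight "$CREDENTIALS_FILE" "$DOMAINS" || exit 1` at the top of the create-certificate script, so a loose token file or a wildcard-only domain list stops the run before any ACME order is placed.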

the certificate will be installed at:

```
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
```


the renewal configuration is stored at `/etc/letsencrypt/renewal/example.com.conf`, which is useful when the API key needs changing

test renew:

```sh
certbot renew --dry-run
```

update `certbot-renew.service` to add an `nginx.service` reload hook, by running `systemctl edit certbot-renew.service` and adding:

```ini
[Service]
ExecStart=/usr/bin/certbot -q renew --post-hook "systemctl reload nginx.service"
```

create a config that redirects all HTTP traffic to HTTPS: https://phoenixnap.com/kb/redirect-http-to-https-nginx

```nginx
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
```

add the redirect config to `nginx.conf`


create the shared 443/TLS snippet (to be included in each server config file):

```nginx
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
```

include this snippet in every server block that needs TLS