Wildcard Certificates with acme.sh: Difference between revisions
Revision as of 14:58, 3 October 2019
Base installation
apt install python-pip
pip install wheel
pip install certbot
DNS plugins
Gandi
NOTE: At time of writing, only an API key from the domain owner will work. So another account, even if listed as technical contact, will not be able to use the live DNS API, just the live DNS web interface. Since the writing of this HOWTO, there is now this as well: https://github.com/obynio/certbot-plugin-gandi TODO
- Get API key from Gandi (somewhere in account settings)
- install certbot-plugin-gandi
pip install 'git+https://gitlab.com/cspublic/certbot-plugin-gandi.git'
mkdir /etc/certbot-plugin-gandi
- create /etc/certbot-plugin-gandi/gandi.ini with the following:
certbot_plugin_gandi:dns_api_key=APIKEY
- a bit of paranoia
chmod 600 /etc/certbot-plugin-gandi/gandi.ini
- request certificate for both mydomain.blabla and *.mydomain.blabla
NOTE: At time of writing, the default server endpoint used by certbot (0.22) is not compatible with ACME v2; as a workaround, --server must be passed manually. The next version of certbot should point to the right server.
/usr/local/bin/certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/certbot-plugin-gandi/gandi.ini -d mydomain.blabla -d *.mydomain.blabla --server https://acme-v02.api.letsencrypt.org/directory
- If all goes well, certs will be there:
/etc/letsencrypt/live/mydomain.blabla/fullchain.pem
/etc/letsencrypt/live/mydomain.blabla/privkey.pem
NOTE: At time of writing, certbot-plugin-gandi seems to behave a bit funnily when asked to request a challenge for a wildcard cert (it works flawlessly for regular domains). It might be necessary to run the command several times to get the infamous CONGRATULATIONS message from certbot.
Renewal
To non-interactively renew *all* of your certificates:
/usr/local/bin/certbot renew
douglas
agnes
TODO: hooks!
service nginx restart
prosodyctl reload
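The hooks step left as TODO above, as an added example that is not the wiki's own script: a certbot deploy hook that runs the two reload commands only after checking that the renewed lineage is complete and its private key is not world-readable. It relies on the real certbot convention of executing scripts in /etc/letsencrypt/renewal-hooks/deploy/ with RENEWED_LINEAGE and RENEWED_DOMAINS exported; the domain-to-service mapping and the DRY_RUN switch are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: certbot deploy hook filling in "TODO: hooks!".
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (mode 755); certbot
# runs it after each successful renewal with RENEWED_LINEAGE (the live/<name> directory)
# and RENEWED_DOMAINS exported. Assumed: the mapping below, and DRY_RUN=1 to print commands.
set -euf   # -f: no globbing, so "*.mydomain.blabla" is never expanded against the cwd

# Refuse to reload anything if the lineage is incomplete or the key is world-readable.
check_lineage() {
    for f in "$1/fullchain.pem" "$1/privkey.pem"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    if [ -n "$(find -L "$1/privkey.pem" -perm -004)" ]; then
        echo "refusing to deploy: $1/privkey.pem is world-readable" >&2
        return 1
    fi
}

# Map renewed domains to services (assumed layout: nginx serves the web names,
# prosody serves XMPP for the apex). Prints a space-separated, ordered list.
services_for_domains() {
    nginx=0; prosody=0
    for d in $1; do
        case "$d" in
            mydomain.blabla)     nginx=1; prosody=1 ;;
            '*.mydomain.blabla') nginx=1 ;;
        esac
    done
    out=""
    if [ "$nginx" -eq 1 ]; then out="nginx"; fi
    if [ "$prosody" -eq 1 ]; then out="${out:+$out }prosody"; fi
    echo "$out"
}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi; }

deploy_hook() {
    check_lineage "$RENEWED_LINEAGE"
    svcs=$(services_for_domains "${RENEWED_DOMAINS:-}")
    [ -n "$svcs" ] || { echo "no service mapped for: ${RENEWED_DOMAINS:-}" >&2; return 0; }
    for svc in $svcs; do
        case "$svc" in
            nginx)   run service nginx restart ;;   # as on the page; "nginx -s reload" avoids the downtime
            prosody) run prosodyctl reload ;;
        esac
    done
}

# Only act when invoked by certbot (which exports RENEWED_LINEAGE); harmless when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy_hook; fi
```

Run it by hand with DRY_RUN=1 and the two variables set to see which commands a renewal would trigger without touching the services.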