On 10/11/2018 09:59, Tom via list wrote:
> A friend has asked me to try and set up letsencrypt on his names.co.uk
> service and they are not helpful at all.
>
> Anyone done this at all and got any tips?

Yeah, it's really straightforward - presuming you just want a single host covered _and_ you want autorenewal to work without manual intervention, use the automatic webroot version of letsencrypt.

There is a DNS plugin that's cleaner to do the validation, but without a plugin for the specific provider - which namecheap doesn't have - you'll end up having to do it manually every three months when renewal rolls around. There are some painful-looking workarounds using ACME, but namecheap again have some pitfalls apparently:
https://community.letsencrypt.org/t/help-with-dns-challenge-and-namecheap/59776/5

So just use certbot in 'normal' webroot mode - it will write a token on the host to http://domain/.well-known/acme-challenge/<file>, which the letsencrypt servers will connect to, detect and confirm you control the website, and then issue the cert, which certbot can optionally write into your webserver config.

However, there are of course some problems with this. It uses http for this (NOT https), so if you're already running a live site there and it's on port 80 you'll have to play some shenanigans - or just take the site down for 60 seconds, unless you like mucking about with things.

I get around this by not serving any web traffic on port 80 (duh, it's 2018) except to redirect it to 443 immediately. I use a docker container with an nginx reverse proxy and all the certbot tools to do the heavy lifting, and drop in an iptables rule on the host to sniff for incoming port 80 traffic specifically from letsencrypt and then redirect it to an arbitrary port where the docker container is listening. If you bind your volumes correctly the docker container can write directly to the certificate store on the host for you, and it can all be tied up in cron for autorenewal without ever messing with or disrupting the main http daemon.

Super TL;DR version - if the site you're doing this for can be easily disrupted for ~60 seconds or so once every 3 months and doesn't have any fancy HSTS or pinning or anything that'll need temporarily disabling, ssh in and run:

sudo certbot --apache -d mydomain.com

That's it. There's a ton of documentation out there. If you're new to this then I'd check it on a VM or two at your place first and get yourself some test certificates before doing it on a live box somewhere. They're free after all!

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
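The setup described in the reply above (port 80 only redirects to 443, except for the HTTP-01 challenge path that certbot's webroot mode writes to, plus an iptables redirect and a cron renewal), as an added shell example that is not part of the original post or of certbot's own tooling. The domain, webroot path and container port (example.com, /var/www/acme, 8402) are placeholders, and the generator functions only print the config and commands so the script can be run and checked without touching a live host.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders (assumptions):
DOMAIN="${DOMAIN:-example.com}"        # the name to get a cert for
WEBROOT="${WEBROOT:-/var/www/acme}"    # where certbot --webroot drops tokens
ACME_PORT="${ACME_PORT:-8402}"         # port the certbot/nginx container listens on

# The URL the Let's Encrypt validators fetch for an HTTP-01 token.
# Plain http, never https: the cert does not exist yet.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# nginx server block for port 80: serve the challenge directory from the
# webroot, send everything else to https. The ^~ prefix match wins over
# the catch-all so the redirect never swallows the validator's request.
nginx_port80_block() {
    cat <<EOF
server {
    listen 80;
    server_name $1;

    location ^~ /.well-known/acme-challenge/ {
        root $2;
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# certbot in webroot mode: writes the token under $2/.well-known/acme-challenge/
# and does not touch the running web server's config.
certbot_webroot_cmd() {
    printf 'certbot certonly --webroot -w %s -d %s\n' "$2" "$1"
}

# Host-side NAT rule handing port 80 to the container's port, for the
# "nothing else listens on 80" layout described in the post.
iptables_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1"
}

# Cron line for unattended renewal; the deploy hook only runs when a cert
# actually changed, so reloads are not triggered on the no-op runs.
cron_renew_line() {
    printf '0 3,15 * * * certbot renew --quiet --deploy-hook "nginx -s reload"\n'
}

# Pre-flight: confirm the challenge directory can be created and a token
# written and read back under the given webroot. Returns 0 on success.
webroot_writable() {
    dir="$1/.well-known/acme-challenge"
    token="selfcheck-$$"
    mkdir -p "$dir" 2>/dev/null || return 1
    printf 'ok' > "$dir/$token" 2>/dev/null || return 1
    rc=0
    [ "$(cat "$dir/$token")" = "ok" ] || rc=1
    rm -f "$dir/$token"
    return $rc
}

# Stand-alone run: print everything an operator would paste into place.
if [ "${1:-}" = "show" ]; then
    echo "# validator will fetch, e.g.: $(challenge_url "$DOMAIN" TOKEN)"
    nginx_port80_block "$DOMAIN" "$WEBROOT"
    echo "# then:"
    certbot_webroot_cmd "$DOMAIN" "$WEBROOT"
    iptables_redirect_rule "$ACME_PORT"
    echo "# crontab:"
    cron_renew_line
fi
```

Run it as `sh acme-setup.sh show` to print the pieces; nothing is applied. One caveat on the iptables part of the post: Let's Encrypt does not publish a fixed list of validator source addresses and validates from several vantage points, so a rule keyed on "traffic from letsencrypt" is fragile; the rule generated here redirects all port 80 traffic, which is safe when, as in the post, port 80 does nothing but redirect anyway.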