Comment: Add some notes about using certbot in Stretch
Let’s Encrypt
Let’s Encrypt is an automated certificate authority providing free of charge, domain-validated TLS certificates that are obtained using the ACME protocol.
Let’s Encrypt clients
letsencrypt.sh - Renamed to dehydrated
Jessie Howto
Enable backports: https://backports.debian.org/Instructions/
Install certbot: https://certbot.eff.org/#debianjessie-apache
- apt-get install python-certbot-apache -t jessie-backports
- certbot --apache
- Optionally: follow certbot instructions and enable quiet cron job or follow up
Optionally enable Perfect Forward Secrecy: https://www.sslplus.de/wiki/Wie_konfiguriert_man_Apache_2.x_f%C3%BCr_Perfect_Forward_Secrecy
- edit "/etc/apache2/mods-available/ssl.conf" and uncomment "SSLHonorCipherOrder on"
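To confirm that the ssl.conf edit above actually took effect, the following check reports the effective SSLHonorCipherOrder value. This is an added example, not part of the original wiki page; the function names and the sample file contents are constructed, and it assumes every occurrence of the directive sits in the same scope.

```shell
#!/bin/sh
# Added example: audit SSLHonorCipherOrder in an Apache ssl.conf.

# honor_cipher_order FILE -> prints "on", "off" or "unset".
# Apache directive names are case-insensitive, and a line whose first
# non-blank character is '#' is a comment. Assumption: all occurrences are
# in the same scope, so the last uncommented one is taken as effective.
honor_cipher_order() {
    awk '
        $1 ~ /^#/ { next }                      # commented-out line
        tolower($1) == "sslhonorcipherorder" {  # directive name, any case
            state = tolower($2)
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# check_honor_cipher_order [FILE] -> exit status 0 only when the value is "on".
check_honor_cipher_order() {
    conf=${1:-/etc/apache2/mods-available/ssl.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    state=$(honor_cipher_order "$conf")
    echo "SSLHonorCipherOrder: $state ($conf)"
    [ "$state" = "on" ]
}

# Constructed sample: a file with the directive still commented out,
# then the same file after uncommenting it.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '<IfModule mod_ssl.c>' \
        '    SSLCipherSuite HIGH:!aNULL' \
        '    #SSLHonorCipherOrder on' \
        '</IfModule>' > "$tmp"
    check_honor_cipher_order "$tmp" && before=0 || before=$?
    sed 's/#SSLHonorCipherOrder/SSLHonorCipherOrder/' "$tmp" > "$tmp.new"
    check_honor_cipher_order "$tmp.new" && after=0 || after=$?
    rm -f "$tmp" "$tmp.new"
    echo "before=$before after=$after"
}

demo
```

Run `check_honor_cipher_order` with no argument to audit the path named in the step above; apache must still be reloaded for an edit to apply.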
Stretch Howto
You can install certbot from the main repository. You can also install some useful plugins that make getting certificates for nginx or apache easier.
python-certbot-apache - Apache plugin for Certbot
python-certbot-nginx - Nginx plugin for Certbot
The default version of certbot that is available in the repository will result in the following error message if you try to run certbot --apache:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
As discussed in the Let’s Encrypt forums, this is due to a security issue that existed in the old client.
In order to make a certificate for apache you can use the following command:
sudo certbot --authenticator standalone --installer apache \
    -d <domain> --pre-hook "service apache2 stop" --post-hook "service apache2 start"
In order to make a certificate for nginx you can use the following command:
sudo certbot --authenticator standalone --installer nginx \
    -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"