slackbuilds_ponce/system/letsencrypt/README.Slackware
Willy Sudiarto Raharjo f814a77d8a
system/letsencrypt: Update README.
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
2019-01-18 21:09:58 +07:00

59 lines
2.5 KiB
Text

PLUGINS SUPPORT
letsencrypt support multiple plugins to obtain/install certificates and many more to come in the future.
Using apache plugin is the recommended way as it doesn't require the webserver to be taken offline
causing downtime during validation.
All domain-spesific configuration files are stored in /etc/letsencrypt/renewal/<DOMAIN-NAME>
Once certificate is created, you need to enable SSL module in httpd.conf and configure httpd-ssl.conf
Since 0.14.1, letsencrypt is able to generate/renew all certificates for all of your configured vhost domains.
Just run letsencrypt or certbot and you will see all domains are available.
VALIDATION METHODS
Letsencrypt have several validation method, but the preferred solution for now is HTTP-01 and DNS-01.
TLS-SNI-01 will be deprecated per February 13, 2019
(https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209)
RENEWAL PROCESS
Best way to automate the certificate renewal is by using cron service.
Create a bash script in /etc/cron.monthly that does the following actions:
letsencrypt renew (it will automatically renew when the expired date is less than few weeks).
RATE LIMIT
Rate limit on registrations per IP is now 500 per 3 hours.
Rate limit on certificates per Domain is now 50 per 7 days.
See complete documentation here: https://letsencrypt.org/docs/rate-limits/
CONFIGURATION FILES
It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini).
An example configuration file is shown below:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
# email = foo@example.com
# Uncomment and update to generate certificates for the specified
# domains.
# domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the apache authenticator
# authenticator = apache
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html
By default, the following locations are searched:
/etc/letsencrypt/cli.ini
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).