mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-22 19:44:21 +01:00
f814a77d8a
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
59 lines
2.5 KiB
Text
59 lines
2.5 KiB
Text
PLUGINS SUPPORT
|
|
letsencrypt support multiple plugins to obtain/install certificates and many more to come in the future.
|
|
Using apache plugin is the recommended way as it doesn't require the webserver to be taken offline
|
|
causing downtime during validation.
|
|
|
|
All domain-spesific configuration files are stored in /etc/letsencrypt/renewal/<DOMAIN-NAME>
|
|
Once certificate is created, you need to enable SSL module in httpd.conf and configure httpd-ssl.conf
|
|
|
|
Since 0.14.1, letsencrypt is able to generate/renew all certificates for all of your configured vhost domains.
|
|
Just run letsencrypt or certbot and you will see all domains are available.
|
|
|
|
VALIDATION METHODS
|
|
Letsencrypt have several validation method, but the preferred solution for now is HTTP-01 and DNS-01.
|
|
TLS-SNI-01 will be deprecated per February 13, 2019
|
|
(https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209)
|
|
|
|
RENEWAL PROCESS
|
|
Best way to automate the certificate renewal is by using cron service.
|
|
Create a bash script in /etc/cron.monthly that does the following actions:
|
|
letsencrypt renew (it will automatically renew when the expired date is less than few weeks).
|
|
|
|
RATE LIMIT
|
|
Rate limit on registrations per IP is now 500 per 3 hours.
|
|
Rate limit on certificates per Domain is now 50 per 7 days.
|
|
See complete documentation here: https://letsencrypt.org/docs/rate-limits/
|
|
|
|
CONFIGURATION FILES
|
|
|
|
It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini).
|
|
An example configuration file is shown below:
|
|
|
|
# This is an example of the kind of things you can do in a configuration file.
|
|
# All flags used by the client can be configured here. Run Let's Encrypt with
|
|
# "--help" to learn more about the available options.
|
|
|
|
# Use a 4096 bit RSA key instead of 2048
|
|
rsa-key-size = 4096
|
|
|
|
# Uncomment and update to register with the specified e-mail address
|
|
# email = foo@example.com
|
|
|
|
# Uncomment and update to generate certificates for the specified
|
|
# domains.
|
|
# domains = example.com, www.example.com
|
|
|
|
# Uncomment to use a text interface instead of ncurses
|
|
# text = True
|
|
|
|
# Uncomment to use the apache authenticator
|
|
# authenticator = apache
|
|
|
|
# Uncomment to use the webroot authenticator. Replace webroot-path with the
|
|
# path to the public_html / webroot folder being served by your web server.
|
|
# authenticator = webroot
|
|
# webroot-path = /usr/share/nginx/html
|
|
|
|
By default, the following locations are searched:
|
|
/etc/letsencrypt/cli.ini
|
|
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).
|