Issue #6: Add more documentation around automatically generating certs.
1 parent 01d801c, commit f00a0ba
Showing 1 changed file with 17 additions and 3 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -50,13 +50,27 @@ None. | |
roles: | ||
- geerlingguy.certbot | ||
|
||
After installation, you can create certificates using the `certbot` (or `certbot-auto`) script, which by default is installed inside the configured `certbot_dir` (when using Git). Here are some example commands to configure certificates with Certbot: | ||
### Creating certificates with certbot | ||
|
||
After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: | ||
|
||
# Automatically add certs for all Apache virtualhosts (use with caution!). | ||
/opt/certbot/certbot-auto --apache | ||
certbot --apache | ||
|
||
# Generate certs, but don't modify Apache configuration (safer). | ||
/opt/certbot/certbot-auto --apache certonly | ||
certbot --apache certonly | ||
|
||
If you want to fully automate the process of adding a new certificate, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: | ||
|
||
1. Make sure any services listening on port 80 (Apache, Nginx, Varnish, etc.) are stopped. | ||
2. Register with something like `certbot register --agree-tos --email [[email protected]]` | ||
- Note: You won't need to do this step in the future, when generating additional certs on the same server. | ||
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` | ||
4. Re-start whatever was listening on port 80 before. | ||
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. | ||
6. Restart your webserver so it uses the new HTTPS virtualhost configuration. | ||
|
||
### Certbot certificate auto-renewal | ||
|
||
By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing. | ||
|
||
|
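Review bot: The new sentence beginning "After installation, you can create certificates" opens a parenthesis at "(use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git" and never closes it; add the closing paren before "Here are some example commands". Step 5 of the automation procedure tells the reader to point the virtualhost at `fullchain.pem` and `privkey.pem` but not where Certbot writes them; naming the default location (`/etc/letsencrypt/live/example.com/`, using the first `-d` domain from step 3) would save a lookup. The auto-renewal sentence at the end of the hunk says the cron job "will renew all installed certificates once per day"; `certbot renew` only replaces certificates that are approaching expiry, so "attempt to renew" or "renew any certificates nearing expiry" describes the daily job more accurately.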