https://quicktasks.ismael.casimpan.com/tags/letsencrypt/Recent content in letsencrypt on IT QuicktasksHugo -- gohugo.ioCopyright © 2018–2022, Ismael Casimpan Jr.; All Rights ReservedWed, 26 Aug 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/delete-letsencrypt-certificate/Wed, 26 Aug 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/delete-letsencrypt-certificate/ Given the following cert: 1root@php73:~# certbot certificates 2Saving debug log to /var/log/letsencrypt/letsencrypt.log 34- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5Found the following certs: 6Certificate Name: php72.example.com 7Domains: php72.example.com php72.example.net 8Expiry Date: 2020-11-19 01:30:55+00:00 (VALID: 85 days) 9Certificate Path: /etc/letsencrypt/live/php72.https://quicktasks.ismael.casimpan.com/post/renew-from-nginx-to-apache/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/renew-from-nginx-to-apache/ It's quite expected that certificate won't renew as the automation has been broken. What you can do is install the apache version of certbot 1yum install python-certbot-apache and re-issue the certificate 1sudo certbot --apache -d www.example.orghttps://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/ Apache 1SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 2SSLProtocol All -SSLv2 -SSLv3 3SSLHonorCipherOrder On 4Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 5Header always set X-Frame-Options SAMEORIGIN 6Header always set X-Content-Type-Options nosniff 7# Requires Apache >= 2.4 8SSLCompression off 9SSLSessionTickets Off 10SSLUseStapling on 11SSLStaplingCache "shmcb:logs/stapling-cache(150000)" Nginx 1ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 2ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 3ssl_prefer_server_ciphers on; 4ssl_session_cache shared:SSL:10m; 5# 'always' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header 6add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; 7add_header X-Frame-Options SAMEORIGIN always; 8add_header X-Content-Type-Options nosniff always; 9ssl_session_tickets off; 10ssl_stapling on; # Requires nginx >= 1.https://quicktasks.ismael.casimpan.com/post/install-letsencrypt-ubuntu/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/install-letsencrypt-ubuntu/ 1sudo add-apt-repository ppa:certbot/certbot 2sudo apt-get update 3sudo apt-get install python-certbot-apache 4sudo certbot --apache -d one.example.com -d two.example.com If the above don't work, try this: 1sudo apt-get update 2sudo apt-get install software-properties-common 3sudo add-apt-repository universe 4sudo add-apt-repository ppa:certbot/certbot 5sudo apt-get update 6sudo apt-get install certbot python-certbot-nginx Put the following in root crontab (sudo crontab -e) 130 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log Some details in https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04https://quicktasks.ismael.casimpan.com/post/manually-generate-letsencryp-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/manually-generate-letsencryp-cert/ In cases where you don't want to disrupt current production server, this is a good approach 1mkdir /opt/letsencrypt 2cd /opt/letsencrypt 3wget https://dl.eff.org/certbot-auto 4chmod a+x certbot-auto 5sudo ./certbot-auto --apache certonly Sample run as follows: 1[root@687elmp01 letsencrypt]# sudo ./certbot-auto --apache certonly 2Saving debug log to /var/log/letsencrypt/letsencrypt.log 3Plugins selected: Authenticator apache, Installer apache 4Enter email address (used for urgent renewal and security notices) (Enter 'c' to 5cancel): me@example.com 67------------------------------------------------------------------------------- 8Please read the Terms of Service at 9https://letsencrypt.https://quicktasks.ismael.casimpan.com/post/oneline-letsencrypt-cert-creation/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/oneline-letsencrypt-cert-creation/ 1certbot --apache -d sub1.example.com -d sub2.example.com --agree-tos -m you@example.com --redirect If you're on nginx, use --nginxhttps://quicktasks.ismael.casimpan.com/post/wildcard-letsencrypt/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/wildcard-letsencrypt/ 1yum install certbot.noarch -y 234certbot -d *.example.com \ 5--manual \ 6--preferred-challenges \ 7dns certonly \ 8--server https://acme-v02.api.letsencrypt.org/directory 910... 11... 12create the TXT DNS record NOTE: In creating the cert, make sure to wait for 5minutes or better check in another terminal session if the txt record is now visible. Otherwise, cert creation will fail. Some details in https://wicowen.github.io/2018-0315-1400-Enable-Lets-encrypt-wildcard-certificate-in-CentOS-7/ In Ubuntu/Debian check https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 130 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.