Certbot obtain / renew manual (letsencrypt - wildcard)

If you’d like to obtain a certificate running certbot on a machine other than your target webserver or perform the steps for domain validation yourself, you can use the manual plugin. While hidden from the UI, you can use the plugin to obtain a certificate by specifying certonly and --manual on the command line. This requires you to copy and paste commands into another terminal session, which may be on a different computer.

To manually renew a certificate using --manual without hooks, repeat the same certbot --manual command you used to create the certificate originally. As this will require you to copy and paste new HTTP files or DNS TXT records, the command cannot be automated with a cron job.

The manual plugin can use either the http or the dns challenge. You can use the --preferred-challenges option to choose the challenge of your preference.

I prefer to use dns, so it would look like:

One certificate:

certbot -d www.vindazo.ru --key-path ./cert.key --csr ./cert.csr --manual --preferred-challenges dns certonly

Wildcard certificates, we use `*` (quote the name so the shell does not expand `*` as a file glob; Let's Encrypt only issues wildcard certificates through the dns challenge):

certbot -d '*.jobsite.hr' --key-path ./cert.key --csr ./cert.csr --manual --preferred-challenges dns certonly

The `*` wildcard character is treated as a stand-in for exactly one hostname label. A wildcard such as *.example.com would match one.example.com and two.example.com. It would not match the bare example.com, nor would it match one.two.example.com, because the `*` expands to a single label, not to multiple levels of names.

Additionally, a wildcard can only contain one wildcard character, so *.*.example.com is not allowed.
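The two rules above (one `*`, standing in for exactly one label) are easy to get wrong when deciding which names a wildcard certificate will cover, so here is an added example, not from the original post, that applies them to candidate hostnames in plain POSIX shell. The pattern and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the wildcard rules
# to candidate hostnames. Pure shell, no network access.

# Returns 0 if PATTERN is a valid single-level wildcard such as "*.example.com",
# 1 otherwise (no "*", a "*" that is not the leftmost label, or a second "*").
wildcard_is_valid() {
    pattern=$1
    case "$pattern" in
        '*.'*) rest=${pattern#\*.} ;;   # strip the leading "*."
        *) return 1 ;;
    esac
    case "$rest" in
        *'*'*) return 1 ;;              # "*.*.example.com" is not allowed
    esac
    [ -n "$rest" ]
}

# Returns 0 if NAME is covered by wildcard PATTERN, 1 otherwise.
# The "*" stands in for exactly one label: neither the bare domain nor a
# name with an extra level matches.
wildcard_matches() {
    pattern=$1; name=$2
    wildcard_is_valid "$pattern" || return 1
    base=${pattern#\*.}
    # NAME must end with ".<base>" ...
    case "$name" in
        *".$base") first=${name%".$base"} ;;
        *) return 1 ;;
    esac
    # ... and what precedes it must be exactly one non-empty label (no dots).
    [ -n "$first" ] || return 1
    case "$first" in
        *.*) return 1 ;;
    esac
    return 0
}

# Demonstration with constructed names:
for n in one.example.com two.example.com example.com one.two.example.com; do
    if wildcard_matches '*.example.com' "$n"; then
        echo "covered:     $n"
    else
        echo "not covered: $n"
    fi
done
```

If a name is reported as not covered, it needs its own `-d` entry (for instance `-d example.com -d '*.example.com'` for the bare domain plus its subdomains), which also means a second TXT record on the same `_acme-challenge` name.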

The http challenge will ask you to place a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the top-level directory (“web root”) containing the files served by your webserver. In essence it’s the same as the webroot plugin, but not automated.

When using the dns challenge, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge.

For example, for the domain vindazo.ru, a zone file entry would look like:

_acme-challenge.vindazo.ru. 300 IN TXT "gfj9Xq...Rg85nM"

To check that the DNS record is visible before telling certbot to continue, we can use dig:

dig _acme-challenge.www.vindazo.ru txt +short
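A common failure in manual dns mode is pressing Enter before the TXT record has propagated, after which the validation fails and the token has to be replaced. The following added example (not from the original post) wraps the dig check above: it parses `dig +short` output, tolerates several TXT records on the same name (as with a wildcard plus bare-domain request), and polls until the expected token appears. The resolver address, record name and token are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the _acme-challenge
# TXT record certbot asked for is visible before continuing.

# Reads "dig +short" TXT output on stdin and returns 0 if one of the records,
# with its surrounding quotes removed, equals EXPECTED exactly.
# ACME tokens fit in a single quoted string, so no multi-string joining is needed.
txt_has_value() {
    expected=$1
    found=1
    while IFS= read -r line; do
        value=${line#\"}      # strip leading quote
        value=${value%\"}     # strip trailing quote
        [ "$value" = "$expected" ] && found=0
    done
    return $found
}

# Query the record through a public resolver (assumed: 1.1.1.1) rather than the
# local one, so a stale cached answer does not hide a missing record.
check_acme_txt() {
    name=$1; expected=$2; resolver=${3:-@1.1.1.1}
    dig "$resolver" "_acme-challenge.$name" txt +short | txt_has_value "$expected"
}

# Poll until the record is visible or ATTEMPTS (default 12, about 2 minutes) run out.
wait_for_acme_txt() {
    name=$1; expected=$2; attempts=${3:-12}
    while [ "$attempts" -gt 0 ]; do
        check_acme_txt "$name" "$expected" && return 0
        attempts=$((attempts - 1))
        sleep 10
    done
    return 1
}

# Offline demonstration with constructed dig output (no network needed):
SAMPLE_OUTPUT='"old-token-from-last-renewal"
"CONSTRUCTED-TOKEN-abc123"'
if printf '%s\n' "$SAMPLE_OUTPUT" | txt_has_value 'CONSTRUCTED-TOKEN-abc123'; then
    echo "TXT record present"
else
    echo "TXT record missing"
fi
```

Typical use while certbot is waiting for you: `wait_for_acme_txt www.vindazo.ru '<token certbot printed>' && echo ready`, then press Enter in the certbot session. Leftover records from earlier runs are harmless to this check but should be cleaned up after issuance.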

Certbot produced three files: 0000_cert.pem, 0000_chain.pem and 0001_chain.pem.

Let's explain those files:
  • The "0000_cert.pem" file is the actual certificate (the one containing your public key).
  • The "0000_chain.pem" file is the CA certificate, also called "Intermediate Certificate / CA bundle".
  • The "0001_chain.pem" file is a concatenation of the two files above (the full chain).
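Before copying these files into a webserver configuration it is worth confirming they are what the list above says they are: that 0001_chain.pem really is the leaf followed by the intermediate, and that the leaf validates through that intermediate. The following added example (not from the original post) does both; the file names are certbot's, the `verify_leaf` step assumes `openssl` is installed and uses the system root store.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the files certbot
# wrote when run with --csr.

# Count the PEM certificate blocks in a file (prints 0 if none).
pem_block_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Returns 0 if FULLCHAIN is byte-for-byte CERT followed by CHAIN.
# Order matters: the leaf certificate must come first.
fullchain_is_concat() {
    cert=$1; chain=$2; fullchain=$3
    cat "$cert" "$chain" | cmp -s - "$fullchain"
}

# Validate the leaf through the intermediate up to a root in the system store.
# "-untrusted" is used so the intermediate is only a link, not a trust anchor.
verify_leaf() {
    cert=$1; chain=$2
    openssl verify -untrusted "$chain" "$cert"
}

# Usage from the directory where certbot wrote its output:
if [ -f 0001_chain.pem ]; then
    if fullchain_is_concat 0000_cert.pem 0000_chain.pem 0001_chain.pem; then
        echo "0001_chain.pem = 0000_cert.pem + 0000_chain.pem ($(pem_block_count 0001_chain.pem) PEM blocks)"
    else
        echo "0001_chain.pem is NOT cert + chain in that order" >&2
    fi
    verify_leaf 0000_cert.pem 0000_chain.pem
fi
```

For nginx, 0001_chain.pem is the file to use as `ssl_certificate`, since the server must send the intermediate along with the leaf; serving 0000_cert.pem alone is the usual cause of "unable to get local issuer certificate" errors in clients.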

Source:
    https://eff-certbot.readthedocs.io/en/stable/using.html#manual
    https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
