@@ -186,119 +186,6 @@ You should then see and follow the prompts:
-
-
-
-
-Certbot (Alternative Option)
-^^^^^^^^^^^^^^^^^^^^
-
-Certbot is optional and is more of a manual way of using Let's Encrypt SSL. Some still use this process but most use the recommended way with the Dehydrated script.
-
-More info on NGINX with Let's Encrypt
-https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx
-
-**Clone Let's Encrypt**
-
-::
-
-
- git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
-
-**Execute certbot-auto**
-
-::
-
- cd /opt/letsencrypt
- chmod a+x ./certbot-auto
- ./certbot-auto
- cd /etc/letsencrypt/
- mkdir -p configs
- cd configs
-
-**Copy code example from** `link`_ **in step #2 section and edit domains, key size, email then put into: /etc/letsencrypt/configs/domain.tld.conf** (Edit domain.tld to reflect your domain)
-
-::
-
- touch /etc/letsencrypt/configs/domain.tld.conf
- vim /etc/letsencrypt/configs/domain.tld.conf
-
-**Edit /etc/nginx/sites-available/fusionpbx**
-
-::
-
- vim /etc/nginx/sites-available/fusionpbx
- Add this after the ssl_ciphers line
-
- location /.well-known/acme-challenge {
- root /var/www/letsencrypt;
- }
-
- Reload and check Nginx
- nginx -t && nginx -s reload
- Should output:
- nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /etc/nginx/nginx.conf test is successful
-
-**Execute Let's Encrypt script** (Edit domain.tld to reflect your domain)
-You can make up to 100 subdomain requests with using -d sub.domain.tld -d sub1.domain.tld
-
-
-::
-
- cd /opt/letsencrypt
- ./letsencrypt-auto --config /etc/letsencrypt/configs/domain.tld.conf certonly
- Should output:
- - Congratulations! And a paragraph about the keys made and where the live.
-
-
-**Edit sites-available** (Edit domain.tld to reflect your domain)
-
-::
-
- Comment out and add
- vim /etc/nginx/sites-available/fusionpbx
- #ssl_certificate /etc/ssl/certs/nginx.crt;
- #ssl_certificate_key /etc/ssl/private/nginx.key;
- ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
-
-Systemctl restart nginx
-
-Now check the padlock and see if it's green!
-
-Auto Renew certificate
-------------------------
-
-.. note::
-
- This will work with certbot
-
-
-
-Renew with Crontab
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-Crontab can be used to renew let's encrypt.
-
-::
-
- Create crontab -e
-
- 2 3 * * * /usr/bin/certbot renew &>/var/log/fusionpbx_certbot.cronlog
-
-
-This executes daily at 3:02 AM (local time). Certbot will check your existing certificate. If it has less than 30 days' validity remaining, it will attempt to renew the certificate. It runs daily in case a renewal attempt fails, it will just try again the next day.
-
-
-**List crontabs**
-
-::
-
- crontab -l
-
-
-
Setup for multiple domains on Let's Encrypt
===========================================
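Review bot: the deletion takes the only renewal guidance out with the Certbot alternative. The "Auto Renew certificate" / "Renew with Crontab" subsection (the `2 3 * * * /usr/bin/certbot renew &>/var/log/fusionpbx_certbot.cronlog` entry and the explanation that it retries daily once fewer than 30 days of validity remain) is removed and nothing in the hunk replaces it, and the same goes for the `location /.well-known/acme-challenge { root /var/www/letsencrypt; }` nginx block needed for HTTP-01 challenges. Since the removed text itself says most users follow the Dehydrated path, please confirm the remaining Dehydrated section documents scheduled renewal (cron or timer), where its log goes, and the challenge location, or keep a short renewal subsection here; an expired certificate is the most common way a working Let's Encrypt setup breaks. Dropping the clone-and-run workflow itself is reasonable: the removed text was internally inconsistent about which script to run (`./certbot-auto` in "Execute certbot-auto" versus `./letsencrypt-auto` under "Execute Let's Encrypt script"), so it is not worth preserving as written.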