Friday, March 10, 2017

Using Let's Encrypt for free SSL/TLS Certificates

machine:scripts $ sudo certbot certonly -d subdomain.domain.org --manual 
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for subdomain.domain.org

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://subdomain.domain.org/.well-known/acme-challenge/somelargetext before continuing:

somelargetext.blahblahblah

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" somelargetext.blahblahblah > .well-known/acme-challenge/somelargetext
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/subdomain.domain.org/fullchain.pem. Your cert
   will expire on 2017-06-08. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


machine:scripts $ sudo ls -ltr /etc/letsencrypt/live/subdomain.domain.org
total 40
lrwxr-xr-x  1 root  wheel   47 Mar 10 12:19 privkey.pem -> ../../archive/subdomain.domain.org/privkey1.pem
lrwxr-xr-x  1 root  wheel   49 Mar 10 12:19 fullchain.pem -> ../../archive/subdomain.domain.org/fullchain1.pem
lrwxr-xr-x  1 root  wheel   45 Mar 10 12:19 chain.pem -> ../../archive/subdomain.domain.org/chain1.pem
lrwxr-xr-x  1 root  wheel   44 Mar 10 12:19 cert.pem -> ../../archive/subdomain.domain.org/cert1.pem
-rw-r--r--  1 root  wheel  543 Mar 10 12:19 README
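
A Python 3 variant of the temporary challenge server suggested in the certbot output above, as an added example that is not part of the original post or of certbot. The python2 one-liner serves everything under the current directory; this one answers only GET requests for token-shaped names under /.well-known/acme-challenge/. The names make_server, ChallengeHandler, PREFIX and TOKEN_RE are assumptions of this example.

```python
import http.server
import os
import re
import sys

# ACME http-01 tokens use only the base64url alphabet (RFC 8555, section 8.3).
PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def make_server(webroot, host="", port=80):
    """Build a server that serves only challenge files found under webroot."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")

    class ChallengeHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            path = self.path.split("?", 1)[0]
            token = path[len(PREFIX):] if path.startswith(PREFIX) else ""
            # Reject anything that is not a bare token: no slashes, dots or
            # percent-escapes, so path traversal cannot be expressed at all.
            if not TOKEN_RE.fullmatch(token):
                self.send_error(404)
                return
            try:
                with open(os.path.join(challenge_dir, token), "rb") as fh:
                    body = fh.read()
            except OSError:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):
            # Keep a record of who fetched what while the port is open.
            sys.stderr.write("%s %s\n" % (self.address_string(), fmt % args))

    return http.server.HTTPServer((host, port), ChallengeHandler)


if __name__ == "__main__":
    # Webroot as created by the mkdir command in the certbot output above.
    server = make_server("/tmp/certbot/public_html")
    try:
        server.serve_forever()  # stop with Ctrl-C once certbot has verified
    except KeyboardInterrupt:
        server.server_close()
```

Run it as root on the target server in place of the python2 one-liner, and stop it once certbot has finished verification so port 80 does not stay open.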