From f00a0ba181c826773cbd2f3a5052deab1fa704f0 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Wed, 26 Jul 2017 15:56:22 -0500 Subject: [PATCH] Issue #6: Add more documentation around automatically generating certs. --- README.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 482c55b..5c04cf7 100644 --- a/README.md +++ b/README.md 
@@ -50,13 +50,27 @@ None. roles: - geerlingguy.certbot -After installation, you can create certificates using the `certbot` (or `certbot-auto`) script, which by default is installed inside the configured `certbot_dir` (when using Git). Here are some example commands to configure certificates with Certbot: +### Creating certificates with certbot + +After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: # Automatically add certs for all Apache virtualhosts (use with caution!). - /opt/certbot/certbot-auto --apache + certbot --apache # Generate certs, but don't modify Apache configuration (safer). - /opt/certbot/certbot-auto --apache certonly + certbot --apache certonly + +If you want to fully automate the process of adding a new certificate, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: + + 1. Make sure any services listening on port 80 (Apache, Nginx, Varnish, etc.) are stopped. + 2. Register with something like `certbot register --agree-tos --email [your-email@example.com]` + - Note: You won't need to do this step in the future, when generating additional certs on the same server. + 3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` + 4. Re-start whatever was listening on port 80 before. + 5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. + 6. Restart your webserver so it uses the new HTTPS virtualhost configuration. 
+ +### Certbot certificate auto-renewal By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.
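Review bot: the new intro sentence under "### Creating certificates with certbot" has an unbalanced parenthesis: "(use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git." never closes, so the rendered README reads as if the rest of the paragraph is still inside the aside. Close it after "source/Git" (or end the aside with a period inside the parenthesis). Two smaller points on the numbered list: step 2's `[your-email@example.com]` will be copied literally by some readers, so either drop the brackets or say the brackets mark a placeholder; and step 5 tells the reader to point their TLS config at `fullchain.pem` and `privkey.pem` but never says which directory Certbot writes them to, so a sentence naming that location (or telling the reader to check Certbot's output, which prints the paths) would make the procedure self-contained. "Re-start" in step 4 should be "Restart", matching step 6.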