[TriLUG] test
Lance A. Brown via TriLUG
trilug at trilug.org
Tue Jun 7 10:15:29 EDT 2016
Alan Porter via TriLUG wrote on 6/6/2016 8:11 PM:
> On a side note, recently, I have been looking at "Let's Encrypt" and it
> looks very promising. It's a free service, spearheaded by Mozilla and
> Cisco (my current employer, incidentally). My personal domains are
> using LetsEncrypt certs. For simple web sites, it's super easy to set
> up. I hit a small snag on the IPv6-only domain
> https://ipv6.alanporter.com/, but other than that, it went well. I have
> not renewed yet... the certs last 90 days and can be renewed after 60.
> So I am anxious to see if that's as simple as they claim (cron job,
> anyone?). Let's Encrypt was featured on the cover of this month's Linux
> Journal (e-)magazine (although their article dove into using docker to
> insulate themselves from any side effects of the scripts, so I thought
> it was not as approachable as an article on "free, easy SSL certs"
> should have been).

I've been using Let's Encrypt certificates on my servers for a few
months now: my personal email server (postfix/dovecot), and a linode
with several websites. The only real problem was CentOS6. When I set
things up, LE didn't support python 2.6 so I had to get python 2.7
working properly. I believe LE runs on python 2.6 now.

I use this /etc/cron.d entry to renew my certs:

# Run renew-letsencrypt on the 1st of every odd month
30 0 1 */2 * root /usr/local/libexec/renew-letsencrypt

and /usr/local/libexec/renew-letsencrypt:

#!/bin/sh
# renew certificate
scl enable python27 -- bash /usr/local/letsencrypt/letsencrypt-auto \
    certonly --debug \
    --config /etc/letsencrypt/circle.dyn.bearcircle.net.ini
# restart services to pick up new cert
service postfix restart
service dovecot restart

I'm on CentOS6 so I scl python27 to run the letsencrypt-auto script.

and circle.dyn.bearcircle.net.ini:

# the default is 2048 (more is better)
rsa-key-size = 4096
# plugin
authenticator = webroot
# webroot
webroot-path = /var/www/html
# domains
domains = den2.bearcircle.net
# flags
# renew is good for automation
renew-by-default

I run apache on that server so it's easy to use the webroot LE
authenticator.

Hope this helps.

--[Lance]
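
Added example, not part of the message above: a variant of the renew script that restarts postfix and dovecot only when the certificate file actually changed, and exits non-zero when the certificate on disk would not survive until the next bi-monthly cron run. The certificate path, the 62-day threshold and the --run argument are assumptions.

```sh
#!/bin/sh
# Added example, not the script from the post. Assumed: the client's usual
# live/<domain>/ layout for the domain named in the .ini above.
CERT="${CERT:-/etc/letsencrypt/live/den2.bearcircle.net/fullchain.pem}"
# The cron entry fires every 2 months (at most 62 days apart), so a cert with
# fewer days than that left after a run expires before the next attempt.
MIN_DAYS="${MIN_DAYS:-62}"

# Checksum of a file, or "none" if it does not exist.
fingerprint() {
    if [ -f "$1" ]; then cksum < "$1"; else echo none; fi
}

# Succeeds when the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# decide_action BEFORE AFTER CERT DAYS -> prints alert, restart or skip
decide_action() {
    if ! valid_for_days "$3" "$4"; then
        echo alert      # renewal failed, or cert missing/unreadable
    elif [ "$1" != "$2" ]; then
        echo restart    # new cert on disk: services must reload it
    else
        echo skip       # nothing changed, leave running services alone
    fi
}

main() {
    before=$(fingerprint "$CERT")
    scl enable python27 -- bash /usr/local/letsencrypt/letsencrypt-auto \
        certonly --debug \
        --config /etc/letsencrypt/circle.dyn.bearcircle.net.ini
    after=$(fingerprint "$CERT")
    case $(decide_action "$before" "$after" "$CERT" "$MIN_DAYS") in
        restart) service postfix restart; service dovecot restart ;;
        alert)   echo "cert $CERT has < $MIN_DAYS days left" >&2; exit 1 ;;
    esac
}

# Only act when invoked as: renew-letsencrypt --run (assumed flag, for cron)
if [ "${1:-}" = "--run" ]; then main; fi
```

Anything the script writes to stderr in the alert case reaches whoever receives cron's mail for the job.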