One afternoon I was bored on a bank holiday and decided to go and figure out Let's Encrypt, my previous attempt at which left much to be desired (my blog).
The domain was using self-signed certs for email and I had no www, and being slightly drunk certainly made a game of it; after all, this has got to work somehow.
Certbot here is from Debian backports; I guess I might end up compiling everything if I went from source. Since I use Debian, let's try and keep it the Debian way.
I had to do some www config work, listening on 80 and 443 in Apache, and I also did some DNS redirect diversions a day earlier.
Nit pick – the man page for certbot really sucks in formatting; you have to be in FULL SCREEN mode or otherwise the formatting is shit. I smell a GNOME developer.
With my config I then experimented until I hit the right command to use with Apache, since I have a host that serves more than one website, which is where crappy website hosting will assume that you only have one.
certbot certonly --webroot -w /var/www/<host>/ -d <host>
This picked up the config rather than assuming I have only one IP address.
Anyhow, I eventually got a working certificate (not getting a useless www. is a plus point) after some Apache config work and restarts, but guessing where the certs were was the next issue – a Google search discovered that /etc/letsencrypt/live/<host>/*.pem was the ticket. I never trusted or knew about the automatic Apache config mode, of which I have no idea whether it is for the 2.2 or 2.4 release.
Reconfiguring Apache could be a big job for me if it fucks up, as we host more than one website here in the zoo on one computer. I really do not trust certbot to configure things, and I like to know how it works rather than have some stuff I did not set up.
For DANE (my blog) I had to hash the cert.pem – I only really want it for that, not Apache; why I can't use email to approve this shit like paid certs do is beyond me. If they want an Apache config I am willing to oblige, but this is me pushing the average user envelope.
Most people reading this probably cannot use TLS in email – say Gandi clients – or have DKIM-signed mail unless you buy a high-end Xen instance and configure it yourself. TLS encryption was a no in the cheapest Gandi* offering when I looked.
Let's Encrypt works in Postfix too once you set the cert, CA chain and private key; TLSA hashing was successful too, a benefit of doing the Apache SSL config.
These certs only last three months, and so expect a lot of crap in /var/log/letsencrypt from Python dumps; tracking down what generates them is easier said than done even with cron jobs turned off, although the renewal directory files appear to be adjusted by what I have no idea.
I have now got to write an index HTML page and a 404 explaining the reason for this bizarre oddity. It's a make-work scheme, although it will work with the default index.html we all know and love.
Then your renewal – you have to set up a cron entry; in three months' time I then have to hash cert.pem once again and change the DNS records.
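The "hash cert.pem" step and the three-monthly rehash above, as an added shell example (not from this post or from certbot): it builds the DANE TLSA record from /etc/letsencrypt/live/<host>/cert.pem two ways and checks it against DNS. Selector 0 hashes the whole certificate, which is what hashing cert.pem gives you and which changes at every renewal; selector 1 hashes only the public key, so the DNS record stays valid across renewals as long as certbot is told to keep the key pair (certbot's --reuse-key option). The function names, the placeholder hostname and the port are assumptions; the PEM used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from certbot: build and check the
# DANE TLSA record for a Let's Encrypt certificate. The cert path is the one
# the post found; function names, host and port below are assumptions.
# Feed it cert.pem, not fullchain.pem: the hash must cover one certificate.

# Selector 0 (full certificate): strip the PEM armour, decode to DER, SHA-256.
# This is the "hash cert.pem" step, and the value changes at every renewal.
tlsa_full_cert_hash() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | sed '/^-----/d' | tr -d '\r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Selector 1 (SubjectPublicKeyInfo only): needs openssl. The hash only changes
# when the key pair changes, so with `certbot renew --reuse-key` the DNS record
# survives the three-monthly renewal untouched.
tlsa_spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}

# Format one record: usage 3 (DANE-EE, the end-entity cert itself),
# matching type 1 (SHA-256). Arguments: host port proto selector hash
tlsa_record() {
    printf '_%s._%s.%s. IN TLSA 3 %s 1 %s\n' "$2" "$3" "$1" "$4" "$5"
}

# Check that DNS already serves the hash of the live cert, so a renewal that
# silently changed cert.pem is caught before peers start refusing TLS.
# Arguments: host port selector hash; returns 0 when a matching record exists.
tlsa_matches_dns() {
    dig +short TLSA "_$2._tcp.$1" | tr -d ' ' | grep -qi "^3${3}1${4}\$"
}

# Usage: sh tlsa.sh /etc/letsencrypt/live/<host>/cert.pem mail.example.test
# (mail.example.test is a placeholder host; 25 is SMTP.)
if [ $# -eq 2 ]; then
    tlsa_record "$2" 25 tcp 1 "$(tlsa_spki_hash "$1")"
    tlsa_record "$2" 25 tcp 0 "$(tlsa_full_cert_hash "$1")"
    if tlsa_matches_dns "$2" 25 1 "$(tlsa_spki_hash "$1")"; then
        echo "DNS TLSA record matches the live key"
    else
        echo "DNS TLSA record is missing or stale: update it" >&2
    fi
fi
```

Running the script from a renewal hook (certbot renew accepts --deploy-hook for exactly this) turns the "hash it again in three months" chore into a check that fails loudly when the published record no longer matches the certificate actually being served.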
The cron scheduling may or may not be available with basic or average hosting.
I suppose it is better than self-signed.
This, I suppose, is not how your average website would usually get a TLS cert, but the monkey house is not constrained like you lot with one IP address, a virgin domain name and a strange version of DNS, email and hosting.
Works here, though setting HSTS (my blog) to three months is deemed ‘bad’ by some.
*Gandi is a hosting firm, not an Indian.