I'm in the process of configuring ha-proxy so that it can handle https and http, with a tomcat server as the backend. My current need is:
how do I get the certificates for the first time from LetsEncrypt? Is my understanding correct that I need a certificate and a private key for
mydomain.org mail.mydomain.org imap.mydomain.org smtp.mydomain.org www.mydomain.org ?
Is certbot the tool enabling me to get these certificates? What would be the command when I only need the certificates? Putting them into the right directories etc. I would do manually later,
as well as establishing the cron job for updating. For use with haproxy I need to put the files (cert and .key) first into one single PEM file. I'm using a recipe I found at
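The combining step mentioned above (certificate chain followed by the private key in one file for HAProxy), as an added shell example that is not from this thread; the output directory /etc/haproxy/certs, the service name haproxy and the RENEWED_LINEAGE variable (which certbot exports to deploy hooks) are assumptions. It can be run by hand or dropped into /etc/letsencrypt/renewal-hooks/deploy/ so each renewal rebuilds the file.

```shell
#!/bin/sh
# Build the single PEM file HAProxy expects (full chain, then private key)
# from a certbot "live" directory, e.g. /etc/letsencrypt/live/mail.mydomain.org.
set -eu

# combine_for_haproxy LIVE_DIR OUT_FILE
#   LIVE_DIR : directory holding fullchain.pem and privkey.pem
#   OUT_FILE : combined PEM that HAProxy's "crt" option will read
combine_for_haproxy() {
    live_dir=$1
    out_file=$2
    # Refuse to continue rather than write a half file if an input is missing.
    [ -s "$live_dir/fullchain.pem" ] || { echo "missing fullchain.pem in $live_dir" >&2; return 1; }
    [ -s "$live_dir/privkey.pem" ]   || { echo "missing privkey.pem in $live_dir" >&2; return 1; }
    # The result contains the private key: create it owner-only (0600) from the
    # start via umask instead of chmod-ing it afterwards.
    tmp="$out_file.tmp.$$"
    ( umask 077 && cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" )
    # Sanity check: exactly one private key block must be present.
    if [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$tmp")" -ne 1 ]; then
        rm -f "$tmp"; echo "unexpected private key count in $tmp" >&2; return 1
    fi
    # Atomic rename so HAProxy never reads a partially written file.
    mv "$tmp" "$out_file"
}

# When certbot runs this as a deploy hook it sets RENEWED_LINEAGE to the live
# directory of the renewed cert (assumed here, as is the haproxy service name).
if [ "${RENEWED_LINEAGE:-}" ]; then
    combine_for_haproxy "$RENEWED_LINEAGE" "/etc/haproxy/certs/$(basename "$RENEWED_LINEAGE").pem"
    command -v systemctl >/dev/null 2>&1 && systemctl reload haproxy
fi
```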
I got a bit further. Seems that I solved getting the certificate using
certbot certonly --apache -d mail.mydomain.org
I was advised to use --apache instead of --standalone (the latter didn't seem to work)
root@mydomain:~# certbot certonly --standalone -d mail.mydomain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.mydomain.org
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
But using --apache instead worked. Don't know whether this had to do with the failing of:
root@mydomain:~# snap install --classic certbot
error: snap "certbot" is not available on stable but is available to install on
the following channels:
edge snap install --edge certbot
Please be mindful pre-release channels may include features not
completely tested or implemented. Get more information with 'snap info
certbot'.
root@mydomain:~#
I see.
Well then those instructions are as old as that version is - LOL
It's good to know that it can work but I would try removing it and updating to a snap version following instructions found at: https://certbot.eff.org/
If for whatever reason the snap version can't install - open another topic specific to that and reinstall the current version.
None of the certs will be harmed by these steps.
Additionally, if you do need a cert for those other names, start by configuring HTTP vhosts for them (or using one "catchall" vhost) and then issuing them certs.
OR one single cert with all the names on it (simpler):
Ah, thanks. I already requested certs for smtp, mail, www using distinct commands.
What should I do with these certs now? Can I toss these valuable certs unconcernedly?
You can use them "individually" or get a replacement with all the names on it.
Either way is fine.
I just find it "simpler" to combine like names onto a single cert.
Thanks. I'll stay now with the individual files. The automatic update (cron) after a couple of months isn't established yet, is it?
Just a note: postfix smtp/tls now works again (first time using letsencrypt); before that I had to purchase certificates every couple of years. Thanks a lot for providing Let's Encrypt.
(as root) doesn't give any results that refer to certbot (only my own scripts I created for other purposes). OTOH, on a different system where I established Let'sEncrypt a couple of months ago and where the automatic update works, I don't see any crontab entries either.
# systemctl list-timers | grep certbot
Mon 2021-11-15 20:38:47 CET 3h 57min left Mon 2021-11-15 05:44:23 CET 10h ago certbot.timer certbot.service
#
certbot.timer:
[Unit]
Description=Run certbot twice daily
[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true
[Install]
WantedBy=timers.target
certbot.service:
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
Hope I hit the right ones. But twice a day? Isn't that a whole lot too much?
Or is the update interval buried elsewhere?
crontab -l
should show the action ("certbot renew") and the frequency (twice a day).
You can review the certs (as certbot does) with: certbot certificates
Once the expiry is below the threshold (default 30 days left), certbot will attempt to renew that cert based on the settings stored in the corresponding /etc/letsencrypt/renewal/CERT-NAME.conf file.
Sorry, my question was put imprecisely since crontab isn't involved. It's timers that do the task. crontab -l doesn't yield anything, as I already stated somewhere above.