====== Let's Encrypt ======

===== ACME client =====

==== Install ====

  git clone https://github.com/letsencrypt/letsencrypt

==== Update ====

  git pull origin

==== Obtain certificates (save only) ====

If necessary, stop the web server beforehand, because verification uses port 80, and start it again afterwards.

  cd letsencrypt
  ./letsencrypt-auto certonly --rsa-key-size 4096 -d ho2e.de -d www.ho2e.de

==== Obtain certificates and generate the Apache configuration automatically ====

  cd letsencrypt
  ./letsencrypt-auto --rsa-key-size 4096 -d fahrrad-wiki.org -d www.fahrrad-wiki.org

==== Obtain certificates in manual mode ====

  ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d www.ho2e.de -d ho2e.de

While doing so, create the following in the webroot (example; "Inhalt" stands for the content and "Datei" for the file name):

  mkdir -p .well-known/acme-challenge
  cd .well-known/acme-challenge/
  echo -n "Inhalt" > Datei

==== Use a configuration file ====

  ./letsencrypt-auto --config /etc/letsencrypt/cli.ini

cli.ini

  # This is an example of the kind of things you can do in a configuration file.
  # All flags used by the client can be configured here. Run Let's Encrypt with
  # "--help" to learn more about the available options.

  # Use a 4096 bit RSA key instead of 2048
  rsa-key-size = 4096

  # Uncomment and update to register with the specified e-mail address
  email = me@localhost

  # Uncomment and update to generate certificates for the specified
  # domains.
  domains = local.localdomain

  # Uncomment to use a text interface instead of ncurses
  # text = True

  # Uncomment to use the standalone authenticator on port 443
  authenticator = standalone
  standalone-supported-challenges = tls-sni-01

  # Uncomment to use the webroot authenticator. Replace webroot-path with the
  # path to the public_html / webroot folder being served by your web server.
  # authenticator = webroot
  # webroot-path = /usr/share/nginx/html

==== Renew automatically (no prompt) ====

  --renew-by-default

  ./letsencrypt-auto certonly --renew-by-default --config /etc/letsencrypt/cli.ini

===== Install certificates (manually) =====

==== nginx ====

> ssl_certificate /etc/letsencrypt/live/ho2e.de/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/ho2e.de/privkey.pem;

==== apache ====

> SSLEngine on
> SSLCertificateFile /etc/letsencrypt/live/ho2e.de/cert.pem
> SSLCertificateChainFile /etc/letsencrypt/live/ho2e.de/chain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/ho2e.de/privkey.pem

As of Apache 2.4.8:

> SSLEngine on
> SSLCertificateFile /etc/letsencrypt/live/ho2e.de/fullchain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/ho2e.de/privkey.pem

===== See also =====

  * [[SSL]]
  * [[OpenSSL]]

===== Web links =====

  * https://letsencrypt.org/
  * https://community.letsencrypt.org/
  * [[https://letsencrypt.readthedocs.org/en/latest/index.html|Let’s Encrypt client documentation!]]
  * [[https://ho2e.de/wallabag/index.php?view=view&id=180|Guide to Let's Encrypt: free TLS certificates for everyone]]
  * [[https://ho2e.de/wallabag/index.php?view=view&id=179|Obtaining Let’s Encrypt certificates in manual mode]]
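
The manual-mode step described above (creating the file under .well-known/acme-challenge) as a script. This is an added example, not part of the original page or of the Let's Encrypt client: it rejects file names outside the base64url alphabet and writes the content without a trailing newline. The function names write_challenge and remove_challenge and the sample token and content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: place the HTTP-01 challenge file
# for manual mode. All sample values below are constructed.

# write_challenge WEBROOT TOKEN CONTENT
# TOKEN is the file name and CONTENT the file body shown by the client.
write_challenge() {
    webroot=$1 token=$2 content=$3

    # Accept only the base64url alphabet as file name, so a value such as
    # "../../etc/x" can never point outside the challenge directory.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token" >&2; return 1 ;;
    esac
    # The body has the form "<token>.<account key thumbprint>".
    case $content in
        *[!A-Za-z0-9_.-]*) echo "invalid content" >&2; return 1 ;;
        "$token".?*) ;;
        *) echo "content does not match token" >&2; return 1 ;;
    esac
    [ -d "$webroot" ] || { echo "no such webroot: $webroot" >&2; return 1; }

    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf '%s' writes no trailing newline in any shell; "echo -n" is not
    # portable. umask 022 keeps the file readable for the web server.
    ( umask 022; printf '%s' "$content" > "$dir/$token" ) || return 1
    printf '%s\n' "$dir/$token"
}

# remove_challenge WEBROOT TOKEN: delete the file once validation is done.
remove_challenge() {
    case $2 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Demo with a throwaway webroot and constructed values.
demo_root=$(mktemp -d)
demo_file=$(write_challenge "$demo_root" "tok_EN-1" "tok_EN-1.thumbPRINT_x")
echo "wrote $demo_file"
remove_challenge "$demo_root" "tok_EN-1"
rm -rf "$demo_root"
```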