diff --git a/back/installation.en.md b/back/installation.en.md index 3731a2b..a075c4e 100644 --- a/back/installation.en.md +++ b/back/installation.en.md @@ -153,14 +153,22 @@ certbot register --no-eff-email certbot register --no-eff-email --test-cert ``` -Copy and adapt `certbot.ini` in `/etc/letsencrypt/cli.ini` +Copy and adapt `certbot.ini` in `/etc/letsencrypt/servnest.ini` Install the Certbot deploy hook: ```shell -cp certbot-deploy-hook.sh /root/certbot-deploy-hook.sh +cp certbot-deploy-hook.sh /root/ chmod +x /root/certbot-deploy-hook.sh ``` +Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). +```shell +cp certbot-dns-challenge-hook.sh /root/ +cp certbot-dns-cleanup-hook.sh /root/ +chmod +x /root/certbot-dns-challenge-hook.sh /root/certbot-dns-cleanup-hook.sh +certbot certonly --manual -d "*.ht.servnest.example" --non-interactive --manual-auth-hook /root/certbot-dns-challenge-hook.sh --manual-cleanup-hook /root/certbot-dns-cleanup-hook.sh +``` + ### nginx nginx is used for 2 purposes: @@ -188,16 +196,10 @@ This configuration listens on `[::1]:42443`, `127.0.0.1:42443`, `[::1]:42080` an Once this configuration is put in place, replace self-signed certificates by Let's Encrypt certificates: ```shell -certbot certonly -d "ht.servnest.example" -certbot certonly -d "servnest.example" +certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "ht.servnest.example" +certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "servnest.example" ``` -Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). The following command asks to setup a DNS record, this can be done by editing `/srv/servnest/reg/servnest.example` then reload configuration using `knotc zone-reload servnest.example`. -```shell -certbot certonly --manual -d "*.ht.servnest.example" -``` -This method also requires manual operations for renewal. - The nginx configuration provided above uses the self-signed key pair at the locations set in the `openssl` command above. Replace those by the ones Certbot told you and reload nginx configuration. Allow nginx to access certificates: @@ -210,7 +212,7 @@ chown root:nginx /etc/letsencrypt/archive/ /etc/letsencrypt/live/ ### Apache HTTP Server -Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt these instructions as appropriate. +Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt the following instructions as appropriate. Apache configuration is inside the `apache/` directory. It runs Apache inside a chroot, though it is not required by the ServNest design. Some paths may need adaptation according to the distribution used (e.g. modules or logs).