summaryrefslogtreecommitdiffstats
path: root/system/letsencrypt/README.Slackware
blob: aba34175809af4ad007d4ee555c03ae47ef88e2c (plain) 
PLUGIN SUPPORT
letsencrypt support five plugins to obtain/install certificates and many more to come in the future.
However, we will only cover standalone plugin because apache plugin only works on Debian-based OS for now
and nginx is still considered very experimental.

OBTAINING CERTIFICATE USING STANDALONE PLUGIN
Since Slackware is not yet supported, instead of running "letsencrypt-auto certonly"
as instructed, you can run "letsencrypt certonly" to install certificates manually using standalone plugin.

Here's what i use to create a certificate using port 443 for domain validation
letsencrypt certonly --webroot-path=<DOCUMENT-ROOT> --standalone-supported-challenges tls-sni-01 -d <DOMAIN-NAME> \
--email <ADMIN-EMAIL> --renew-by-default --agree-tos --text --standalone

If you want to use port 80 for domain validation, replace
--standalone-supported-challenges tls-sni-01
with
--standalone-supported-challenges http-01

NOTE:
You need to make sure that the port (80 or 443) is NOT USED before running above command (ie. you may need to
temporarily stop your exising webserver)
All domain-spesific configuration files are stored in /etc/letsencrypt/live/<DOMAIN-NAME>

Once certificate is created, you need to enable and configure httpd-ssl.conf

RENEWAL PROCESS
Best way is to use a simple bash script that perform following actions:
- turn off httpd service
- give some delay (2s is enough)
- run the above command to renew automatically
- start httpd service

RATE LIMIT
Rate limit on registrations per IP is now 10 per 3 hours.
Rate limit on certificates per Domain is now 5 per 7 days.

CONFIGURATION FILES

It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini).
An example configuration file is shown below:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
# email = foo@example.com

# Uncomment and update to generate certificates for the specified
# domains.
# domains = example.com, www.example.com

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html

By default, the following locations are searched:
/etc/letsencrypt/cli.ini
$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).
generated by cgit v1.2.3 (git 2.32.0) at 2024-05-27 19:10:52 +0200