let's encrypt certbot snippets

install

sudo apt update
sudo apt install snapd
sudo snap install --classic certbot
docker run -it -v certs:/etc/letsencrypt --entrypoint /bin/sh certbot/certbot:latest

new certificate

  • create a server and point your DNS to its public IP
  • log in to the server and execute
certbot certonly --standalone
  • accept the agreement & billing
  • enter your domain or subdomain
  • wait a few seconds; on success the log should look like:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): jane.doe.com
Requesting a certificate for jane.doe.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/jane.doe.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/jane.doe.com/privkey.pem
This certificate expires on 2024-01-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • your certs will be located in
/etc/letsencrypt/live/jane.doe.com
/etc/letsencrypt/live/jane.doe.com/cert.pem
/etc/letsencrypt/live/jane.doe.com/privkey.pem
/etc/letsencrypt/live/jane.doe.com/chain.pem
/etc/letsencrypt/live/jane.doe.com/README
/etc/letsencrypt/live/jane.doe.com/fullchain.pem

By default all the servers have port 80 ready to use, so if you want to download the certificates:

  • compress the entire /etc/letsencrypt/
  • move the resulting file into some folder like /tmp/foo
  • go to /tmp/foo and execute
python -m http.server 80
  • open the public IP or domain in your favourite browser and download it

validate

certbot certificates

renew

certbot certonly -d abc.com --manual
  • enter your email
  • accept: Please read the Terms of Service
  • accept or decline: Would you be willing
Create a file containing just this data:

b880c9e3-21eb-4c49-930e-e5908b66cb46

And make it available on your web server at this URL:

http://jane.doe.com/.well-known/acme-challenge/7f491e38-6b7c-40bd-8ad4-bc091833058e

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Then go to the web root of the server that already serves your domain or subdomain:

mkdir -p .well-known/acme-challenge
echo "b880c9e3-21eb-4c49-930e-e5908b66cb46" > .well-known/acme-challenge/7f491e38-6b7c-40bd-8ad4-bc091833058e

Or start a lightweight server with Python:

python3 -m http.server 80

Finally press Enter and wait a few seconds. The response should look like this:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/jane.doe.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/jane.doe.com/privkey.pem
This certificate expires on 2030-05-21.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

Miscellaneous

sudo su
mkdir web
cd web
echo "hello world" > index.html
mkdir -p .well-known/acme-challenge
echo "b5c9811c-a190-4104-aa47-ff42eed53299" > .well-known/acme-challenge/723a0a6a-8595-48b9-b74f-67b0af17adf2
python3 -m http.server 80
  • create a virtual machine in some cloud (aws, gcp, etc.) and enable HTTP traffic (port 80)
  • buy a domain at namecheap or godaddy. Sample: jane.com
  • get the public IP and register it with your DNS provider (namecheap, godaddy, etc.)
    • for namecheap: A + Dynamic DNS Record
  • switch to root and execute
apt update
apt install snapd
snap install --classic certbot

certbot certonly --standalone --non-interactive \
--preferred-challenges=http \
--email jane@gmail.com \
--agree-tos \
-d "sandbox.jane.com"

Result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sandbox.jane.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sandbox.jane.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sandbox.jane.com/privkey.pem
This certificate expires on 2024-07-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • save these files or everything (the values shown are samples, not real ones)


create_certificate.sh

#!/bin/bash
set -e

# parse key=value arguments, accepting only the two names this script uses:
# exporting arbitrary names would let a caller override PATH or similar
for ARGUMENT in "$@"
do
   KEY="${ARGUMENT%%=*}"
   VALUE="${ARGUMENT#*=}"
   case "$KEY" in
      mail|domain) export "$KEY"="$VALUE" ;;
      *) echo "unknown argument: $KEY" >&2; exit 1 ;;
   esac
done

# both values are required; abort early with a usage hint instead of letting certbot fail
: "${mail:?usage: create_certificate.sh mail=<email> domain=<fqdn>}"
: "${domain:?usage: create_certificate.sh mail=<email> domain=<fqdn>}"

apt update
apt install -y snapd
snap install --classic certbot

# standalone mode binds port 80 itself, so nothing else may be listening there
certbot certonly --standalone --non-interactive \
--preferred-challenges=http \
--email "$mail" \
--agree-tos \
-d "$domain"

Usage

bash create_certificate.sh mail=architect.jar@gmail.com domain=train-socket-418d2dfcf80b.o4acorp.com
bash download_files.sh domain=blindspot.jane.com

download_files.sh

#!/bin/bash
set -e

# parse key=value arguments, accepting only the name this script uses
for ARGUMENT in "$@"
do
   KEY="${ARGUMENT%%=*}"
   VALUE="${ARGUMENT#*=}"
   case "$KEY" in
      domain) export "$KEY"="$VALUE" ;;
      *) echo "unknown argument: $KEY" >&2; exit 1 ;;
   esac
done
: "${domain:?usage: download_files.sh domain=<fqdn>}"

# the archive contains the private keys and is served over plain HTTP: the random
# path is its only protection, so download it once and stop the server right after
umask 077
folder=$(uuidgen)$(uuidgen)$(uuidgen)
id=$(uuidgen)$(uuidgen)$(uuidgen)
mkdir -p "/tmp/$folder/$id"
tar -czvf "/tmp/$folder/$id/files.tar.gz" /etc/letsencrypt
echo -e "\n\n\nDownload files from http://$domain/$id/files.tar.gz\n\n\n"
cd "/tmp/$folder"
python3 -m http.server 80

usage

bash download_files.sh domain=blindspot.jane.com

If there are no errors, execute download_files.sh, read the full URL from the log and download the entire letsencrypt folder:

Download files from http://blindspot.jane.com/de3e32c7-c7d7-49f9-8760-cecbbe77aa46/files.tar.gz

Exit the program

renew

On the new server, install certbot:

apt update
apt install snapd
snap install --classic certbot

Upload files.tar.gz and unpack it. The archive's members start with etc/letsencrypt/, so two path components must be stripped (with only one, the files end up under /etc/letsencrypt/letsencrypt/ and certbot does not see them); -p keeps the private-key permissions:

tar -xpf files.tar.gz --strip-components 2 -C /etc/letsencrypt

Check that the certificates are in the expected location:

certbot certificates

Also note the expiry dates.


Then renew them all:

certbot renew

or just one

certbot certonly --force-renew -d example.com

Then run certbot certificates again and validate that the expiry dates changed.

You can run download_files.sh again to download the renewed files.
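The renew procedure above restores the backup with tar and then relies on certbot certificates to reveal whether the files landed in the right place. As an added example (not part of the gist), the script below works out the --strip-components depth from the archive's own member paths, checks the live/ symlinks and private-key modes after extraction, and uses openssl to flag certificates inside certbot's 30-day renewal window; the function names restore_letsencrypt, verify_letsencrypt and cert_expires_within are hypothetical, and GNU tar, stat and openssl are assumed.

```shell
#!/bin/bash
# Added example, not from the gist: restore a backup made with
#   tar -czvf files.tar.gz /etc/letsencrypt
# into a target directory, verify the live/ + archive/ layout and key
# permissions, and flag certificates that are close to expiry.
# Function names are hypothetical; assumes GNU tar, stat and openssl.
set -e

# restore_letsencrypt <files.tar.gz> <target dir, normally /etc/letsencrypt>
# tar drops the leading "/", so members look like "etc/letsencrypt/live/...";
# strip exactly the components before "live/", otherwise everything lands in
# <target>/letsencrypt/ and "certbot certificates" finds nothing.
restore_letsencrypt() {
    local archive="$1" target="$2" member prefix depth
    member=$(tar -tzf "$archive" | grep -E '(^|/)live/' | head -n 1 || true)
    [ -n "$member" ] || { echo "no live/ directory inside $archive" >&2; return 1; }
    member="/$member"
    prefix="${member%%/live/*}"          # "/etc/letsencrypt" -> 2 components
    depth=$(( $(printf '%s' "$prefix" | tr -cd '/' | wc -c) ))
    mkdir -p "$target"
    tar -xzpf "$archive" --strip-components "$depth" -C "$target"   # -p keeps key modes
}

# verify_letsencrypt <target dir> <domain>: every file certbot points at must
# resolve through the live/ symlinks, and no private key may be group/world readable.
verify_letsencrypt() {
    local target="$1" domain="$2" f key mode
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -e "$target/live/$domain/$f" ] || { echo "missing live/$domain/$f" >&2; return 1; }
    done
    for key in "$target"/archive/*/privkey*.pem; do
        mode=$(stat -c %a "$key")
        [ "$mode" = "600" ] || { echo "$key is mode $mode, expected 600" >&2; return 1; }
    done
}

# cert_expires_within <cert.pem> <days>: succeeds when the certificate expires
# within <days>; certbot renew acts at 30 days, so that is the value to watch.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# stand-alone use: bash restore_letsencrypt.sh files.tar.gz /etc/letsencrypt jane.doe.com
if [ "$#" -eq 3 ]; then
    restore_letsencrypt "$1" "$2"
    verify_letsencrypt "$2" "$3"
    if cert_expires_within "$2/live/$3/cert.pem" 30; then echo "renew soon: $3"; fi
fi
```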
