58 lines
1.6 KiB
Markdown
58 lines
1.6 KiB
Markdown
# Let’s Encrypt certificates without exposing port 80 and 443, trough DNS record
|
||
|
||
|
||
## Instructions on SSH end
|
||
|
||
Replace yourdomain.org with your actual domain.
|
||
|
||
- sudo -s
|
||
- apt install -y certbot
|
||
- certbot --manual --preferred-challenges dns certonly --elliptic-curve secp384r1 -d yourdomain.org
|
||
|
||
|
||
|
||
Follow the console instruction and give GoDaddy or whatever you use your TXT record with the provided data.
|
||
|
||
|
||
Hit enter.
|
||
|
||
|
||
## Certificates are stored here
|
||
- Certificate is saved at: /etc/letsencrypt/live/yourdomain.org/fullchain.pem
|
||
- Key is saved at: /etc/letsencrypt/live/yourdomain.org/privkey.pem
|
||
|
||
|
||
## Cert paths
|
||
- CERT: /etc/letsencrypt/live/yourdomain.org//cert.pem
|
||
- CHAIN: /etc/letsencrypt/live/yourdomain.org//chain.pem
|
||
- FULLCHAIN: /etc/letsencrypt/live/yourdomain.org//fullchain.pem
|
||
- PRIVKey: /etc/letsencrypt/live/yourdomain.org//privkey.pem
|
||
|
||
|
||
## Add cron job for renewable process and restart Nginx
|
||
- crontab -e
|
||
- #@weekly /usr/bin/certbot renew > /dev/null 2>&1
|
||
- @weekly /usr/bin/certbot renew --renew-hook 'systemctl restart nginx.service' > /dev/null 2>&1
|
||
|
||
|
||
## Adjust Renewable procedure - only one single time needed
|
||
- nano /etc/letsencrypt/renewal/yourdomain.org.conf
|
||
- authenticator = standalone
|
||
|
||
|
||
## Start timers and verify the status to ensure its running
|
||
- systemctl enable certbot.timer
|
||
- systemctl restart certbot.timer
|
||
- systemctl status certbot.timer
|
||
|
||
|
||
## Logs
|
||
- /var/log/letsencrypt/letsencrypt.log
|
||
|
||
|
||
## Delete old certificates if not needed anymore
|
||
- certbot delete
|
||
|
||
|
||
## Close ufw ports
|
||
You can remove Port 80, 443 is usually needed anyway for e.g. Nextcloud or whatever you use. |