Differences

developer:letsencrypt [2016/02/26 04:17]
Giacomo Sanchietti [Obtaining a valid certificate]
developer:letsencrypt [2016/04/19 17:46]
Filippo Carletti [Obtaining a valid certificate]
Line 3: Line 3:
 **This documents is ONLY for NethServer 6** **This documents is ONLY for NethServer 6**
  
-From https://​letsencrypt.readthedocs.org1:+From https://​letsencrypt.readthedocs.org:
  
 >The Let’s Encrypt Client is a fully-featured,​ extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate >the tasks of obtaining certificates and configuring webservers to use them. >The Let’s Encrypt Client is a fully-featured,​ extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate >the tasks of obtaining certificates and configuring webservers to use them.
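Review bot: the unchanged context line **This documents is ONLY for NethServer 6** carries a number-agreement error in both revisions; since this hunk already fixes the stray footnote marker in the readthedocs URL, change it to "This document is ONLY for NethServer 6" in the same edit. The quoted passage on the next line also has a second `>` in the middle ("can automate >the tasks"), a wrapped blockquote marker that should be removed so the quote renders as one paragraph.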
Line 18: Line 18:
 1. The server must be reachable from outside at port 80. 1. The server must be reachable from outside at port 80.
  
-   Make sure your port 80 is open to the public Internet, you can check with sites like http://​www.canyouseeme.org/​4)+   Make sure your port 80 is open to the public Internet, you can check with sites like http://​www.canyouseeme.org/​)
  
 2. The fully qualified name (FQDN) of the server must be a public domain name associated to its own public IP. 2. The fully qualified name (FQDN) of the server must be a public domain name associated to its own public IP.
  
-   Make sure you have a public DNS name pointing to your server, you can check with sites like http://​viewdns.info/​5)+   Make sure you have a public DNS name pointing to your server, you can check with sites like http://​viewdns.info/​)
  
 ====== How it works ====== ====== How it works ======
  
 +Actual implementation will release a single certificate for server FQDN (Fully Qualified Domain Name).
  
-When Let's Encrypt ​is enabled, ​the system ​will create ​and automatically renew:+When you want to access your server, you MUST always use the FQDN, but sometimes the server has multiple aliases. 
 +Let's Encrypt ​can add extra valid names to the FQDN certificate,​ so you will be able to access the server with other names. 
 + 
 + 
 +**Example** 
 + 
 +The server FQDN is: ''​server.nethserver.org''​ with public IP ''​1.2.3.4''​. 
 +But you want to access the server also using this names (aliases):''​ mail.nethserver.org'' ​and ''​www.nethserver.org''​. 
 + 
 +To make it work, the server must: 
 + 
 +* have the port 80 open to the public internet: if you access http://​1.2.3.4 from a remote site you must see NethServer landing page 
 +* have a DNS public record for ''​server.nethserver.org'',​ ''​mail.nethserver.org''​ and ''​www.nethserver.org''​. All DNS records must point to the same server (it may have multiple public IP addresses, though)
  
-one certificate for server FQDN 
-all enabled server alias will be added as SAN (https://​en.wikipedia.org/​wiki/​SubjectAltName) to the FQDN certificate 
-The certificate will be automatically renewed. 
 ====== Installation ====== ====== Installation ======
  
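Review bot: the rewrite drops two statements the old text made and the rest of the page still relies on: that enabled aliases are added to the FQDN certificate as SubjectAltName entries (the https://en.wikipedia.org/wiki/SubjectAltName link is lost with them) and that the certificate is renewed automatically, which is exactly what the LetsEncryptRenewDays option later configures. Keep one sentence for each in the new "How it works" text, for example "Aliases are added to the FQDN certificate as Subject Alternative Names (SAN), and the certificate is renewed automatically." Wording fixes in the added lines: "Actual implementation will release" reads better as "The current implementation issues", and "using this names (aliases)" should be "using these names (aliases)". The check that http://1.2.3.4 opened from a remote site shows the NethServer landing page is a good concrete verification of the port-80 requirement; the DNS bullet would benefit from the same concreteness, i.e. telling the reader to confirm that all three names resolve to the server before running the script.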
Line 64: Line 74:
 <​file>​ <​file>​
 db hosts setprop alias.mydomain.com LetsEncrypt enabled db hosts setprop alias.mydomain.com LetsEncrypt enabled
 +</​file>​
 +
 +
 +===== Options =====
 +
 +You can customize the following options by using config command:
 +
 +* ''​LetsEncryptMail'':​ if set, Let's Encrypt will send notification about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!)
 +* ''​LetsEncryptRenewDays'':​ minimum days before expiration to automatically renew certificate (default: 30)
 +
 +Example:
 +
 +<​file>​
 +config setprop pki LetsEncryptMail admin@mydomain.com
 </​file>​ </​file>​
 ===== Test certificate creation ===== ===== Test certificate creation =====
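Review bot: moving the Options section ahead of "Test certificate creation" is the right fix, because the LetsEncryptMail bullet itself says the address must be set before letsencrypt-certs runs for the first time, and the old placement put it after "Obtaining a valid certificate". Two style points in the added lines: there are two blank lines between `</file>` and `===== Options =====` where the rest of the page uses one, and "by using config command" should read "by using the config command". Since both options are documented here, the example block could also show the second key next to the first, e.g. `config setprop pki LetsEncryptRenewDays 30`, so readers see the form of both settings.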
Line 97: Line 121:
 ===== Obtaining a valid certificate ===== ===== Obtaining a valid certificate =====
  
-If your configuration has been validated by the testing ​ step, you're ready to request a new valid certificate.+If your configuration has been validated by the testing step, you're ready to request a new valid certificate.
 Execute the following script against the real Let's Encrypt server: Execute the following script against the real Let's Encrypt server:
  
Line 106: Line 130:
 **Done!** ​ **Done!** ​
  
-''​Access your http server and check you'​r ​certificate is valid.''​+//Access your http server and check your certificate is valid.//
  
  
-===== Options ===== +{{tag>​userguide ​letsencrypt ​developer ht_testing dev_tips}}
- +
-You can customize the following options by using config command: +
- +
-* ''​LetsEncryptMail'':​ if set, Let's Encrypt will send notification about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!) +
-* ''​LetsEncryptRenewDays'':​ minimum days before expiration to automatically renew certificate (default: 30) +
- +
-Example: +
- +
-<​file>​ +
-config setprop pki LetsEncryptMail admin@mydomain.com +
-</​file>​+
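Review bot: the deletion of the Options block in this hunk is only the second half of a move (the same lines are re-added in the Line 64/74 hunk), so this hunk must be applied together with that one or the options disappear from the page. The switch from ''...'' to //...// for "Access your http server and check your certificate is valid." is correct, since the sentence is an instruction rather than a command to type, and the "you'r" typo is fixed with it. The **Done!** line keeps a trailing space on both sides; drop it.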