Differences

developer:letsencrypt [2016/02/26 04:16]
Giacomo Sanchietti [Obtaining a valid certificate]
developer:letsencrypt [2016/04/19 17:46] (current)
Filippo Carletti [Obtaining a valid certificate]
Line 3: Line 3:
 **This documents is ONLY for NethServer 6** **This documents is ONLY for NethServer 6**
  
-From https://​letsencrypt.readthedocs.org1:+From https://​letsencrypt.readthedocs.org:
  
 >The Let’s Encrypt Client is a fully-featured,​ extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate >the tasks of obtaining certificates and configuring webservers to use them. >The Let’s Encrypt Client is a fully-featured,​ extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate >the tasks of obtaining certificates and configuring webservers to use them.
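Review bot: the bold warning kept as context in this hunk still reads "This documents is ONLY for NethServer 6" on both sides; since the hunk already touches this region, change it to "This document is ONLY for NethServer 6". The blockquote on the last context line also carries a stray ">" in the middle of the sentence ("can automate >the tasks of obtaining certificates"), which renders as a literal character rather than a quote marker; drop it so the quote reads as one sentence. Removing the footnote residue "1" from the readthedocs URL is correct.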
Line 18: Line 18:
 1. The server must be reachable from outside at port 80. 1. The server must be reachable from outside at port 80.
  
-   Make sure your port 80 is open to the public Internet, you can check with sites like http://​www.canyouseeme.org/​4)+   Make sure your port 80 is open to the public Internet, you can check with sites like http://​www.canyouseeme.org/​)
  
 2. The fully qualified name (FQDN) of the server must be a public domain name associated to its own public IP. 2. The fully qualified name (FQDN) of the server must be a public domain name associated to its own public IP.
  
-   Make sure you have a public DNS name pointing to your server, you can check with sites like http://​viewdns.info/​5)+   Make sure you have a public DNS name pointing to your server, you can check with sites like http://​viewdns.info/​)
  
 ====== How it works ====== ====== How it works ======
  
 +Actual implementation will release a single certificate for server FQDN (Fully Qualified Domain Name).
  
-When Let's Encrypt ​is enabled, ​the system ​will create and automatically renew:+When you want to access your server, you MUST always use the FQDN, but sometimes the server has multiple aliases. 
 +Let's Encrypt ​can add extra valid names to the FQDN certificate,​ so you will be able to access the server with other names.
  
-one certificate for server FQDN + 
-all enabled ​server ​alias will be added as SAN (https://en.wikipedia.org/wiki/SubjectAltName) ​to the FQDN certificate+**Example** 
 + 
 +The server FQDN is: ''​server.nethserver.org''​ with public IP ''​1.2.3.4''​. 
 +But you want to access the server ​also using this names (aliases):''​ mail.nethserver.org''​ and ''​www.nethserver.org''​. 
 + 
 +To make it work, the server must: 
 + 
 +* have the port 80 open to the public internet: if you access http://1.2.3.4 from a remote site you must see NethServer landing page 
 +* have a DNS public record for ''​server.nethserver.org'',​ ''​mail.nethserver.org''​ and ''​www.nethserver.org''​. All DNS records must point to the same server (it may have multiple public IP addresses, though)
  
 ====== Installation ====== ====== Installation ======
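Review bot: the rewritten "How it works" section drops the statement that the certificate is renewed automatically (the removed line said "the system will create and automatically renew"); keep a sentence about automatic renewal here, otherwise a reader only learns of it through the LetsEncryptRenewDays option later on. On the two check lines, removing the footnote markers "4)" and "5)" leaves a dangling ")" after each URL ("http://www.canyouseeme.org/)" and "http://viewdns.info/)"); delete it or restore the opening parenthesis. In the new text, "Actual implementation will release a single certificate" reads better as "The current implementation issues a single certificate", and "also using this names (aliases)" should be "also using these names (aliases)".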
Line 58: Line 68:
 This feature is called SubjectAltName (SAN): https://​en.wikipedia.org/​wiki/​SubjectAltName This feature is called SubjectAltName (SAN): https://​en.wikipedia.org/​wiki/​SubjectAltName
  
-Create a server alias inside the DNS page, then enable Let's Encrypt on the newly created record:+Create a server alias inside the DNS page, then enable Let's Encrypt on the newly created record
 Example for ''​alias.mydomain.com''​ alias: Example for ''​alias.mydomain.com''​ alias:
  
 <​file>​ <​file>​
 db hosts setprop alias.mydomain.com LetsEncrypt enabled db hosts setprop alias.mydomain.com LetsEncrypt enabled
 +</​file>​
 +
 +
 +===== Options =====
 +
 +You can customize the following options by using config command:
 +
 +* ''​LetsEncryptMail'':​ if set, Let's Encrypt will send notification about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!)
 +* ''​LetsEncryptRenewDays'':​ minimum days before expiration to automatically renew certificate (default: 30)
 +
 +Example:
 +
 +<​file>​
 +config setprop pki LetsEncryptMail admin@mydomain.com
 </​file>​ </​file>​
 ===== Test certificate creation ===== ===== Test certificate creation =====
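Review bot: moving the Options section ahead of "Test certificate creation" is the right call, because the LetsEncryptMail bullet says the address must be set before the letsencrypt-certs script runs for the first time; readers who follow the page top to bottom now meet that constraint before the first run. The example block only shows LetsEncryptMail; add a second line for the other documented option, e.g. "config setprop pki LetsEncryptRenewDays 45" (a value chosen here only for illustration, to show a renewal window other than the 30-day default), so both options have a concrete invocation. Also, the rewritten sentence "Create a server alias inside the DNS page, then enable Let's Encrypt on the newly created record" lost its trailing colon although the next line ("Example for ''alias.mydomain.com'' alias:") continues it; either restore the colon or end it with a full stop.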
Line 96: Line 121:
 ===== Obtaining a valid certificate ===== ===== Obtaining a valid certificate =====
  
-If your configuration has been validated by the testing ​ step, you're ready to request a new valid certificate.+If your configuration has been validated by the testing step, you're ready to request a new valid certificate.
 Execute the following script against the real Let's Encrypt server: Execute the following script against the real Let's Encrypt server:
  
Line 103: Line 128:
 </​file>​ </​file>​
  
-**Done!** ​Access your http server and check you'r certificate is valid.+**Done!** ​
  
 +//Access your http server and check your certificate is valid.//
  
-===== Options ===== 
  
-You can customize the following options by using config command: +{{tag>​userguide ​letsencrypt ​developer ht_testing dev_tips}}
-* LetsEncryptMail:​ if set, Let's Encrypt will send notification about your certificate to this mail address (this must be set before executing the letsencrypt-certs script for the first time!) +
-* LetsEncryptRenewDays:​ minimum days before expiration to automatically renew certificate (default: 30) +
- +
-Example: +
- +
-config setprop pki LetsEncryptMail admin@mydomain.com+
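Review bot: the new italic line "Access your http server and check your certificate is valid." is still vague about what to check; since the certificate is requested from the real Let's Encrypt server and aliases are added as SubjectAltName entries, say what a successful result looks like: the browser should report the certificate as valid and issued by Let's Encrypt, with the FQDN and every alias enabled with LetsEncrypt listed among its names. The "**Done!**" line carries trailing whitespace after the closing bold marker; trim it. Removing the Options section here is consistent with its move earlier in this change, and the added tag line gives the page both userguide and developer tags, so confirm that is intended for a page marked as NethServer 6 only.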