Let's Encrypt
Prerequisites
- Domain mapped to the public IP, and the public IP forwarded (NAT) to the server's local IP
- DNS records updated and the hostname resolving correctly
- Check the firewall is not blocking supporters.eff.org (https://eff.org) and letsencrypt.org (https://letsencrypt.org)
- Check the firewall allows ports 80 (http) and 443 (https) through to the server
- Main ref
Installation
Windows
Test Installation
C:\WINDOWS\system32> certbot --help
C:\WINDOWS\system32> certbot --version
Linux
//centos
sudo yum install certbot
//ubuntu
sudo apt update
sudo apt install certbot
//test installation
certbot --version
CLI
Command & options
- Syntax 1 (interactive: certbot asks the questions)
certbot certonly --PLUGIN_NAME
//PLUGIN_NAME like webroot/standalone/manual
- Syntax 2 (pass options to skip those questions)
certbot certonly --webroot --agree-tos --email your-email-address -d your-domain.com -w /your/web/server/root/path/
certonly = obtain the certificate only, don’t install it
//plugin to be used
--standalone = certbot runs its own temporary web server on the same machine where the certificate will be installed, so the existing web server must be stopped first to free the port
--webroot = same as standalone, but the running web server is left untouched; certbot only drops the challenge files into its document root
--manual = for certificates being generated for another server (the challenge is completed by hand)
-w = web root path when the webroot plugin is used (can be specified multiple times)
--agree-tos = agree to Let's Encrypt's terms of service
--email = address that receives expiry notices from Let's Encrypt and can also be used to recover a lost key
-d = domain name (can be specified multiple times)
Standalone setup
- ref
- Stop the running web server first
certbot certonly --standalone --preferred-challenges http -d example.com
//example 2
certbot certonly --standalone --preferred-challenges http --agree-tos --email some@example.com -d domain.in -d www.domain.in
--preferred-challenges http = certbot starts its own HTTP server on port 80 serving a few challenge files; Let's Encrypt then fetches those files through the domain's URL to confirm that the domain really points at this server (in short, domain validation). Stop the existing web server first to free port 80.
- preferred-challenges = http (port 80) / tls-sni (port 443; note that tls-sni has since been retired by Let's Encrypt, so use http)
- After running the command you should see a message saying the process was successful and where your certificates are stored
//on windows
C:\Certbot\live\domain.in\fullchain.pem
C:\Certbot\live\domain.in\privkey.pem
//on linux
/etc/letsencrypt/live/domain.in/fullchain.pem
/etc/letsencrypt/live/domain.in/privkey.pem
Webroot setup
- Better to use --webroot instead of --standalone so the web server does not need to be stopped (ref); make sure files under /.well-known/acme-challenge/ are served by the web server
certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com
//example 2
certbot certonly --webroot --agree-tos --email some@example.com -d domain.in -d www.domain.in -w /your/web/server/root/path/
- For domain validation, http://domain/.well-known/acme-challenge/SOMEFILE will be fetched by Let's Encrypt
Manual Setup
- Used when certificates are being generated for another server
- Manual ref
Auto Renewal
The Certbot installation on your system comes with a pre-installed scheduled task that renews your certificates automatically before they expire. You do not need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates with the dry-run command below.
On Linux the task lives in /etc/crontab or under /etc/cron./, or runs as a systemd timer; list the timers with 'systemctl list-timers'
Test Auto Renewal after installation
certbot renew --dry-run
//if standalone setup: stop and start the web server around the renewal with hooks (Windows service names shown)
certbot renew --dry-run --pre-hook "net stop WebServerOrServiceName" --post-hook "net start WebServerOrServiceName"
- The actual MS Scheduler task command must be changed for a standalone installation
//from "certbot renew" to following
certbot renew --pre-hook "net stop WebServerOrServiceName" --post-hook "net start WebServerOrServiceName"
e.g. WebServerOrServiceName could be Apache2.4 or SapphireIMS
Manual renewal
- Disable the auto renewal MS Scheduler task
- Stop the existing web server (if the standalone plugin was used for the installation)
//run the following command with admin privileges
certbot renew
- Start the web server again (if the standalone plugin was used for the installation)
Convert to PFX (PKCS#12) format
Install OpenSSL on Windows via Cygwin (ref), or use the copy bundled with Git for Windows
Add c:\path-to-git-installation-folder\usr\bin to the PATH environment variable so openssl can be used from the command prompt
//it contains openssl.exe
c:\path-to-git-installation-folder\usr\bin\openssl.exe
//run in the C:\Certbot\live\domain.in folder
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:somepassword
-password selects the passphrase source: pass:somepassword gives it in plain text on the command line (it then shows up in shell history and the process list; openssl also accepts file: and env: sources)
Convert to Haproxy .pem
# move to the correct let's encrypt directory
cd /etc/letsencrypt/live/domain.in
# cat the files to make a combined .pem for HAProxy (bash -c is needed because sudo does not apply to the > redirect)
sudo bash -c 'cat fullchain.pem privkey.pem > /etc/ssl/certs/domain.in.pem'
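An added helper script for the HAProxy step above and for the renewal checks earlier on this page; it is not part of the original notes. It assumes the certbot live directory layout described above (fullchain.pem and privkey.pem), an openssl binary on PATH, and uses domain.in and the output path as placeholders. It refuses to write the combined file when the key does not match the certificate, keeps the result mode 0600, and reports whether a certificate is inside the renewal window.

```bash
#!/usr/bin/env bash
# Added helper script, not part of the original notes. Assumes the certbot
# live directory layout described above (fullchain.pem + privkey.pem) and
# an openssl binary on PATH; domain name and output path are placeholders.
set -euo pipefail

# make_haproxy_pem LIVE_DIR OUT_FILE
# Builds OUT_FILE = fullchain.pem + privkey.pem for HAProxy, but only after
# confirming that privkey.pem really belongs to the leaf certificate.
make_haproxy_pem() {
  local live_dir="$1" out="$2"
  local cert="$live_dir/fullchain.pem" key="$live_dir/privkey.pem"
  [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 2; }

  # openssl x509 reads the first (leaf) certificate in fullchain.pem; compare its
  # public key with the public key derived from the private key.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "cert/key mismatch in $live_dir, not writing $out" >&2
    return 3
  fi

  # The combined file carries the private key: create it with mode 0600 and
  # tighten it even if OUT_FILE already existed with looser permissions.
  ( umask 077; cat "$cert" "$key" > "$out" )
  chmod 600 "$out"
  echo "wrote $out"
}

# cert_expires_within CERT_FILE DAYS
# Succeeds when the certificate's notAfter is within DAYS. certbot renews at
# under 30 days, so success on the HAProxy copy means renewal is not reaching
# this file (the cron/timer hook or the reload step is broken).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Typical run on the server (placeholder domain), followed by the HAProxy reload:
#   make_haproxy_pem /etc/letsencrypt/live/domain.in /etc/ssl/certs/domain.in.pem
#   cert_expires_within /etc/ssl/certs/domain.in.pem 30 && echo "renewal overdue"
#   systemctl reload haproxy
```

Run the combined-file step from a certbot --deploy-hook or right after 'certbot renew', then reload HAProxy so it stops serving the old certificate.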
References
Note
- Reload the web server so it stops serving the cached old certificate