...
| Info |
|---|
These Instructions are for an ubuntu installation with nginx as the server. This method enables a user to get (free) certificates from an opensource provider and requires the website name to be publicly accessible. These instructions may not be applicable in other environments. Follow all applicable certificate policies when installing. Instructions for creating and renewing a certificate are here. |
Before obtaining the certificates ensure that there are two DNS A record for the website name (i.e. demonodepublicdns).
...
The instructions to do these steps are outlined at the following link: https://github.com/OHIEDATIM/datim-auto-cert-updater/blob/master/docs/testing/readme.md
Certificate creation on CentOS:
BAO has created custom scripts to aid in the creation of certificates on CentOS and Amazon Linux hosts. That script is called certbot-new and is available on hosts with the BAO yum repository installed. In order to create a new certificate, use the following steps:
- If you need a cert for
$( hostname ):- Use the wrapper script:
certbot-new --domain=$( hostname ) - Add the Nginx config from
certbot-newto/etc/nginx/conf.d/ssl-files.conf
- Use the wrapper script:
- Create another certificate if
$( hostname )begins withwww.or is a naked domain:- Use the wrapper script:
cerbot-new --domain=www.example.com - Add the Nginx config to the non-default
server{}in Nginx, NOT theconf.d/ssl-files.conffile (that is intended for the default hostname/domain)
- Use the wrapper script:
Certificate Renewal:
If the server was installed by BAO, or using BAO's tools, the cron job will automatically be installed in /etc/cron.daily/certbot-renew.
Essentially, the certbot-renew script runs the following:
certbot \ renew \ --quiet \ --non-interactive \ --agree-tos \ --preferred-challenges 'http-01' \ --pre-hook '/bin/mkdir -pv /var/lib/letsencrypt/html/' \ --renew-hook "$RENEW_HOOK"