    3. certbot
    • 1

      Validation when renewing let's encrypt?

      IT Discussion
      • lets encrypt certbot certificates • • 1337
      Votes: 0 · Posts: 3 · Views: 485

      1

      @JaredBusch said in Validation when renewing let's encrypt?:

      @Pete-S said in Validation when renewing let's encrypt?:

      When LE certs are renewed are they using the same type of validation again as when they are created?

      (We're using certbot)

      They should, yes.

      OK, thanks.

    • 1

      Is certbot the best way to handle Let's Encrypt certs?

      IT Discussion
      • lets encrypt certbot • • 1337
      Votes: 0 · Posts: 6 · Views: 606

      stacksofplates

      @Pete-S said in Is certbot the best way to handle Let's Encrypt certs?:

      @stacksofplates said in Is certbot the best way to handle Let's Encrypt certs?:

      Lego is another good one from what I've seen. It does all 3 challenge types.

      https://go-acme.github.io/lego/

      Thanks, might have a look at it next time.

      I went with certbot this time because it was very clear what needed to be done. Debian has a package for it; all you need to do is have an http server up and running and then:

      # apt-get install certbot python-certbot-apache
      # certbot --apache

      It will do everything for you - create & install the certificate, set up redirection from http to https, set up a job that updates the cert etc.

      The site has instructions for every common OS (redhat, ubuntu etc) and http daemon (apache, nginx etc) combination.
      https://certbot.eff.org/lets-encrypt/debianbuster-apache

      Yeah certbot is the easiest. Lego is just more flexible and you only need the binary. Def start with the easiest for now.

    • dbeato

      Zimbra Certbot Scripts

      IT Discussion
      • zimbra certbot lets encrypt • • dbeato
      Votes: 1 · Posts: 15 · Views: 1.3k

      scottalanmiller

      @EddieJennings said in Zimbra Certbot Scripts:

      Since acquiring and renewing a certificate can be automated with Certbot, would it make sense to have the cert in two places? HTTP/HTTPS traffic passes through your Nginx VM, which receives its certificate through its own instance of Certbot. And you have a second instance of certbot that functions on the Zimbra server itself, so you have a cert for IMAP and SMTP connections.

      Or, for you, does it not matter that IMAP and SMTP connections are unencrypted? Since beyond your own mail server, there's no guarantee that encrypted connections will exist.

      You could, but it would still be such a pain to automate as certbot can't renew the certs alone for Zimbra, that you might as well just use one.

    • wirestyle22

      Deprecation of the TLS-SNI challenge

      IT Discussion
      • certbot lets encrypt • • wirestyle22
      Votes: 1 · Posts: 7 · Views: 910

      JaredBusch

      @wirestyle22 so much to work on....

    • dbeato

      Setup LetsEncrypt Certbot with Cloudflare DNS authentication (Ubuntu)

      IT Discussion
      • nginx lets encrypt cloudflare certbot dns ubuntu 18.04 • • dbeato
      Votes: 4 · Posts: 6 · Views: 20.3k

      scottalanmiller

      @aboka said in Setup LetsEncrypt Certbot with Cloudflare DNS authentication (Ubuntu):

      Hi, thanks for sharing this guide. Would like to ask, what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.

      There are certbot options to use the running server (Nginx in this case.) But I agree with Jared, better to use DNS.

    • wirestyle22

      Renewing Let's Encrypt certificates using a systemd timer

      IT Discussion
      • systemd timers certbot nginx how to • • wirestyle22
      Votes: 7 · Posts: 9 · Views: 2.2k

      JaredBusch

      @wirestyle22 said in Renewing Let's Encrypt certificates using a systemd timer:

      sudo systemctl enable certbot-renewal.timer

      As I did this again today, I thought I would post my quick tweak to this because I do not like the idea of it running hourly.

      I set mine to run twice a day with a 1 hour randomizer.

      [Timer]
      OnCalendar=*-*-* 01,13:00:00
      RandomizedDelaySec=3600
      Unit=certbot-renewal.service


    • DustinB3403

      XOCE and Let's Encrypt

      IT Discussion
      • xen orchestra community certbot lets encrypt ssl https • • DustinB3403
      Votes: 0 · Posts: 10 · Views: 2.2k

      DustinB3403

      And this person has a full guide https://xcp-ng.org/forum/topic/3775/xen-orchestra-from-source-with-let-s-encrypt-certificates

    • JaredBusch

      Install Nginx as a Reverse Proxy on Fedora 27

      IT Discussion
      • nginx fedora certbot fedora 27 reverse proxy guides real instructions how to • • JaredBusch
      Votes: 10 · Posts: 107 · Views: 23.2k

      travisdh1

      It's now 2/15/2024 with Fedora 39, and this is still working.

      Just set up a new reverse proxy.

    • brianlittlejohn

      Solved Certbot Apache plugin broken in Fedora 26

      IT Discussion
      • lets encrypt certbot apache fredora linux fedora 26 ssl ssl certificates tls • • brianlittlejohn
      Votes: 2 · Posts: 20 · Views: 5.1k

      JaredBusch

      @zachary715 said in Certbot Apache plugin broken in Fedora 26:

      @scottalanmiller said in Certbot Apache plugin broken in Fedora 26:

      I ran into this issue, forgot about this thread, went through LetsEncrypt's threads and their solution for this problem led me... here! Very nice.

      Just did the exact same thing. Let'sEncrypt forum had the link which led me here right about the time @JaredBusch was responding in my other thread.

      It has been posted on here more than one time. I should probably find one of those posts and make @scottalanmiller tag it appropriately.

      Edit: Or too slow..

    • JaredBusch

      SSL between a proxy and its target

      IT Discussion
      • certbot lets encrypt nginx reverse proxy • • JaredBusch
      Votes: 1 · Posts: 12 · Views: 2.1k

      Dashrender

      @travisdh1 said in SSL between a proxy and its target:

      @Dashrender said in SSL between a proxy and its target:

      @dafyre said in SSL between a proxy and its target:

      @scottalanmiller said in SSL between a proxy and its target:

      Never had to do that. Seems like a script to pull it from time to time might be enough, though?

      Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

      Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

      It's industry standard public/private key encryption, so shouldn't be an issue.

      You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.

      I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild 😞
