Difference between revisions of "Certbot"

From Request Tracker Wiki
(Added auto-renew text)
(Certbot is by eff not by letsencrypt)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== Returning content NOT in RT such as ACME challenges for certbot ===
=== Returning content NOT in RT such as ACME challenges for certbot ===


Getting RT to serve static content can seem to be quite an issue, especially if it is to be dynamically created such as the ACME challenge/response that [http://letsencrypt.org LetsEncrypt's] certbot uses.  The solution is quite simple.  In your RT_SiteConfig.pm you can add the StaticRoots directive to serve static pages.  Follows is an example of how to use this feature for obtaining certbot authorised requests:
Getting RT to serve static content can seem to be quite an issue, especially if it is to be dynamically created such as the ACME challenge/response that [https://certbot.eff.org certbot] uses to get [http://letsencrypt.org LetsEncrypt] free SSL certificates.  The solution is quite simple.  In your RT_SiteConfig.pm you can add the StaticRoots directive to serve static pages.  Follows is an example of how to use this feature for obtaining [https://certbot.eff.org certbot] authorised requests:
  <nowiki>
  <nowiki>
Set( @StaticRoots,
Set( @StaticRoots,
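Review bot: the rewritten intro paragraph links LetsEncrypt as http://letsencrypt.org while the certbot link added beside it uses https; change it to https://letsencrypt.org so both links are consistent and neither is followed over plaintext. In the same paragraph, "Follows is an example" would read better as "The following is an example".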
Line 12: Line 12:
After restarting your RT server, you can then issue a certbot request as follows:
After restarting your RT server, you can then issue a certbot request as follows:
  <nowiki>
  <nowiki>
    certbot certonly --webroot -w /usr/local/share/html -d <your domain or rt hostname></nowiki>
certbot certonly --webroot -w /usr/local/share/html -d <your domain or rt hostname></nowiki>


'''Note:''' This assumes '/usr/local/share/html' is your document root, change as appropriate to your site, it does '''not''' have to be the location of your RT server or files.
'''Note:''' This assumes '/usr/local/share/html' is your document root, change as appropriate to your site, it does '''not''' have to be the location of your RT server or files.
Line 18: Line 18:
You can then install the certificate in your webserver as per it's documentation, by default the keys and certificates will be located in:
You can then install the certificate in your webserver as per it's documentation, by default the keys and certificates will be located in:
  <nowiki>
  <nowiki>
    /etc/letsencrypt/live/<your domain or rt hostname>/fullchain.pem
/etc/letsencrypt/live/<your domain or rt hostname>/cert.pem
    /etc/letsencrypt/live/<your domain or rt hostname>/privkey.pem</nowiki>
/etc/letsencrypt/live/<your domain or rt hostname>/fullchain.pem
/etc/letsencrypt/live/<your domain or rt hostname>/privkey.pem</nowiki>
To finish the installation and make certificate renewals automatic on UNIX you can add the following to crontab:
To finish the installation and make certificate renewals automatic on UNIX you can add the following to crontab:
  <nowiki>
  <nowiki>
    2 2 1 * * /usr/local/bin/certbot renew --webroot -w /usr/local/share/html -d <your domain or rt hostname> && service apache24 restart</nowiki>
2 2 1 * * /usr/local/bin/certbot renew --webroot -w /usr/local/share/html -d <your domain or rt hostname> && service apache24 restart</nowiki>
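Review bot: the crontab line at the end of this hunk passes -d <your domain or rt hostname> to certbot renew, but the renew subcommand does not take a domain list and exits with an error instead of renewing, so the "&& service apache24 restart" part never runs either. Drop the -d argument (renew reuses the settings saved by the earlier certonly run) or select the certificate with --cert-name <your domain or rt hostname>. The "2 2 1 * *" schedule also runs only once a month, which leaves little margin if one attempt fails; renew only acts on certificates that are close to expiry, so a daily run is safe. In the first line of the hunk, "as per it's documentation" should read "its".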

Latest revision as of 21:12, 14 February 2019

Returning content NOT in RT such as ACME challenges for certbot

Getting RT to serve static content can seem difficult, especially when that content is created dynamically, as with the ACME challenge/response that certbot uses to obtain free Let's Encrypt SSL certificates. The solution is quite simple: in your RT_SiteConfig.pm, add the StaticRoots directive to serve static pages. The following example shows how to use this feature so that certbot's authorisation requests are answered:

Set( @StaticRoots,
    {
        # Strip the /.well-known/ prefix; the remainder is looked up under root.
        path => sub { s!^/\.well-known/!! },
        root => '/usr/local/share/html/.well-known/',
    },
);

After restarting your RT server, you can then issue a certbot request as follows:

certbot certonly --webroot -w /usr/local/share/html -d <your domain or rt hostname>

Note: This assumes '/usr/local/share/html' is your document root; change it as appropriate for your site. It does not have to be the location of your RT server or files.
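Before asking certbot for a certificate, it helps to confirm that RT really returns files placed under the challenge directory, since a failed validation only shows up as an error from the CA. The following preflight check is an added example, not part of the original wiki page; the script name preflight.py and the function preflight are assumptions, and the base URL should be the plain http:// address of your RT host.

```python
"""Preflight for the webroot setup above: confirm the web server returns a file
placed under <webroot>/.well-known/acme-challenge/ byte for byte."""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def preflight(webroot, base_url, timeout=10):
    """Write a random probe file, fetch it via base_url, remove it.

    Returns (ok, detail)."""
    token = "preflight-" + secrets.token_urlsafe(16)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    probe = os.path.join(directory, token)
    with open(probe, "w") as fh:
        fh.write(token)
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return False, "fetch failed: %s" % exc
    finally:
        # Never leave probe files behind in the challenge directory.
        os.remove(probe)
    # A 200 alone proves nothing: an application can answer any path with a
    # login or error page. Only an exact body match shows the mapping works.
    if body.strip() != token:
        return False, "unexpected body (first bytes: %r)" % body[:60]
    return True, "served correctly"


if __name__ == "__main__":
    # Usage: preflight.py /usr/local/share/html http://<your domain or rt hostname>
    ok, detail = preflight(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it as a user that can write to the document root; a non-zero exit means the StaticRoots mapping or the -w path needs fixing before running certbot.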

You can then install the certificate in your web server as per its documentation. By default, the keys and certificates will be located in:

/etc/letsencrypt/live/<your domain or rt hostname>/cert.pem
/etc/letsencrypt/live/<your domain or rt hostname>/fullchain.pem
/etc/letsencrypt/live/<your domain or rt hostname>/privkey.pem

To finish the installation and make certificate renewals automatic on UNIX you can add the following to crontab:

2 2 1 * * /usr/local/bin/certbot renew --webroot -w /usr/local/share/html --cert-name <your domain or rt hostname> && service apache24 restart