
SSL Certificates

SSL Certificates are generated and renewed automatically using certbot. Certbot is installed on CS3973 in:

/opt/eff.org/certbot

and the executable is:

/usr/local/sbin/certbot-auto

Certificates should be generated and renewed using the Cloudflare DNS challenge, which requires the Cloudflare DNS plugin. You can check whether it is installed using:

certbot-auto plugins

This shows a list of the installed plugins. If Cloudflare is missing, add it using the following commands:

cd /opt/eff.org/certbot/venv
source bin/activate
sudo pip install certbot-dns-cloudflare
deactivate

Once the Cloudflare plugin is in place a certificate can be generated using the following command:

certbot-auto certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini --preferred-challenges dns-01 -d [domain-name] -d [another-domain-name]

The /root/.secrets/cloudflare.ini file contains the API key used to access Cloudflare, so if the key needs updating for any reason, this is where you change it. The file is not writable by default, even by root, so you need to change the file mode before editing it.

Renewals are run automatically but if you need to run them manually you can use the command:

certbot-auto renew

or, if you just want to test whether renewals are working, use:

certbot-auto renew --dry-run
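The following pre-flight script is an added example, not part of this page or of certbot; it checks the credentials file mode, that the file carries one of the plugin's documented credential keys (dns_cloudflare_api_key or dns_cloudflare_api_token), and that the plugin is listed, before starting a dry-run renewal. The path defaults to the one used above; the CRED_FILE override and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page or from certbot): pre-flight
# checks before a manual renewal with the Cloudflare DNS plugin.

# Credentials file from the page; overridable for testing (assumption).
CRED_FILE="${CRED_FILE:-/root/.secrets/cloudflare.ini}"

# Return 0 when the credentials file is readable only by its owner
# (mode 600 or 400); anything looser exposes the Cloudflare API key.
check_cred_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# Return 0 when the file carries one of the plugin's credential keys,
# without printing the secret value itself.
check_cred_key() {
    grep -Eq '^[[:space:]]*dns_cloudflare_api_(key|token)[[:space:]]*=' "$1"
}

# Return 0 when certbot-auto lists the Cloudflare DNS plugin.
check_plugin() {
    certbot-auto plugins 2>/dev/null | grep -q 'dns-cloudflare'
}

# Run the dry-run renewal only after every check above has passed.
preflight_renew() {
    check_cred_mode "$CRED_FILE" \
        && check_cred_key "$CRED_FILE" \
        && check_plugin \
        && certbot-auto renew --dry-run
}
```

Run preflight_renew on CS3973; the script exits before touching certbot-auto if the credentials file is world- or group-readable.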

All the configuration and the certificates are held in:

/etc/letsencrypt/

and for CS3975 this directory is a mount from CS3973, so any changes made on CS3973 are automatically visible on CS3975. However, if you run the renewal process manually, you will also need to restart Apache on CS3975 manually.

If you generate a new certificate for a new host, you will need to configure it in Apache manually. Refer to an existing virtual host configuration for details.
