This shows you the differences between two versions of the page.
ssl [2016/06/09 16:30] alex [Apache] |
ssl [2017/10/26 18:59] (current) mb [Standalone (non-HTTP)] |
||
---|---|---|---|
Line 8: | Line 8: | ||
/var/www/well-known | /var/www/well-known | ||
+-- example.com | +-- example.com | ||
- | \-- .well-known -> . | + | | \-- .well-known -> . |
+ | \-- www.example.com -> example.com | ||
</code> | </code> | ||
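Review bot: the added `www.example.com -> example.com` entry in the tree comes with no command to create it, so a reader cannot tell that it is meant to be a relative symlink made from inside /var/www/well-known. Suggest adding the step next to the tree (for example `ln -s example.com www.example.com`, run in that directory) and a sentence saying why the alias is needed, since the certbot command further down still passes only `-w /var/www/well-known/example.com` for both `-d` names.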
Line 21: | Line 22: | ||
Finally run: | Finally run: | ||
<code> | <code> | ||
- | sudo certbot certonly --webroot -w /var/www/well-known/coremem.com -d example.com -d www.example.com | + | sudo certbot certonly --webroot -w /var/www/well-known/example.com -d example.com -d www.example.com |
</code> | </code> | ||
- | '''N.B.''' you can add append many more sub-domains on there if you want to use use multiple domains in the same certificate, though you might have to play with ''mod_rewrite'' in ''/etc/apache2/conf-available/well-known.conf'' to line things up. | + | **N.B.** you can append many more sub-domains on there if you want to use use multiple domains in the same certificate |
- | Now go back to your Apache configuration section and add a new ''<VirtualHost/>'' block for your domain but create your HTTPS section and insert the following lines into it: | + | Now go back to your ''<VirtualHost/>'' block for your domain and make the opening look like: |
+ | <code> | ||
+ | <VirtualHost *:80 *:443> | ||
+ | </code> | ||
+ | |||
+ | Now slip into in the following lines into the block its-self: | ||
<code> | <code> | ||
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem | SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem | ||
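Review bot: the new opening `<VirtualHost *:80 *:443>` puts the port 80 listener in the same block as the `SSLCertificateFile` lines and the `Include /etc/letsencrypt/options-ssl-apache.conf`, so any directive in that include that switches TLS on applies to the plain-HTTP listener as well, and the `RewriteCond %{HTTPS} off` redirect added later may never be reached. Suggest keeping two blocks: a `*:80` one that holds only the redirect, and a `*:443` one that holds the certificate lines and the include. Separately, the rewritten N.B. line still reads "use use", loses its closing full stop, and drops the earlier hint about `mod_rewrite` in well-known.conf without saying whether the new symlink layout makes it unnecessary; "slip into in the following lines into the block its-self" also needs a second pass.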
Line 32: | Line 38: | ||
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem | SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem | ||
Include /etc/letsencrypt/options-ssl-apache.conf | Include /etc/letsencrypt/options-ssl-apache.conf | ||
+ | |||
+ | RewriteEngine on | ||
+ | RewriteCond %{HTTPS} off | ||
+ | RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] | ||
</code> | </code> | ||
- | Finally, do one last reload and you should have a secure site. | + | Finally, do one last reload and you should have a secure site (with your non-secure site redirecting to the secure one). |
+ | |||
+ | ===== Standalone (non-HTTP) ===== | ||
+ | |||
+ | Simply a case of running: | ||
+ | |||
+ | <code> | ||
+ | sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d marmot.wormnet.eu -d imap.wormnet.eu -d smtp.wormnet.eu | ||
+ | </code> | ||
+ | |||
+ | You will need to shut down any webserver listening on ''80/tcp'' or ''443/tcp''. **N.B.** on marmot sslh is listening on 443; it's ok to shut down ''apache2'' only. | ||
+ | |||
+ | |||
+ | Then you can tie in the certs at: | ||
+ | |||
+ | * **''/etc/exim4/exim4.conf.template'':** ''tls_certificate'' and ''tls_privatekey'' | ||
+ | * **''/etc/imapd.conf'':** ''tls_cert_file'' and ''tls_key_file'' | ||
+ | * **''/etc/imapd-http.conf'':** ''tls_cert_file'' and ''tls_key_file'' |
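Review bot: in the added rewrite lines, `RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` builds the redirect target from the Host header the client sent, so the permanent redirect goes to whatever name the request presented. Suggest spelling out the canonical name instead (`https://example.com%{REQUEST_URI}`), or noting that the vhost must only match the intended names. In the Standalone section the command restricts certbot to `http-01`, which is answered on port 80, yet the text asks the reader to stop anything on `80/tcp` or `443/tcp` and then excepts sslh on 443; say plainly that only port 80 has to be free. The closing list names the exim4 and imapd settings but not which files under /etc/letsencrypt/live/ they should point at, nor that those daemons must be able to read the private key and need a reload after each renewal.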