X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/e4d8d236ef9699ef9c0072d97ebc80e18ef785cb..a84c03aaa616d8e3de75d581954d8af45afe6464:/personal/_posts/2017-12-26-lets-encrypt.md?ds=sidebyside diff --git a/personal/_posts/2017-12-26-lets-encrypt.md b/personal/_posts/2017-12-26-lets-encrypt.md index f8f848d..e63d77b 100644 --- a/personal/_posts/2017-12-26-lets-encrypt.md +++ b/personal/_posts/2017-12-26-lets-encrypt.md @@ -1,6 +1,6 @@ --- title: Let's Encrypt Tiny -categories: Sysadmin +categories: sysadmin --- I think all HTTP communication on the internet should be encrypted -- and thanks @@ -26,11 +26,12 @@ The client is based on [acme-tiny](https://github.com/diafygi/acme-tiny), a beautifully small Python library (<200 lines) speaking the ACME protocol. That's the protocol developed by Let's Encrypt to communicate with an automated CA. I duly called my client "Let's Encrypt Tiny", and with less than 250 lines -I think that name is still fair. For now, -[Let's Encrypt Tiny](https://github.com/RalfJung/server-scripts/blob/master/letsencrypt-tiny) -resides in my [server-scripts](https://github.com/RalfJung/server-scripts) -repository, and it will stay there until anyone else has an interesting in using -it. ;) +I think that name is still fair. For now, Let's Encrypt Tiny resides in my +[server-scripts](https://github.com/RalfJung/server-scripts) repository, and it +will stay there until anyone else has an interesting in using it. ;) + +**Update:** Let's Encrypt Tiny now has its +[own repository](https://github.com/RalfJung/lets-encrypt-tiny). **/Update** The central concept of Let's Encrypt Tiny is a "certificate line" -- a sequence of certificates, possibly for different private keys, that "belong together" in @@ -191,7 +192,7 @@ SSLHonorCipherOrder on [bettercrypto.org](https://bettercrypto.org) because I prefer to not update it with every change in OpenSSL's supported ciphers.) -## Obtaining the first certificate +## Obtaining the First Certificate You can now run `letsencrypt-tiny -c letsencrypt.conf init` to perform the initial setup. @@ -200,7 +201,7 @@ In the future, to change the set of domains, first edit the config file and then run `letsencrypt-tiny -c letsencrypt.conf -k renew`. The `-k` tells Let's Encrypt Tiny to also run the certificate hook. -## Automation via cron +## Automation Via Cron Let's Encrypt certificates expire after 90 days, so we want renewal to be automated. To this end, just make sure that `letsencrypt-tiny -c @@ -258,4 +259,4 @@ added to my zone. At least 25h later (I have the TTL set to 24h), the key gets unstaged, and the old TLSA record is removed from the zone. That's it! If you have any questions, feel free to report -[issues at GitHub](https://github.com/RalfJung/server-scripts/issues). +[issues at GitHub](https://github.com/RalfJung/lets-encrypt-tiny/issues).