contrib/certbot: new document
This commit is contained in:
parent
5ac4978456
commit
a52cd5aa43
35
contrib/certbot.md
Normal file
35
contrib/certbot.md
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
# Setting up Certbot for soju
|
||||||
|
|
||||||
|
If you are using [Certbot] to obtain HTTPS certificates, you can set up soju
|
||||||
|
like so:
|
||||||
|
|
||||||
|
- Obtain the certificate:
|
||||||
|
|
||||||
|
certbot certonly -d <domain>
|
||||||
|
|
||||||
|
- Allow all local users to access certificates (private keys are still
|
||||||
|
protected):
|
||||||
|
|
||||||
|
chmod 0755 /etc/letsencrypt/{live,archive}
|
||||||
|
|
||||||
|
- Allow the soju user to read the private key:
|
||||||
|
|
||||||
|
chmod 0640 /etc/letsencrypt/live/<domain>/privkey.pem
|
||||||
|
chgrp soju /etc/letsencrypt/live/<domain>/privkey.pem
|
||||||
|
|
||||||
|
- Set the `tls` directive in the soju configuration file:
|
||||||
|
|
||||||
|
tls /etc/letsencrypt/live/<domain>/fullchain.pem /etc/letsencrypt/live/<domain>/privkey.pem
|
||||||
|
|
||||||
|
- Configure Certbot to reload soju. Edit
|
||||||
|
`/etc/letsencrypt/renewal-hooks/post/soju.sh` and add a command to reload
|
||||||
|
soju, for instance:
|
||||||
|
|
||||||
|
#!/bin/sh
|
||||||
|
systemctl reload soju
|
||||||
|
|
||||||
|
Then mark the script as executable:
|
||||||
|
|
||||||
|
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/soju.sh
|
||||||
|
|
||||||
|
[Certbot]: https://certbot.eff.org/
|
Loading…
Reference in New Issue
Block a user