Update nginx config and install docs to use certbot's nginx plugin #752
No reviewers
Oneric
Labels
No Label
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: AkkomaGang/akkoma#752
Loading…
Reference in New Issue
No description provided.
Delete Branch "norm/akkoma:docs-nginx-certbot"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This should make it less confusing to properly configure Let's Encrypt certificates and importantly allow for automatic renewals without futzing around.
I've left the *BSD stuff alone as I'm not that familiar with how things are done there.
Closes #747
Alongside moving to certbot's nginx plugin, also use conf.d instead of recreating the sites-{available,enabled} setup that Debian/Ubuntu uses. Furthermore, also request a certificate for the media domain at the same time since that's now required.6b04382539to588e2141e3looks good to me except for one thing in Gentoo instructions
@ -243,0 +236,4 @@If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). Often the answer to issues with certbot is to use the `--nginx` flag once you have nginx up and running.If you are using any additional subdomains, such as for a media proxy, you can re-run the same command with the subdomain in question. When it comes time to renew later, you will not need to run multiple times for each domain, one renew will handle it.The first paragraph after the
certbot --nginxcommand talks about making sure nginx isn’t runnning and disabling SSL, but i think this was only relevant to the old way and probably now counterproductive.The
--dry-runhint on the other hand might be goo to add to all instruction versions.The second paragraph about subdomain should have been obsoleted by the
-d <media_domain>additionI'll look at adding in the
--dry-runstuff to the other install instructions. The rest should be fixed up now.588e2141e3to4effa3806b4effa3806btoc066044c09Added in the
--dry-runtroubleshooting steps to the setup instructions for all distrosc066044c09to9d871d32649d871d3264to6f1ac4b843Forgot about the OTP stuff, that should be updated now.
OTPs don’t have the
--dry-run + nginx -thints yet but otherwise good afaict6f1ac4b843tof168c79c2d(idk if you just hadn’t time to update both yet, but otp_redhat doesn’t have the troubleshooting hints yet, only normal OTP)
f168c79c2dto0fa3fbf55eseems sensible - I do wonder if we should at some point recommend caddy as a generic webserver given how it takes out the managing of certbot alltogether
probably, caddy is a lot simpler to set up, though nginx does have a few useful things that isn't natively present in caddy like caching