From e5f4282ccae03abd8bfd41f2055915c22ac21c83 Mon Sep 17 00:00:00 2001 From: Norm Date: Sun, 21 Apr 2024 00:25:32 -0400 Subject: [PATCH] Update certbot instructions for Alpine Linux --- docs/docs/installation/alpine_linux_en.md | 67 ++++++++++------------- 1 file changed, 30 insertions(+), 37 deletions(-) diff --git a/docs/docs/installation/alpine_linux_en.md b/docs/docs/installation/alpine_linux_en.md index bdfb96d77..e5f88ac30 100644 --- a/docs/docs/installation/alpine_linux_en.md +++ b/docs/docs/installation/alpine_linux_en.md 
@@ -145,47 +145,13 @@ If you want to open your newly installed instance to the world, you should run n doas apk add nginx ``` -* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it: - -```shell -doas apk add certbot -``` - -and then set it up: - -```shell -doas mkdir -p /var/lib/letsencrypt/ -doas certbot certonly --email -d --standalone -``` - -If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). - * Copy the example nginx configuration to the nginx folder ```shell doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf ``` -* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name` and the paths to the certificates. You can use `nano` (install with `apk add nano` if missing). - -``` -server { - server_name your.domain; - listen 80; - ... -} - -server { - server_name your.domain; - listen 443 ssl http2; - ... - ssl_trusted_certificate /etc/letsencrypt/live/your.domain/chain.pem; - ssl_certificate /etc/letsencrypt/live/your.domain/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem; - ... -} -``` - +* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name`. You can use `nano` (install with `apk add nano` if missing). * Enable and start nginx: ```shell 
@@ -193,10 +159,37 @@ doas rc-update add nginx doas rc-service nginx start ``` -If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run: +* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it: ```shell -doas certbot certonly --email -d --webroot -w /var/lib/letsencrypt/ +doas apk add certbot certbot-nginx +``` + +and then set it up: + +```shell +doas mkdir -p /var/lib/letsencrypt/ +doas certbot --email -d -d --nginx +``` + +If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`. + +To automatically renew, set up a cron job like so: + +```shell +# Enable the crond service +doas rc-update add crond +doas rc-service crond start + +# Test that renewals work +doas certbot renew --cert-name yourinstance.tld --nginx --dry-run + +# Add the renewal task to cron +echo '#!/bin/sh +certbot renew --cert-name yourinstance.tld --nginx +' | doas tee /etc/periodic/daily/renew-akkoma-cert +doas chmod +x /etc/periodic/daily/renew-akkoma-cert + ``` #### OpenRC service
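Review bot: In the first hunk (@@ -145,47) the added bullet "You must change change `server_name`" keeps the doubled word "change change" from the old text, and dropping the nginx example removes the only place that told the reader what to do with the 443 server block's `ssl_trusted_certificate`, `ssl_certificate` and `ssl_certificate_key` lines. With this patch nginx is enabled and started before certbot has issued anything, so if the copied akkoma.conf still carries the ssl block shown in the removed example, `nginx -t` and `rc-service nginx start` fail on the missing `/etc/letsencrypt/live/your.domain/*.pem` files before the certbot step is reached. Suggest fixing the typo and either stating that the example config is HTTP-only (or that its 443 block is commented out) until certbot has run, or keeping a short form of the removed example so the reader knows which lines certbot is expected to add.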
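Review bot: In the second hunk (@@ -193,10) the issuance command `doas certbot --email -d -d --nginx` has no value after `--email` or after either `-d`, so it fails as soon as it is copied; the cron block below already uses `yourinstance.tld` as the placeholder, so the same domain placeholder (plus an email placeholder) should appear here so the issuance, dry-run and renewal commands line up. The `doas mkdir -p /var/lib/letsencrypt/` line just above it is a leftover from the removed `--webroot -w /var/lib/letsencrypt/` flow and is not used by the `--nginx` authenticator, so it can be dropped. Minor: the renewal fence ends with a stray blank `+` line after `doas chmod +x /etc/periodic/daily/renew-akkoma-cert` that should be trimmed.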