Update certbot instructions for Alpine Linux

Update gentoo install guide to use certbot-nginx
2024-04-21 18:01:11 -04:00 · 2024-04-21 18:01:11 -04:00
2 changed files with 43 additions and 57 deletions
--- a/docs/docs/installation/alpine_linux_en.md
+++ b/docs/docs/installation/alpine_linux_en.md
@ -145,47 +145,13 @@ If you want to open your newly installed instance to the world, you should run n
 doas apk add nginx
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:
-
-```shell
-doas apk add certbot
-```
-
-and then set it up:
-
-```shell
-doas mkdir -p /var/lib/letsencrypt/
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again).
-
 * Copy the example nginx configuration to the nginx folder

 ```shell
 doas cp /opt/akkoma/installation/nginx/akkoma.nginx /etc/nginx/conf.d/akkoma.conf
 ```

-* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name` and the paths to the certificates. You can use `nano` (install with `apk add nano` if missing).
-
-```
-server {
-    server_name    your.domain;
-    listen         80;
-    ...
-}
-
-server {
-    server_name your.domain;
-    listen 443 ssl http2;
-    ...
-    ssl_trusted_certificate   /etc/letsencrypt/live/your.domain/chain.pem;
-    ssl_certificate           /etc/letsencrypt/live/your.domain/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/your.domain/privkey.pem;
-    ...
-}
-```
-
+* Before starting nginx edit the configuration and change it to your needs. You must change change `server_name`. You can use `nano` (install with `apk add nano` if missing).
 * Enable and start nginx:

 ```shell
@ -193,10 +159,34 @@ doas rc-update add nginx
 doas rc-service nginx start
 ```

-If you need to renew the certificate in the future, uncomment the relevant location block in the nginx config and run:
+* Setup your SSL cert, using your method of choice or certbot. If using certbot, first install it:

 ```shell
-doas certbot certonly --email <your@emailaddress> -d <yourdomain> --webroot -w /var/lib/letsencrypt/
+doas apk add certbot certbot-nginx
+```
+
+and then set it up:
+
+```shell
+doas mkdir -p /var/lib/letsencrypt/
+doas certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+To automatically renew, set up a cron job like so:
+
+```shell
+doas rc-update add crond
+doas rc-service crond start
+
+# Test that renewals work
+doas certbot renew --cert-name yourinstance.tld --nginx --dry-run
+
+# Add the renewal task to cron
+cat <<EOF | doas tee /etc/periodic/daily/certbot-renew.sh
+#!/bin/sh
+certbot renew --cert-name yourinstance.tld --nginx
+EOF
+doas chmod +x /etc/periodic/daily/certbot-renew.sh
 ```

 #### OpenRC service
--- a/docs/docs/installation/gentoo_en.md
+++ b/docs/docs/installation/gentoo_en.md
@ -201,25 +201,6 @@ Assuming you want to open your newly installed federated social network to, well
 include sites-enabled/*;
 ```

-* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
-
-```shell
- # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
-```
-
-and then set it up:
-
-```shell
- # mkdir -p /var/lib/letsencrypt/
- # certbot certonly --email <your@emailaddress> -d <yourdomain> --standalone
-```
-
-If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. If that doesn’t work, make sure, that nginx is not already running. If it still doesn’t work, try setting up nginx first (change ssl “on” to “off” and try again). Often the answer to issues with certbot is to use the `--nginx` flag once you have nginx up and running.
-
-If you are using any additional subdomains, such as for a media proxy, you can re-run the same command with the subdomain in question. When it comes time to renew later, you will not need to run multiple times for each domain, one renew will handle it.
-
---
-
 * Copy the example nginx configuration and activate it:

 ```shell
@ -237,9 +218,24 @@ Pay special attention to the line that begins with `ssl_ecdh_curve`. It is stong

 ```shell
 # rc-update add nginx default
- # /etc/init.d/nginx start
+ # rc-service nginx start
 ```

+* Setup your SSL cert, using your method of choice or certbot. If using certbot, install it if you haven't already:
+
+```shell
+ # emerge --ask app-crypt/certbot app-crypt/certbot-nginx
+```
+
+and then set it up:
+
+```shell
+ # mkdir -p /var/lib/letsencrypt/
+ # certbot --email <your@emailaddress> -d <yourdomain> -d <media_domain> --nginx
+```
+
+If that doesn't work the first time, add `--dry-run` to further attempts to avoid being ratelimited as you identify the issue, and do not remove it until the dry run succeeds. A common source of problems are nginx config syntax errors; this can be checked for by running `nginx -t`.
+
 If you are using certbot, it is HIGHLY recommend you set up a cron job that renews your certificate, and that you install the suggested `certbot-nginx` plugin. If you don't do these things, you only have yourself to blame when your instance breaks suddenly because you forgot about it.

 First, ensure that the command you will be installing into your crontab works.
Author	SHA1	Message	Date
Norm	4effa3806b	Update certbot instructions for Alpine Linux	2024-04-21 18:01:11 -04:00
Norm	185d4e5979	Update gentoo install guide to use certbot-nginx	2024-04-21 18:01:11 -04:00