letsencrypt basics

Author: marcel-dempers

security/letsencrypt/introduction/nginx.conf

@@ -36,20 +36,20 @@ http {
 
     }
 
-    server {
-      listen 443 ssl default_server;
-      listen [::]:443 ssl default_server ;
-      server_name marcel.guru;
-      ssl_certificate /etc/letsencrypt/live/marcel.guru/fullchain.pem;
-      ssl_certificate_key /etc/letsencrypt/live/marcel.guru/privkey.pem;
-      root /usr/share/nginx/html/;
-
-      location / {
-        gzip off;
-        root /usr/share/nginx/html/;
-        index  index.html;
-      }
-
-    }
+    # server {
+    #   listen 443 ssl default_server;
+    #   listen [::]:443 ssl default_server ;
+    #   server_name marcel.guru;
+    #   ssl_certificate /etc/letsencrypt/live/marcel.guru/fullchain.pem;
+    #   ssl_certificate_key /etc/letsencrypt/live/marcel.guru/privkey.pem;
+    #   root /usr/share/nginx/html/;
+
+    #   location / {
+    #     gzip off;
+    #     root /usr/share/nginx/html/;
+    #     index  index.html;
+    #   }
+
+    # }
 
 }

security/letsencrypt/introduction/readme.md

@@ -0,0 +1,113 @@
+# Let's encrypt
+
+## Introduction
+To start off, I run an NGINX web server. <br/>
+This could be running anywhere in the cloud. <br/>
+
+```
+docker run -it -p 80:80 nginx bash
+
+# get my public IP for this server 
+curl ifconfig.co
+
+# lets get out of the container
+exit
+
+```
+
+Now that we have the public IP for our server, lets start it up again <br/>
+This time, without bash <br/>
+We should be able to access it in the browser <br/>
+
+```
+docker run -it -p 80:80 nginx
+```
+
+In the video, we create a DNS record and point it to the IP of our server <br/>
+
+## Certbot
+
+The [docs](https://certbot.eff.org/)
+
+To build certbot, i simply change directory and build my certbot container <br/>
+
+```
+cd .\security\letsencrypt\introduction\
+
+docker build . -t certbot
+
+docker run -it --rm --name certbot `
+-v ${PWD}:/letsencrypt `
+-v ${PWD}/certs:/etc/letsencrypt `
+certbot bash
+
+```
+
+## NGINX 
+
+We've customised our `nginx.conf` as shown in the video <br/>
+
+Run this NGINX, we mount the shared folder that certbot will use:
+
+```
+cd .\security\letsencrypt\introduction\
+
+docker run -it --rm --name nginx `
+-v ${PWD}/nginx.conf:/etc/nginx/nginx.conf `
+-v ${PWD}:/letsencrypt `
+-v ${PWD}/certs:/etc/letsencrypt `
+-p 80:80 `
+-p 443:443 `
+nginx
+
+```
+
+## Issue certificate
+
+In certbot, generate our cert:
+
+```
+certbot certonly --webroot
+
+# webroot is the folder we mounted: /letsencrypt
+
+# certificate outputs under etc/letsencrypt/live/**
+# since we share this volume with our webserver, we dont need to copy
+# certificates across.
+
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at:
+   /etc/letsencrypt/live/marcel.guru/fullchain.pem
+   Your key file has been saved at:
+   /etc/letsencrypt/live/marcel.guru/privkey.pem
+   Your cert will expire on 2020-12-03. To obtain a new or tweaked
+   version of this certificate in the future, simply run certbot
+   again. To non-interactively renew *all* of your certificates, run
+   "certbot renew"
+ - Your account credentials have been saved in your Certbot
+   configuration directory at /etc/letsencrypt. You should make a
+   secure backup of this folder now. This configuration directory will
+   also contain certificates and private keys obtained by Certbot so
+   making regular backups of this folder is ideal.
+ - If you like Certbot, please consider supporting our work by:
+
+   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+   Donating to EFF:                    https://eff.org/donate-le
+
+```
+
+## Renewal
+
+To do a dry run of cert renewal:
+
+```
+certbot renew --dry-run
+```
+
+Reload our NGINX web server if the certs change:
+
+```
+docker exec -it nginx sh -c "nginx -s reload"
+```
+
+Checkout the Certbot [docs](https://certbot.eff.org/instructions) for more details