https://ultimatehomeserver.com/docs/getting-started/ssl

Configure certbot

example from UHS

sudo /opt/certbot/bin/certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d <your domain> \
  -d *.<your domain>

example from certbot-dns-cloudflare

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d example.com

example from certbot-dns-route53

certbot certonly \
  --dns-route53 \
  --dns-route53-propagation-seconds 30 \
  -d example.com

mine:

sudo /opt/certbot/bin/certbot certonly \
  --dns-route53 \
  --dns-route53-propagation-seconds 60 \
  -d hs.tjenwellens.eu \
  -d *.hs.tjenwellens.eu

tjen@homeserver:/$ sudo /opt/certbot/bin/certbot certonly \
  --dns-route53 \
  --dns-route53-propagation-seconds 60 \
  -d hs.tjenwellens.eu \
  -d *.hs.tjenwellens.eu
Use of --dns-route53-propagation-seconds is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [redacted]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for hs.tjenwellens.eu and *.hs.tjenwellens.eu
Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Problem: unable to locate credentials

Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

solution

The Route 53 plugin reads the AWS credentials through boto3 from the home directory of the user certbot runs as. Because the command runs under sudo, that user is root, so ~/.aws/config needs to be in root's home instead of my home.

src: https://stackoverflow.com/questions/62492042/certbot-unable-to-locate-environment-variable-credentials

so in /root/.aws/config

setup auto-renewal

tjen@homeserver:~$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

tjen@homeserver:~$ sudo /opt/certbot/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hs.tjenwellens.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for hs.tjenwellens.eu and *.hs.tjenwellens.eu

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/hs.tjenwellens.eu/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
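A post-setup check for the two things that matter in the steps above: the AWS credentials file has to live in /root/.aws (not the invoking user's home) and the cron entry has to be present and actually runnable by cron. This is an added example, not from the UHS docs or from certbot; it assumes the paths used in these notes (/root/.aws/config, /etc/crontab), that cron runs with the Debian-style default PATH of /usr/bin:/bin (so the bare `certbot` in the cron line only resolves if the binary or a symlink to /opt/certbot/bin/certbot is on that PATH), and that the credentials file is mode 0600 because it holds the AWS secret key.

```shell
#!/bin/sh
# Post-setup checks for the Route 53 DNS-challenge renewal described in the
# notes above. Added example (not UHS or certbot code); default paths are the
# ones the notes use and can be overridden by each function's first argument.
set -u

# The plugin runs as root under sudo/cron, so boto3 looks in /root/.aws, not
# in the invoking user's home. The file holds an AWS secret key, so it must
# exist, be a regular file and be readable by its owner only (mode 0600).
check_aws_config() {
    f="${1:-/root/.aws/config}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    if [ -z "$(find "$f" -perm 600 -print)" ]; then
        echo "bad mode on $f (want 0600)"; return 1
    fi
    grep -q 'aws_secret_access_key' "$f" || { echo "no secret key in $f"; return 1; }
    return 0
}

# The crontab line must be uncommented, run as root and contain the renew
# command; check /etc/crontab (or any crontab-format file passed in).
check_cron_entry() {
    c="${1:-/etc/crontab}"
    grep -Eq '^[^#]*[[:space:]]root[[:space:]].*certbot renew' "$c" && return 0
    echo "no root certbot renew entry in $c"; return 1
}

# cron runs with a minimal PATH (assumed /usr/bin:/bin, the Debian default),
# so a bare command name in the cron line only works if it resolves there.
check_cmd_on_cron_path() {
    ( PATH=/usr/bin:/bin; command -v "${1:-certbot}" >/dev/null 2>&1 )
}

# Run all checks when executed directly as root: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_aws_config || rc=1
    check_cron_entry || rc=1
    check_cmd_on_cron_path certbot || { echo "certbot not on cron PATH; symlink /opt/certbot/bin/certbot into /usr/bin"; rc=1; }
    exit "$rc"
fi
```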

tjen@homeserver:~$ sudo openssl dhparam -out /etc/letsencrypt/live/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime


done: https://ultimatehomeserver.com/docs/getting-started/ssl