# Obtain the certificate with the Apache plugin, which also edits the vhost config.
certbot --apache
# Make the private keys group-readable for every domain under live/.
# NOTE(review): the key is read as root by Apache at startup, so 0640 is only
# needed if a non-root group must read it — confirm which service needs this,
# and see the sendmail note on group-readable key files.
chmod 640 /etc/letsencrypt/live/*/privkey.pem
in /etc/apache2/sites-enabled/$sitenamefqdn-ssl.conf:
# TLS vhost for the site; certificate paths point at the certbot-managed live/ directory.
# HSTS for one year; "always" sets it on every response class, including errors.
# No includeSubDomains/preload here, so it applies to this host only.
Header always set Strict-Transport-Security "max-age=31536000"
ServerAdmin njh@bandsman.co.uk
ServerName www.$sitenamefqdn
ServerAlias $sitenamefqdn
# Per-connection TLS details (client cert DN, protocol, cipher) logged with the request.
# NOTE(review): there is no separator between %{SSL_CLIENT_S_DN}x and %{SSL_PROTOCOL}x,
# so those two fields run together in ssl_access.log — confirm that is intended.
CustomLog ${APACHE_LOG_DIR}/ssl_access.log "%t %h %{SSL_CLIENT_S_DN}x%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %{User-agent}i"
# fullchain.pem is served as the certificate file; privkey.pem is the matching key.
SSLCertificateFile /etc/letsencrypt/live/$sitenamefqdn/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/$sitenamefqdn/privkey.pem
in /etc/mail/sendmail.mc:
dnl System CA bundle directory and the certbot live/ directory for this site.
define(`SSL_DIR',`/etc/ssl')dnl
define(`CERT_DIR',`/etc/letsencrypt/live/$sitenamefqdn')dnl
dnl CA store used to verify peers; confCACERT is the Let's Encrypt chain file.
define(`confCACERT_PATH', SSL_DIR`/certs')dnl
define(`confCACERT', CERT_DIR`/fullchain.pem')dnl
dnl Same leaf certificate and key used for both server (inbound) and client (outbound) TLS.
dnl NOTE(review): sendmail refuses a group-readable key file unless DontBlameSendmail
dnl includes GroupReadableKeyFile — confirm after the chmod 640 applied above.
define(`confSERVER_CERT', CERT_DIR`/cert.pem')dnl
define(`confSERVER_KEY', CERT_DIR`/privkey.pem')dnl
define(`confCLIENT_CERT', CERT_DIR`/cert.pem')dnl
define(`confCLIENT_KEY', CERT_DIR`/privkey.pem')dnl
dnl NOTE(review): this CRL is cacert.org's, unrelated to the Let's Encrypt certificates
dnl above; confirm it is still wanted and that something keeps the file current.
define(`confCRL',SSL_DIR`/crl/cacert.org.revoke.crl')dnl
in /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/$sitenamefqdn/fullchain.pem
ssl_key = </etc/letsencrypt/live/$sitenamefqdn/privkey.pem
Add this to puppet:
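# Certificate renewal cron for certbot.
# `certbot renew` only replaces certificates that are inside their renewal window
# (by default the last 30 days of a 90-day certificate), so it is meant to run
# often and be a no-op most of the time. A quarterly run (every ~91 days) can fall
# outside the window and let the certificate expire, so this runs twice a day.
# The previous `month => 1,4,7,10` was also not valid Puppet; a list must be an array.
# NOTE(review): the apache plugin presumably reloads Apache on renewal, but sendmail
# and dovecot keep the old certificate loaded — add a --deploy-hook (or a separate
# reload step) for those services; confirm service names on this host.
cron { 'lets encrypt renewal':
  command => '/usr/bin/certbot renew',
  user    => 'root',
  hour    => [2, 14],
  minute  => 22,
}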
