# Certificates / SSL

---

## For localhost

- See https://letsencrypt.org/docs/certificates-for-localhost/

> The simplest way to generate a private key and self-signed certificate for localhost is with this openssl command:

### Certificate generation:

```
openssl req -x509 -out ./ssl/certs/fullchain.pem -keyout ./ssl/private/privkey.pem \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```

### Customized Certificate generation:

```
#!/bin/bash
DOMAIN=local.host
CERT_OUT="./$DOMAIN.fullchain.pem"
KEY_OUT="./$DOMAIN.privkey.pem"

# -subj uses double quotes so that $DOMAIN is expanded;
# in single quotes the CN would be the literal text "$DOMAIN".
openssl req -x509 -out "$CERT_OUT" -keyout "$KEY_OUT" \
  -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=$DOMAIN" -extensions EXT -config <( \
   printf "[dn]\nCN=$DOMAIN\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:$DOMAIN\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```

---

## Production Environment

- See https://certbot.eff.org/docs/using.html#manual
- Certificates are stored at `/etc/letsencrypt/live/`.
  - Those are symlinks; the real files are stored at `/etc/letsencrypt/archive/`.
- The certificates need to be installed on both the vps-router and the destination VPS.

### Certificate generation (optional `--dry-run`):

```
#!/bin/bash
DOMAIN=panzera.pro
EMAIL=s.panzera@gmail.com

# The wildcard name is quoted so the shell does not glob-expand "*".
# Drop --dry-run to request real certificates.
docker run --rm -it --name certbot \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  certbot/certbot \
  certonly \
  --manual \
  --preferred-challenges dns \
  -d "$DOMAIN" \
  -d "*.$DOMAIN" \
  -m "$EMAIL" --agree-tos --no-eff-email \
  --dry-run
```

---
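
A check for the key/certificate pairs generated in the localhost section, added here as an example and not part of the original notes: it confirms the SAN and serverAuth EKU set by the `[EXT]` block, that the key matches the certificate, and that the unencrypted (`-nodes`) key is not accessible to group or others. The function names `check_cert` and `make_pair` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. check_cert and make_pair are
# hypothetical helper names; only standard openssl subcommands are used.

# check_cert CERT KEY DOMAIN -> returns 0 only if every check passes.
check_cert() {
  cert=$1; key=$2; domain=$3
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
    || { echo "cannot parse $cert"; return 1; }

  # 1. SAN must list the domain exactly (modern clients match on SAN, not CN).
  printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$domain" \
    || { echo "SAN does not contain DNS:$domain"; return 1; }

  # 2. extendedKeyUsage=serverAuth is shown by openssl under this name.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "serverAuth EKU missing"; return 1; }

  # 3. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
    || { echo "key does not match certificate"; return 1; }

  # 4. -nodes leaves the key unencrypted, so group/other must have no access.
  #    -L follows symlinks such as those under /etc/letsencrypt/live/.
  [ "$(ls -lLd "$key" | cut -c5-10)" = "------" ] \
    || { echo "private key is accessible to group/others"; return 1; }

  # 5. The certificate must not be expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  echo "ok: $cert is valid for $domain"
}

# Constructed sample input: a throwaway pair made with the same options as
# above (config written to a file instead of <( ) so it runs under plain sh).
make_pair() {  # make_pair DIR DOMAIN
  printf '[dn]\nCN=%s\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
    "$2" "$2" > "$1/req.cnf"
  openssl req -x509 -out "$1/cert.pem" -keyout "$1/key.pem" -newkey rsa:2048 \
    -nodes -sha256 -subj "/CN=$2" -extensions EXT -config "$1/req.cnf" 2>/dev/null
  chmod 600 "$1/key.pem"
}

tmp=$(mktemp -d) && make_pair "$tmp" localhost \
  && check_cert "$tmp/cert.pem" "$tmp/key.pem" localhost
rm -rf "$tmp"
```

The same function can be pointed at the certificate and key files under `/etc/letsencrypt/live/` after a production run.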