
Using Certbot with TomatenHTTP

Install Certbot

See the instructions on the Certbot website. Select Software: Other and your target System. Follow only the instructions needed to get the certbot command running (steps 1 to 5); before actually using it, come back here.

State-of-the-Art, automatic way to obtain your certificate

Assuming your TomatenHTTP server is located at /root/http/.

Initial

  • cd /root/http
  • Stop the TomatenHTTP server.
  • tomatenpack install TomatenHTTP-CertbotWebroot
  • Start the TomatenHTTP server.
  • Run certbot certonly --webroot and follow the interactive instructions to obtain your certificate. Provide /root/http/certbotwebroot as the server's webroot folder.

You now have an initial certificate; see Certificate installation below for how to configure your TomatenHTTP server to use it.

Renewal

With this method, renewal is automatic.

Certbot automatically renews the certificate every 2 months. The certificates are valid for 3 months.

Certbot places files inside <http>/certbotwebroot/.well-known/acme-challenge which TomatenHTTP will then serve under */.well-known/acme-challenge to complete the challenge and obtain a new certificate without any user interaction.

Classic, manual way to obtain your certificate

Initial

  • If running on port 80, stop the TomatenHTTP server or at least close port 80 temporarily.
  • Run certbot certonly --standalone and follow the interactive instructions to obtain your certificate.

You now have an initial certificate; see Certificate installation below for how to put it into your TomatenHTTP server.

Renewal

Renewal is necessary every 2 to 3 months.

  • If running on port 80, stop the TomatenHTTP server or at least close port 80 temporarily.
  • Run certbot renew.

Certificate installation

Once certbot has obtained your certificate, it is located in /etc/letsencrypt/live/<primary-domain>/. If you only have one certificate (which may cover multiple domains), there is only one folder in /etc/letsencrypt/live/.

Since TomatenHTTP 10.0, you can directly use the certificates from /etc/letsencrypt/live/<primary-domain>/ without manual conversion, and TomatenHTTP automatically reloads them when they change (i.e. when they are renewed). This is implemented with calls to openssl, so openssl must be installed for this to work.

Open ports and the certificates they use are now configured in config/server.toml. To use your certificates, include something like this in the config:

[[ports]]
port = 443
secure.keystore.pemdirectory = ["/etc/letsencrypt/live/<primary-domain>/", "/etc/letsencrypt/live/<another-domain>/"]

If your TomatenHTTP server does not have permission to read these files, you need to make them readable to it, e.g. by adding a post-renewal hook in /etc/letsencrypt/renewal-hooks/post/ that copies the certificate and key somewhere TomatenHTTP can access them.
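A post-renewal hook of the kind described above, as an added example that is neither TomatenHTTP's nor certbot's own code. It assumes (both assumptions, not from this page) that TomatenHTTP runs as a service user named tomatenhttp and that the copies live in /root/http/certs; it copies every lineage's fullchain.pem and privkey.pem and leaves the private key readable only by that user rather than loosening permissions on /etc/letsencrypt itself.

```shell
#!/bin/sh
# Certbot post-renewal hook (added example, not TomatenHTTP's own code).
# Copies fullchain.pem and privkey.pem of every lineage under certbot's
# live directory to a directory the TomatenHTTP service user can read.
# ASSUMPTIONS: service user "tomatenhttp" and destination /root/http/certs;
# both can be overridden through the environment.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DEST_DIR="${DEST_DIR:-/root/http/certs}"
OWNER="${OWNER:-tomatenhttp}"

# copy_lineage <lineage-dir> <dest-dir> <owner>
# Returns 1 (and copies nothing) if the lineage lacks either file.
copy_lineage() {
    src="$1"; dst="$2/$(basename "$1")"; owner="$3"
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
    mkdir -p "$dst"
    # -L dereferences the symlinks that live/ keeps into archive/.
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem"
    cp -L "$src/privkey.pem" "$dst/privkey.pem"
    # The certificate chain is public; the private key must stay private.
    chmod 644 "$dst/fullchain.pem"
    chmod 600 "$dst/privkey.pem"
    # chown needs root (certbot runs hooks as root); ignore failure elsewhere.
    chown "$owner" "$dst/fullchain.pem" "$dst/privkey.pem" 2>/dev/null || true
}

# copy_all <live-dir> <dest-dir> <owner>: prints how many lineages were copied.
copy_all() {
    count=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        if copy_lineage "${d%/}" "$2" "$3"; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Run only where certbot's live directory exists, so the file can also be
# sourced for testing without touching the system.
if [ -d "$LIVE_DIR" ]; then
    copy_all "$LIVE_DIR" "$DEST_DIR" "$OWNER" >/dev/null
fi
```

Save it as an executable file in /etc/letsencrypt/renewal-hooks/post/ and point secure.keystore.pemdirectory at the copied directories, which keep certbot's file names, instead of at /etc/letsencrypt/live/.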