LetsEncrypt
===========

Installation
------------

Was already installed by Hugh

Storage & Configs
-----------------

``/etc/letsencrypt/``

Operation
---------

Run ``certbot`` as ``root`` via ``sudo``.

To list current certificates, expiry, and (sub)domains covered, run
``sudo certbot certificates``

To verify current setup, run ``sudo certbot renew --dry-run --run-deploy-hooks``

Obtain new certificate
~~~~~~~~~~~~~~~~~~~~~~

``certbot`` is configured (via ``/etc/letsencrypt/cli.ini``) to use **webroot** as the
default authenticator, with ``/opt/homebrew/var/www/`` as the webroot path.

This path is also served by nginx via ``catch-all.conf`` virtual host, if/when enabled.

To obtain certificate for a new domain,

``sudo certbot certonly -d example.com -d www.example.com -d another.example.com``

Once certificate is created, modify nginx configs as appropriate and restart (see :doc:`nginx`).

Post-update script
~~~~~~~~~~~~~~~~~~

Some domains need special tweaks to be performed when certificates are updated.

See ``/etc/letsencrypt/renewal-hooks/deploy/update-permissions.sh``