LetsEncrypt

Installation

Was already installed by Hugh

Storage & Configs

/etc/letsencrypt/

Operation

Run certbot as root via sudo.

To list current certificates, their expiry dates, and the (sub)domains they cover, run:

sudo certbot certificates

To verify the current setup, including the deploy hooks, run:

sudo certbot renew --dry-run --run-deploy-hooks

Obtain new certificate

certbot is configured (via /etc/letsencrypt/cli.ini) to use webroot as the default authenticator, with /opt/homebrew/var/www/ as the webroot path.

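This path is also served by nginx via the catch-all.conf virtual host, if/when enabled. The webroot authenticator depends on this: it writes the challenge files under the webroot path, and Let's Encrypt fetches them over HTTP.

To obtain a certificate for a new domain, run: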

sudo certbot certonly -d example.com -d www.example.com -d another.example.com

Once the certificate is created, modify the nginx configs as appropriate and restart nginx (see Nginx).

Post-update script

Some domains need special tweaks to be performed when certificates are updated.

See /etc/letsencrypt/renewal-hooks/deploy/update-permissions.sh
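
An added example of a deploy hook of this kind, not the contents of update-permissions.sh: it relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot passes to deploy hooks. The domain-to-group list, the group names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example deploy hook; NOT the real update-permissions.sh.
# certbot exports to deploy hooks:
#   RENEWED_LINEAGE  path of the renewed live/<name> directory
#   RENEWED_DOMAINS  space-separated names on the renewed certificate

# Hypothetical policy: "domain:group" pairs, space-separated. Only these
# domains get a group-readable private key; everything else stays untouched.
KEY_READERS="mail.example.com:mail another.example.com:_www"

# Print the group configured for domain $1; return 1 if there is none.
group_for_domain() {
    for entry in $KEY_READERS; do
        case "$entry" in
            "$1":*) printf '%s\n' "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

# share_key <lineage-dir> <group>: let one group read the key (mode 0640).
# "other" never gets access. The directories leading to the key must also
# allow traversal by that group for the access to be usable.
share_key() {
    key="$1/privkey.pem"
    [ -f "$key" ] || { echo "no key at $key" >&2; return 1; }
    chgrp "$2" "$key" && chmod 0640 "$key"
}

# run_hook <lineage-dir> <domain>...: apply the policy to renewed domains.
run_hook() {
    lineage="$1"; shift
    for d in "$@"; do
        if grp=$(group_for_domain "$d"); then
            share_key "$lineage" "$grp" || return 1
            echo "$lineage/privkey.pem is now readable by group $grp"
        fi
    done
}

# Act only when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Unquoted on purpose: RENEWED_DOMAINS is a space-separated list.
    run_hook "$RENEWED_LINEAGE" $RENEWED_DOMAINS
fi
```

Running sudo certbot renew --dry-run --run-deploy-hooks exercises a hook like this without issuing a real certificate.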