====== Certificates ======
Nearly everything here uses [[https://github.com/acmesh-official/acme.sh|ACME.sh]] to obtain auto-renewing certificates from Let's Encrypt, with Cloudflare domain verification.
[[https://CRT.sh|CRT.sh]] is a good resource for viewing certificates issued for a domain.
----
===== Deploying a Cert with ACME.sh =====
==== Cloudflare DNS verification ====
1. Set environment variables
<code bash>
export CF_Token="pybhqsynervfirelpbby"
export CF_Account_ID="pybhqsynervfirelpbby"
export CF_Zone_ID="pybhqsynervfirelpbby"
</code>
2. Generate cert
<code bash>
acme.sh --issue --dns dns_cf -d example.com
</code>
==== Webroot Verification ====
<code bash>
acme.sh --issue -d example.com -w /var/www/example.com/
</code>
==== ACME.sh Deployment ====
<code bash>
export DOMAIN=example.com
# 1. Create Certificate Path
mkdir -p /etc/nginx/acme.sh/${DOMAIN}/
# 2. Tell acme.sh about it
acme.sh --install-cert -d ${DOMAIN} \
  --cert-file /etc/nginx/acme.sh/${DOMAIN}/cert \
  --key-file /etc/nginx/acme.sh/${DOMAIN}/key \
  --fullchain-file /etc/nginx/acme.sh/${DOMAIN}/fullchain \
  --reloadcmd "systemctl reload nginx.service"
</code>
Then in NGINX config...
<code>
ssl_certificate /etc/nginx/acme.sh/example.com/fullchain;
ssl_certificate_key /etc/nginx/acme.sh/example.com/key;
</code>
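
A post-deployment check for the files installed above, as an added example that is not part of this page's original procedure or of acme.sh. The helper name ''check_deployed_cert'', the ''CERT_ROOT'' variable and the 14-day threshold are assumptions; it expects the ''openssl'' CLI to be installed.

```shell
#!/usr/bin/env bash
# Added example, not part of acme.sh. check_deployed_cert is a hypothetical helper.
# CERT_ROOT defaults to the install path used on this page.
CERT_ROOT="${CERT_ROOT:-/etc/nginx/acme.sh}"

# Usage: check_deployed_cert <domain> [min_days_left]   (min_days_left defaults to 14)
check_deployed_cert() {
  local dir="$CERT_ROOT/$1" min_days="${2:-14}" rc=0 f mode leaf_pub key_pub
  for f in cert key fullchain; do
    [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f is missing or empty"; return 1; }
  done

  # The private key should carry no group/other permission bits (600 or 400).
  mode=$(stat -c '%a' "$dir/key" 2>/dev/null || stat -f '%Lp' "$dir/key")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $dir/key has mode $mode"; rc=1 ;;
  esac

  # nginx loads fullchain + key, so the first cert in fullchain must match the key.
  leaf_pub=$(openssl x509 -in "$dir/fullchain" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot parse $dir/fullchain"; return 1; }
  key_pub=$(openssl pkey -in "$dir/key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot parse $dir/key"; return 1; }
  [ "$leaf_pub" = "$key_pub" ] || { echo "FAIL: key does not match fullchain"; rc=1; }

  # A certificate this close to expiry suggests auto-renewal is not working.
  openssl x509 -in "$dir/fullchain" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: $1"
  return "$rc"
}

# Run directly with arguments, e.g.: ./check_cert.sh example.com 14
if [ "$#" -gt 0 ]; then check_deployed_cert "$@"; fi
```

The function returns non-zero on any failed check, so it can be used in a cron job or monitoring probe that alerts on failure.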