{{tag>ssl letsencrypt}}

====== Setup certificate on servers without root access ======

This is done on your local computer or another server.

[[wiki:certbot_installation|Install certbot via manual method]]

===== Get certs locally then copy them on server =====

<code>
user@host:/tmp$ certbot-auto certonly --manual --preferred-challenges http -d www.example.org -d example.org
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for example.org

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Create a file containing just this data:

9FJ7fcvUnLcOiiS6YRGOJYEG9N7T8th0nRt6PXuXew0.S-aYTCKC5avf_-CQ-YfiKcZHP8ULQQhACYtAQLw_5FY

And make it available on your web server at this URL:

http://www.example.org/.well-known/acme-challenge/9FJ7fcvUnLcOiiS6YRGOJYEG9N7T8th0nRt6PXuXew0

-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Create a file containing just this data:

hBKwxrxzV-ZJUC7Ah5iDiifsMy5vOZUlrugDv7gtS5s.S-aYTCKC5avf_-CQ-YfiKcZHP8ULQQhACYtAQLw_5FY

And make it available on your web server at this URL:

http://example.org/.well-known/acme-challenge/hBKwxrxzV-ZJUC7Ah5iDiifsMy5vOZUlrugDv7gtS5s

-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.org/privkey.pem
   Your cert will expire on 2018-07-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:
</code>

The URLs above need to be accessible via a web browser, otherwise the challenge will fail.

Then ///etc/letsencrypt/live/www.example.org/fullchain.pem// and ///etc/letsencrypt/live/www.example.org/privkey.pem// can be copied via the provider's web interface.

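
A pre-flight check to run from the local machine before pressing Enter at each "Press Enter to Continue" prompt, so a missing or wrong challenge file is caught before the CA tries to validate it. This is an added example, not part of certbot or of the original page; the function names and return codes are this example's own. The comparison is deliberately exact, apart from the trailing newlines that the shell drops.

```shell
#!/bin/sh
# Added example: pre-flight check for a certbot --manual http-01 challenge.
# Function names and return codes are this example's own, not certbot's.

# Fetch a URL body; fail on HTTP errors (-f) and follow redirects (-L).
fetch_url() {
    curl -fsSL --max-time 10 "$1"
}

# check_challenge DOMAIN TOKEN KEY_AUTHORIZATION
#   TOKEN             = the file name certbot prints at the end of the URL
#   KEY_AUTHORIZATION = the "file containing just this data" line
# Returns 0 when the served file matches, 2/3/4 on the failures below.
check_challenge() {
    domain=$1 token=$2 keyauth=$3
    url="http://${domain}/.well-known/acme-challenge/${token}"

    # The data is "<token>.<account key thumbprint>", so it must start
    # with the file name followed by a dot. Catches swapped files when
    # several domains are validated in one run.
    case $keyauth in
        "${token}."?*) ;;
        *) echo "FAIL: data does not start with '${token}.'" >&2; return 2 ;;
    esac

    if ! body=$(fetch_url "$url"); then
        echo "FAIL: $url is not reachable" >&2
        return 3
    fi

    # $(...) has already dropped trailing newlines; everything else must match.
    if [ "$body" != "$keyauth" ]; then
        echo "FAIL: $url serves different content (error page, wrong file?)" >&2
        return 4
    fi
    echo "OK: $url"
}

# Run directly: ./check_challenge.sh DOMAIN TOKEN KEY_AUTHORIZATION
if [ "$#" -eq 3 ]; then
    check_challenge "$@"
fi
```
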
====== Tested on ======

  * Xubuntu 18.04
  * Xubuntu 20.04.1

====== See also ======

  * [[wiki:proxying_dns_name_local_service|Proxying DNS name to local service]]
  * [[wiki:openssl_commands|Openssl commands]]

====== References ======

  * https://certbot.eff.org/docs/using.html#manual