This guide is for generating Let's Encrypt certificates from your laptop
This blog post explains why they're issued this way.
curl https://get.acme.sh | sh -s email=contact@example.com --force
The --force is needed on Arch because the installation script aborts when it doesn't find a cron daemon. Note that this pipes a remote script straight into sh; if that matters to you, download it first and read it before running it.
CAA records restrict which CAs may issue certificates for the zone. Add a CAA record in Cloudflare's DNS panel for the apex (@):
example.com. CAA 0 issue "letsencrypt.org"
I'm not sure why Cloudflare doesn't allow setting Flag 128 (the "issuer critical" flag) as recommended by: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
You can check what is actually published with dig +short CAA example.com, which should print 0 issue "letsencrypt.org".
Go to Cloudflare's API Tokens and click Create Custom Token:
Token name: acme
Permissions: Zone | Zone | Read, and Zone | DNS | Edit
Zone Resources: Include | Specific Zone | example.com
Click Continue to summary, then create the token.
Copy the token (it's not visible afterwards) and paste it below.
TOKEN=EYj9ESiadttN4j4KzUBKllCss3xVhqSP_ipa405M
$REPO/Infrastructure/tls/./create-tls-certs $TOKEN
Repeat for each production server.
Go to Cloudflare's API Tokens.
Make sure acme.sh deleted all the TXT records (_acme-challenge.example.com) it temporarily created.
There are a few ways in which Let's Encrypt validates that you control a domain (the ACME challenge types). We use DNS-01, which is only about adding TXT records under _acme-challenge.<domain>; acme.sh creates them through the Cloudflare API and takes care of deleting them once the certificate is issued.
We don't use HTTP-01, the one that requires a web server: it serves a challenge file and has to answer on port 80. Plus, for security, I don't want acme.sh modifying our nginx.conf, or even being on the server.
This is not fully automated (e.g. in cron) because it seems insecure to let acme.sh run as root and mess with Nginx. Let's Encrypt certificates are valid for 90 days, so the procedure above has to be repeated before they expire.
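The page does not show the repo's create-tls-certs script, so here is an added stand-in (not the project's own code) that wires the steps above together with acme.sh's dns_cf hook: it sanity-checks the scoped token, looks at the CAA record, issues via DNS-01 with the token passed only through the environment of the acme.sh call, copies the key and chain out of ~/.acme.sh, and then checks that no _acme-challenge TXT records were left behind. DOMAIN, OUT_DIR, the acme.sh path, the ec-256 key type and the assumption that a Cloudflare API token is 40 characters of [A-Za-z0-9_-] are all illustrative choices, not facts from the page.

```shell
#!/bin/sh
# Added example, not the repository's own create-tls-certs: a stand-in built
# around acme.sh's dns_cf hook (DNS-01 through the Cloudflare API).
# Assumptions: DOMAIN, OUT_DIR, ACME, the ec-256 key type, and that a Cloudflare
# API token is exactly 40 characters of [A-Za-z0-9_-].
set -eu

DOMAIN="${DOMAIN:-example.com}"                      # assumed zone
OUT_DIR="${OUT_DIR:-${HOME:-/tmp}/tls/$DOMAIN}"      # assumed output location
ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"      # acme.sh's default install path

# Reject anything that does not look like a Cloudflare API token before it is
# handed to acme.sh (assumed format: 40 chars of [A-Za-z0-9_-]).
valid_cf_token() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Pass the output of `dig +short CAA $DOMAIN`; succeeds only if a CAA record
# permits letsencrypt.org to issue. Any flag value (0 or 128) is accepted.
# This confirms Let's Encrypt is allowed, not that it is the only CA listed.
caa_allows_letsencrypt() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ issue "letsencrypt\.org"$'
}

# Pass the output of `dig +short TXT _acme-challenge.$DOMAIN`; succeeds only if
# no validation records are left. acme.sh removes them after issuance, so a
# leftover means cleanup failed (or the token lacked Zone:DNS:Edit).
no_leftover_challenge() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

issue_cert() {
    token="$1"
    valid_cf_token "$token" || {
        echo "refusing: value does not look like a Cloudflare API token" >&2
        return 1
    }
    caa_allows_letsencrypt "$(dig +short CAA "$DOMAIN")" ||
        echo "warning: no CAA record allowing letsencrypt.org found on $DOMAIN" >&2
    mkdir -p "$OUT_DIR"

    # The scoped token reaches acme.sh only through this call's environment; the
    # dns_cf hook reads CF_Token and resolves the zone ID itself, which is why
    # the token needs Zone:Read as well as DNS:Edit.
    CF_Token="$token" "$ACME" --issue --dns dns_cf -d "$DOMAIN" --keylength ec-256

    # Copy the key and chain out of ~/.acme.sh; --ecc selects the ec-256 cert.
    "$ACME" --install-cert -d "$DOMAIN" --ecc \
        --key-file       "$OUT_DIR/privkey.pem" \
        --fullchain-file "$OUT_DIR/fullchain.pem"
    chmod 600 "$OUT_DIR/privkey.pem"

    no_leftover_challenge "$(dig +short TXT "_acme-challenge.$DOMAIN")" || {
        echo "warning: _acme-challenge.$DOMAIN still has TXT records; delete them in Cloudflare" >&2
        return 1
    }
    echo "certificate for $DOMAIN written to $OUT_DIR"
}

# Usage: TOKEN=<token> ./create-tls-certs.sh issue
# The token is read from the environment rather than argv so it does not show
# up in `ps` or in shell history alongside the script name.
if [ "${1:-}" = "issue" ]; then
    issue_cert "${TOKEN:?set TOKEN to the scoped Cloudflare API token}"
fi
```

The three check functions take the dig output as an argument instead of calling dig themselves, so they can be exercised offline with constructed strings; only issue_cert touches the network and the Cloudflare API.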