Add Let's Encrypt section (#335)

* Add Let's Encrypt section with a short guide to certificate tool installation, certificate generation and automated renewal.

* Use systemctl instead of service in LE section
This is for consistency reasons.
Sadiq Saif 6 years ago
commit cc3b0e393d
1 changed file with 53 additions and 0 deletions

Running-Mastodon/Production-guide.md (+53 -0)

@@ -335,6 +335,59 @@ WantedBy=multi-user.target
 
 This allows you to `sudo systemctl enable /etc/systemd/system/mastodon-*.service` and `sudo systemctl start mastodon-web.service mastodon-sidekiq.service mastodon-streaming.service` to get things going.
 
+## Let's Encrypt
+
+This section is only relevant if you are using [Let's Encrypt](https://letsencrypt.org/)
+as your TLS certificate provider.
+
+Other assumptions - Ubuntu 16.04, letsencrypt tool installed from distro repositories.
+
+### Installation of tool
+
+This is how you install the `letsencrypt` package:
+
+`sudo apt -y install letsencrypt`
+
+### Generation of certificate
+
+This is the command you should use to generate a Let's Encrypt certificate.
+Make sure to replace any instances of 'example.com' with your Mastodon instance's domain.
+
+Additional note: This command will require that nginx or another web server is correctly
+configured with your Mastodon instance's domain.
+
+`letsencrypt certonly --webroot -d example.com -w /home/mastodon/live/public/`
+
+### Automated renewal of Let's Encrypt certificate
+
+Let's Encrypt certificates have a validity period of 90 days.
+
+You need to renew your certificate before the expiration date. Failure to do so will
+result in your users being unable to access your instance and other instances being unable 
+to federate with yours.
+
+We can do this with a cron job that runs daily:
+
+`nano /etc/cron.daily/letsencrypt-renew`
+
+Copy and paste this script into that file:
+
+```
+#!/usr/bin/env bash
+letsencrypt renew
+systemctl reload nginx
+```
+
+Save and exit the file.
+
+Make the script executable and restart the cron daemon so that the script runs daily:
+```
+chmod +x /etc/cron.daily/letsencrypt-renew
+systemctl restart cron
+```
+
+That is it. Your server will now automatically renew your Let's Encrypt certificate(s).
+
 ## Things to look out for when upgrading Mastodon
 
 If you want a stable release for production use, you should use tagged releases. To checkout the latest available tagged version:
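Review bot: the renewal script written to `/etc/cron.daily/letsencrypt-renew` reloads nginx regardless of whether `letsencrypt renew` succeeded, so a failing renewal is masked by a successful reload and the operator only notices when the certificate expires; add `set -e` after the shebang, or chain the two commands as `letsencrypt renew && systemctl reload nginx`, so cron reports the non-zero exit. Two smaller points in the same hunk: `letsencrypt certonly ...`, `nano /etc/cron.daily/...` and `chmod +x ...` all need root (only the `apt install` step shows `sudo`), and the `systemctl restart cron` step is unnecessary because run-parts picks up new files in `/etc/cron.daily` on its next daily run.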