Here's an example for the fictional domain r2d2.replicant.us
To add this domain, we first need to have the domain resolvable through the DNS system.
For that you need to first add the domain in the /etc/bind/db.replicant.us configuration file and increment the serial.
To add the example r2d2.replicant.us domain, we add this line:
r2d2 3M IN A 220.127.116.11
Then we increment the serial by at least one. Here the current serial is 1000000007:
; replicant.us
@ 1D IN SOA replicant.us. gnutoo.no-log.org. (
    1000000007 ; serial
    3H ; refresh
    1H ; retry
    24D ; expiry
    3H ) ; minimum ttl
So we make it become 1000000008:
; replicant.us
@ 1D IN SOA replicant.us. gnutoo.no-log.org. (
    1000000008 ; serial
    3H ; refresh
    1H ; retry
    24D ; expiry
    3H ) ; minimum ttl
Then we need to make bind9 take the changes into account. We can use the following command for that:
systemctl reload bind9
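The two zone-file edits above (appending the A record and bumping the SOA serial) are easy to get half right by hand; a forgotten serial bump is the classic reason a reloaded zone is never picked up by secondaries. The following helper functions are an added example written for this page, not part of the Replicant wiki or of bind9. They assume a zone file laid out like the one shown above, with the serial on its own line followed by a "; serial" comment, and the file path is whatever copy you pass in (work on a scratch copy, not on the live /etc/bind/db.replicant.us).

```shell
#!/bin/sh
# Added example (not from the original page): helpers for a bind zone file
# laid out like the one above. Assumed layout: the SOA serial sits on its own
# line, followed by a "; serial" comment.

# Append "NAME TTL IN A IP" after checking IP is a dotted quad and that no
# record for NAME is already present (a silent duplicate is a typical mistake).
add_a_record() {  # usage: add_a_record ZONEFILE NAME TTL IPV4
    zone=$1; name=$2; ttl=$3; ip=$4
    echo "$ip" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}' || {
        echo "invalid IPv4 address: $ip" >&2; return 1; }
    if grep -Eq "^$name[[:space:]]" "$zone"; then
        echo "record for $name already present in $zone" >&2; return 1
    fi
    printf '%s %s IN A %s\n' "$name" "$ttl" "$ip" >> "$zone"
}

# Read back the current serial (to confirm the bump before reloading bind9).
current_serial() { awk '/; *serial/ {print $1; exit}' "$1"; }

# Increment the SOA serial by one (wrapping at 2^32, as RFC 1982 serial
# arithmetic requires) and print the new value. Only the serial line changes.
bump_serial() {  # usage: bump_serial ZONEFILE
    zone=$1
    old=$(current_serial "$zone")
    case $old in ''|*[!0-9]*) echo "no serial line found in $zone" >&2; return 1;; esac
    new=$(( (old + 1) % 4294967296 ))
    awk -v o="$old" -v n="$new" '!done && /; *serial/ && $1==o {sub(o, n); done=1} {print}' \
        "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Optional stand-alone run on a scratch copy of the zone file:
#   sh zone-helpers.sh /tmp/db.replicant.us.copy
if [ -n "${1:-}" ]; then
    add_a_record "$1" r2d2 3M 220.127.116.11 && bump_serial "$1"
fi
```

After the bump, compare the value printed by bump_serial with what the zone answers over DNS once bind9 has been reloaded; a mismatch means the reload did not take.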
As we need to protect people's privacy and security, we often need a TLS certificate associated with every new domain.
We first need a web server able to serve files at that domain so that the letsencrypt validation works.
To do that you can either add the new domain in /etc/apache2/sites-enabled/letsencrypt.conf, or in another configuration file in the same directory.
Here are the configuration directives for r2d2.replicant.us; you'll need to adapt them for a different domain:
<VirtualHost *:80>
    ServerName r2d2.replicant.us
    DocumentRoot /var/www/letsencrypt/r2d2.replicant.us/
</VirtualHost>
You can paste that in any file in /etc/apache2/sites-enabled/:
- You can add it to /etc/apache2/sites-enabled/letsencrypt.conf if you plan to keep using it afterwards so that letsencrypt can renew the certificates automatically. This is typically useful if you don't need a web server at that domain, which can be the case if you only intend to host a mail server there for instance.
- You can add it in a temporary file like /etc/apache2/sites-enabled/r2d2.conf if you will replace it with another configuration later on.
- Or you can add it to any existing or new file in /etc/apache2/sites-enabled/, depending on your needs.
Then you need to make apache2 take this into account. You can do it with the following command:
root@replicantserver0:~# systemctl reload apache2
You can check if apache2 is still running fine with the following command:
root@replicantserver0:~# pidof apache2
10465 10456 10421 230
At this point it would be a good idea to verify that everything works well before proceeding, as there is a limited number of (failed) attempts with letsencrypt. When the limit is reached you have to wait before being able to retry, which can be time consuming.
To check if everything is fine, it would be a good idea to:
- make sure that you can ping the domain
- make sure that apache responds, a "Forbidden" web page is good enough for that
It's then a good time to finally get a certificate. You can use the 'certbot certonly --webroot' command to do that.
Here's an example of usage for the r2d2.replicant.us domain:
root@replicantserver0:~# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): r2d2.replicant.us
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for r2d2.replicant.us
Input the webroot for r2d2.replicant.us: (Enter 'c' to cancel): /var/www/letsencrypt/r2d2.replicant.us/
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/r2d2.replicant.us/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/r2d2.replicant.us/privkey.pem
   Your cert will expire on 2020-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Finally don't forget to change the apache configuration again if the changes you made were only meant to be temporary.