Vesta Control Panel - Forum


Letsencrypt automatic script

lordcris
Posts: 6
Joined: Sat Nov 07, 2015 12:06 pm

Letsencrypt automatic script

Post by lordcris » Mon Dec 14, 2015 11:21 pm

Hello,
I've written a simple script to install and renew letsencrypt certificates.
I'm assuming you are using nginx as a proxy or web server. The script will try and generate a certificate for every domain of every user.
Here is how to use it.

1) Install git

2) Clone the letsencrypt repository (I'm assuming you will be working as root in your /root directory):

Code:

user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt
user@webserver:~$ cd letsencrypt

3) Create a /etc/letsencrypt directory and save a file in it called webroot.ini (just fill in your correct email address)

Code:

# webroot.ini general config ini
rsa-key-size = 4096
email = [email protected]
text = True
agree-tos = True
#agree-dev-preview = 1
renew-by-default = True
authenticator = webroot
webroot-path = /etc/letsencrypt

4) Edit the templates you are using, located in /usr/local/vesta/data/templates/web/nginx
(the default ones are default.tpl and default.stpl)

and add

Code:

    location /.well-known/acme-challenge {
        alias /etc/letsencrypt/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type text/plain;
        }
    }
in the server section. Then reload your nginx configuration.

5) Create a script with the following content

Code:

#!/bin/bash
# Creates or renews (if older than 60 days) certificates for all domains

MAXAGE=$((60*24*60*60)) # seconds in 60 days
cd /root/letsencrypt || exit 1 # letsencrypt-auto is run from the cloned repository

for u in $(v-list-users | cut -f1 -d' ' | tail -n+3)
do
  for f in $(v-list-dns-domains "$u" | cut -f1 -d' ' | tail -n+3)
  do
    # Request a certificate if none exists yet, or if the live directory
    # was last modified at least MAXAGE seconds ago
    if [ ! -d "/etc/letsencrypt/live/$f" ] || [ ! $(($(date +%s) - $(stat -c '%Y' "/etc/letsencrypt/live/$f"))) -lt "$MAXAGE" ]; then
      ./letsencrypt-auto -c /etc/letsencrypt/webroot.ini -d "$f" -d "www.$f" certonly
      # Copy the issued files (following symlinks) into the user's web config directory
      [[ -e /etc/letsencrypt/live/$f ]] && cp -Lr --remove-destination "/etc/letsencrypt/live/$f/fullchain.pem" "/home/$u/conf/web/ssl.$f.pem"
      [[ -e /etc/letsencrypt/live/$f ]] && cp -Lr --remove-destination "/etc/letsencrypt/live/$f/privkey.pem" "/home/$u/conf/web/ssl.$f.key"
      [[ -e /etc/letsencrypt/live/$f ]] && cp -Lr --remove-destination "/etc/letsencrypt/live/$f/cert.pem" "/home/$u/conf/web/ssl.$f.crt"
      [[ -e /etc/letsencrypt/live/$f ]] && cp -Lr --remove-destination "/etc/letsencrypt/live/$f/chain.pem" "/home/$u/conf/web/ssl.$f.ca"
    fi
  done
done
service nginx reload
cd "$OLDPWD"

and run it. It should obtain and install your certificates.
If you run it again it should renew the ones older than 60 days.
You can add it to your crontab and execute it twice a month.
Good luck
Last edited by lordcris on Tue Dec 22, 2015 8:12 am, edited 1 time in total.
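
The copy step of the script above, as an added example that is not part of lordcris's post: it installs the four files with explicit modes and an atomic rename, so the private key's permissions do not depend on the source file's mode and the umask. The function names `deploy_cert` and `file_mode` and the 600/644 modes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). deploy_cert and the 600/644 modes are
# assumptions for illustration; file names follow the script in the post.
#
# Plain cp creates each destination with the source's mode filtered by the
# umask, so the private key's permissions are whatever those happen to be.

# deploy_cert LIVE_DIR DEST_DIR DOMAIN
# Returns 0 on success; returns 1 without replacing anything if a source
# file is missing or empty. The body runs in a subshell to keep variables local.
deploy_cert() (
  live=$1 dest=$2 domain=$3
  # source file : destination suffix : mode
  set -- fullchain.pem:pem:644 cert.pem:crt:644 chain.pem:ca:644 privkey.pem:key:600

  # Refuse to deploy a partial set: check every source first.
  for spec in "$@"; do
    [ -s "$live/${spec%%:*}" ] || exit 1
  done

  for spec in "$@"; do
    src=${spec%%:*}; rest=${spec#*:}
    suffix=${rest%%:*}; mode=${rest#*:}
    target="$dest/ssl.$domain.$suffix"
    tmp=$(mktemp "$dest/.ssl.$domain.$suffix.XXXXXX") || exit 1
    # install(1) follows the live/ symlink and sets the mode explicitly;
    # the rename then swaps the file in atomically.
    if install -m "$mode" "$live/$src" "$tmp" && mv -f "$tmp" "$target"; then
      :
    else
      rm -f "$tmp"
      exit 1
    fi
  done
)

# file_mode FILE: print the octal permission bits (GNU stat, as in the post).
file_mode() { stat -c '%a' "$1"; }
```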

dizzy7
Posts: 1
Joined: Tue Dec 15, 2015 8:36 am

Re: Letsencrypt automatic script

Post by dizzy7 » Tue Dec 15, 2015 8:36 am

Thanks!!!

syph
Posts: 6
Joined: Tue Nov 10, 2015 6:01 am

Re: Letsencrypt automatic script

Post by syph » Tue Dec 22, 2015 1:47 am

Hi,

Following your instructions, but when running the script in step 5 I get the following

Code:

update.sh: 4: update.sh: Syntax error: redirection unexpected

I have cloned into /root/letsencrypt

and created the webroot.ini file here /etc/letsencrypt

Any help would be appreciated. I'm running Ubuntu 14.04

lordcris
Posts: 6
Joined: Sat Nov 07, 2015 12:06 pm

Re: Letsencrypt automatic script

Post by lordcris » Tue Dec 22, 2015 7:47 am

Do you have bash installed?
Try and run

Code:

bash update.sh

P.S. I've updated the script so it's compatible with other shell interpreters. Try now.

labasus
Posts: 11
Joined: Mon Nov 23, 2015 9:07 pm

Re: Letsencrypt automatic script

Post by labasus » Thu Dec 24, 2015 2:51 pm

Nice job,
anyone adapt it for apache2 - please share...

Another question: why do you modify default.tpl and default.stpl? I thought that only the public_shtml directory is for https?

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: Letsencrypt automatic script

Post by ScIT » Sun Dec 27, 2015 9:59 pm

labasus wrote: Another question: why do you modify default.tpl and default.stpl? I thought that only the public_shtml directory is for https?

You have to modify the templates for the letsencrypt client's domain authentication, so you don't have to stop your nginx server for the authentication.

You can use the public_html directory for http and https content at the same time (see web -> SSL Support -> SSL Home).

labasus wrote: Nice job,
anyone adapt it for apache2 - please share...

I am working on a complete implementation of Let's Encrypt for VestaCP:
[Image]
The SSL Certs field will be automatically greyed out if "Let's Encrypt Option" is checked. At the moment, I am creating the modification for business-internal use only. Is there any interest from the VestaCP team or anyone else in a public release?

Best Regards
Raphael

vlahonick
Posts: 50
Joined: Sat Mar 21, 2015 10:08 am

Re: Letsencrypt automatic script - Native Debian Installation

Post by vlahonick » Mon Dec 28, 2015 12:10 pm

In later stages it would be awesome if Vesta would install Let's Encrypt automatically during installation. The Debian package has already reached testing (https://packages.debian.org/testing/letsencrypt) and I imagine the CentOS/RHEL version is having a similar development. Meaning that there will be no need to clone the git repo and add all this extra unnecessary python to your server.

For those interested, you can already install Let's Encrypt from the Debian repositories safely even on a production server by following the tutorials below (I've done this on my own VPS and it works without problems/bugs):
(I guess that Ubuntu users could make it work with the same or a similar process, though I haven't personally tested the guides below on Ubuntu)

1. Set your repos to be something like this:
http://serverfault.com/questions/22414/ ... 101#382101

2. Check your pin and install
https://www.rootatwc.com/blog/article/4

vlahonick
Posts: 50
Joined: Sat Mar 21, 2015 10:08 am

Re: Letsencrypt automatic script - Suggestion about CMS use

Post by vlahonick » Mon Dec 28, 2015 12:24 pm

I would like to suggest adding a "fix" to this automatic script so that users are able to use it with Drupal or other CMSs.
I didn't have the time to test your script thoroughly, but it is a known Let's Encrypt bug to have broken authorization when used with Drupal (https://community.letsencrypt.org/t/dru ... ation/3014).

The problem is that the Drupal .htaccess (I will soon try to reproduce the problem in Joomla and WordPress) breaks the issuing of the certificate, and it has to be temporarily removed so you can successfully issue the certificate.

The solution is a simple command, and it would be awesome if you implemented another checkbox in the Vesta UI, something like "Certificate for CMS", which when ticked by the user runs the command below:

Code:

cd /{putYOURdirectoryhere}/public_html && mv .htaccess .htaccess_dis &&
service apache2 reload &&
{put YOUR letsencrypt-auto command here} &&
mv .htaccess_dis .htaccess &&
service apache2 reload

Of course any user could disable the .htaccess manually, or the checkbox mentioned above could just rename the .htaccess when ticked and undo it when unticked.

For those who want to use Drupal + Let's Encrypt + Multisite, see here: http://forum.vestacp.com/viewtopic.php? ... ite#p36554. I do not know if there could be some automation in issuing certificates for Drupal multisite though.

sacredwebsite
Posts: 29
Joined: Sun Dec 13, 2015 6:18 pm

Re: Letsencrypt automatic script

Post by sacredwebsite » Tue Dec 29, 2015 11:55 pm

ScIT wrote: I am working on a complete implementation of Let's Encrypt for VestaCP:
[Image]
The SSL Certs field will be automatically greyed out if "Let's Encrypt Option" is checked. At the moment, I am creating the modification for business-internal use only. Is there any interest from the VestaCP team or anyone else in a public release?

Best Regards
Raphael

Raphael, I am very interested in this automated implementation you have created. I believe this is something that Vesta can support as a core feature.

How may I have access to your work?

If you wish, github is a great way to share the code, or any other private git repo host.

I look forward to your reply,
Best regards,
Ramael

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: Letsencrypt automatic script

Post by ScIT » Wed Dec 30, 2015 7:55 pm

sacredwebsite wrote: Raphael, I am very interested in this automated implementation you have created. I believe this is something that Vesta can support as a core feature.

How may I have access to your work?

If you wish, github is a great way to share the code, or any other private git repo host.

I look forward to your reply,
Best regards,
Ramael

Hi Ramael

I'm almost done with developing the modification.

I created 4 new scripts, based on the VestaCP source:

Code:

-rwxr-x--- 1 root root 5811 Dez 30 14:15 v-add-web-domain-ssl-letsencrypt
-rwxr-x--- 1 root root 3085 Dez 30 12:40 v-delete-web-domain-ssl-letsencrypt
-rwxr-x--- 1 root root 1589 Dez 30 19:07 v-list-web-domains-ssl-letsencrypt
-rwxr-xr-x 1 root root 1601 Dez 30 20:37 v-update-web-domains-ssl-letsencrypt

I now have to do some bug fixing and also error reporting for when the certificate creation fails. So a bit more development and also testing and it should be done...

Best Regards
Raphael