Letsencrypt automatic script

Posted: Mon Dec 14, 2015 11:21 pm
by lordcris
Hello,
I've written a simple script to install and renew letsencrypt certificates.
I'm assuming you are using nginx as a proxy or web server. The script will try and generate a certificate for every domain of every user.
Here is how to use it.

1) Install git

2) Clone the letsencrypt repository (I'm assuming you will be working as root in your /root directory):

Code:

user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt
user@webserver:~$ cd letsencrypt

3) Create a /etc/letsencrypt directory and save a file in it called webroot.ini (just fill in your correct email address):

Code:

# webroot.ini general config ini
rsa-key-size = 4096
email = you@example.com
text = True
agree-tos = True
#agree-dev-preview = 1
renew-by-default = True
authenticator = webroot
webroot-path = /etc/letsencrypt

4) Edit the templates you are using, situated in /usr/local/vesta/data/templates/web/nginx.
The default ones are default.tpl and default.stpl.

and add

Code:

    location /.well-known/acme-challenge {
        alias /etc/letsencrypt/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type text/plain;
        }
    }

in the server section. Then reload your nginx configuration.

5) Create a script with the following content:

Code:

#!/bin/bash
# Creates or renews (if older than 60 days) certificates for all domains

MAXAGE=$((60*24*60*60)) # seconds in 60 days
cd /root/letsencrypt || exit 1

for u in $(v-list-users | cut -f1 -d' ' | tail -n+3)
do
  for f in $(v-list-dns-domains "$u" | cut -f1 -d' ' | tail -n+3)
  do
    live="/etc/letsencrypt/live/$f"
    # Request a certificate when none exists yet, or when the live
    # directory was last modified at least MAXAGE seconds ago
    if [ ! -d "$live" ] || [ "$(( $(date +%s) - $(stat -c '%Y' "$live") ))" -ge "$MAXAGE" ]; then
      ./letsencrypt-auto -c /etc/letsencrypt/webroot.ini -d "$f" -d "www.$f" certonly
      # Copy the issued files (following symlinks) to the user's web config
      if [ -e "$live" ]; then
        cp -Lr --remove-destination "$live/fullchain.pem" "/home/$u/conf/web/ssl.$f.pem"
        cp -Lr --remove-destination "$live/privkey.pem" "/home/$u/conf/web/ssl.$f.key"
        cp -Lr --remove-destination "$live/cert.pem" "/home/$u/conf/web/ssl.$f.crt"
        cp -Lr --remove-destination "$live/chain.pem" "/home/$u/conf/web/ssl.$f.ca"
      fi
    fi
  done
done
service nginx reload
cd "$OLDPWD"

and run it. It should obtain and install your certificates.
If you run it again it should renew the ones older than 60 days.
You can add it to your crontab and execute it twice a month.
Good luck
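
An added example, not part of the post above: where the script judges age from the modification time of the live directory, these functions read the certificate's own expiry with `openssl x509 -checkend`, reject listed names that are not plain host names before they reach a path or command line, and copy the private key with an explicit mode. The function names, the 30-day window and mode 0600 are assumptions, and the sample certificates are constructed self-signed ones.

```shell
#!/bin/sh
# Added example (not from the thread): renewal decision taken from the
# certificate's notAfter date, plus two guards for the copy step.
RENEW_WINDOW=$((30*24*60*60))  # assumption: renew when < 30 days remain

# Accept only plain host names, so a listed "domain" can never add
# path components or options to the commands built from it.
valid_domain() {
  case $1 in
    ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Exit 0 (renew) when the certificate is missing, unparsable, or expires
# within the window (seconds); exit 1 when it is valid beyond the window.
needs_renewal() {
  [ -s "$1" ] || return 0
  ! openssl x509 -checkend "${2:-$RENEW_WINDOW}" -noout -in "$1" >/dev/null 2>&1
}

# Copy the private key with an explicit mode instead of inheriting the
# source mode and umask (0600 is an assumption; match your web server).
install_key() {
  install -m 0600 "$1" "$2"
}

# Constructed sample input: a self-signed certificate valid for $2 days.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=example.test" -keyout "$1/privkey.pem" \
    -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: a 10-day certificate is inside the 30-day window, a 90-day one is not.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/short" "$tmp/long"
  make_sample_cert "$tmp/short" 10 && make_sample_cert "$tmp/long" 90 || return 1
  for d in short long; do
    if needs_renewal "$tmp/$d/cert.pem"; then echo "$d: renew"; else echo "$d: keep"; fi
  done
  install_key "$tmp/long/privkey.pem" "$tmp/ssl.example.test.key"
  stat -c '%a' "$tmp/ssl.example.test.key"
  rm -rf "$tmp"
}
demo
```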

Re: Letsencrypt automatic script

Posted: Tue Dec 15, 2015 8:36 am
by dizzy7
Thanks!!!

Re: Letsencrypt automatic script

Posted: Tue Dec 22, 2015 1:47 am
by syph
Hi,

I'm following your instructions, but when running the script in step 5 I get the following:

Code:

update.sh: 4: update.sh: Syntax error: redirection unexpected

I have cloned into /root/letsencrypt

and created the webroot.ini file here /etc/letsencrypt

Any help would be appreciated. I'm running Ubuntu 14.04

Re: Letsencrypt automatic script

Posted: Tue Dec 22, 2015 7:47 am
by lordcris
Do you have bash installed?
Try and run

Code:

bash update.sh

P.S. I've updated the script so it's compatible with other shell interpreters. Try now.

Re: Letsencrypt automatic script

Posted: Thu Dec 24, 2015 2:51 pm
by labasus
Nice job,
anyone adapt it for apache2 - please share...

Another question: why do you modify default.tpl and default.stpl, I thought that only the public_shtml directory is for https?

Re: Letsencrypt automatic script

Posted: Sun Dec 27, 2015 9:59 pm
by ScIT
labasus wrote: Another question: why do you modify default.tpl and default.stpl, I thought that only the public_shtml directory is for https?
You have to modify the templates for the letsencrypt client domain authentication, so you don't have to stop your nginx server for the authentication.

You can use the public_html directory for http and https content at the same time (see in web -> SSL Support -> SSL Home).
labasus wrote: Nice job,
anyone adapt it for apache2 - please share...
I am working on a complete implementation of Let's Encrypt for VestaCP:
SSL Certs Field will be automatically greyed out if "Let's Encrypt Option" is checked. At the moment, I am creating the modification for internal business use only. Is there any interest from the VestaCP team or anyone for a public release?

Best Regards
Raphael

Re: Letsencrypt automatic script - Native Debian Installation

Posted: Mon Dec 28, 2015 12:10 pm
by vlahonick
In later stages it would be awesome if Vesta would install Let's Encrypt automatically during installation. The Debian package has already reached testing (https://packages.debian.org/testing/letsencrypt) and I imagine the CentOS/RHEL version is having a similar development. Meaning that there will be no need to clone the git repo and add all this extra unnecessary Python to your server.

For those interested, you can already install Let's Encrypt from the Debian repositories safely even on a production server by following the tutorials below (I've done this on my own VPS and it works without problems/bugs):
(I guess that Ubuntu users could make it work with the same or similar process though I haven't personally tested the guides below in Ubuntu)

1. Set your repos to be something like that:
http://serverfault.com/questions/22414/ ... 101#382101

2. Check your pin and install
https://www.rootatwc.com/blog/article/4

Re: Letsencrypt automatic script - Suggestion about CMS use

Posted: Mon Dec 28, 2015 12:24 pm
by vlahonick
I would like to suggest adding a "fix" to this automatic script so users are able to use it with Drupal or other CMS.
I didn't have the time to test your script thoroughly, but it is a known Let's Encrypt bug to have broken authorization when used with Drupal (https://community.letsencrypt.org/t/dru ... ation/3014).

The problem is that the Drupal .htaccess (I will soon try to reproduce the problem in Joomla and WordPress) breaks the issuing of the certificate and it has to be temporarily removed so you can successfully issue the certificate.

The solution is a simple command and it would be awesome if you implement another checkbox in Vesta UI, something like "Certificate for CMS" and when ticked by the user to have it run the command below:

Code:

cd /{putYOURdirectoryhere}/public_html && mv .htaccess .htaccess_dis && 
service apache2 reload && 
{put YOUR letsencrypt-auto command here} && 
mv .htaccess_dis .htaccess && 
service apache2 reload

Of course any user could disable the .htaccess manually, or have the checkbox mentioned above just rename the .htaccess when ticked and undo it when unticked.

For those who want to use Drupal + Let's Encrypt + Multisite here: http://forum.vestacp.com/viewtopic.php? ... ite#p36554. I do not know if there could be some automation in issuing certificates for Drupal multisite though.
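
An added example, not part of the post above: in the `&&` chain, a failed issuing command stops the chain before `.htaccess` is moved back, leaving the site without its access rules. The function below restores the file whether the command succeeds, fails or is interrupted. The name `with_htaccess_disabled` and the `RELOAD_CMD` variable are assumptions, and the demo runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): run a certificate-issuing command
# with .htaccess moved aside, and put it back whether or not the command
# succeeds. RELOAD_CMD is an assumption; the thread uses apache2.
RELOAD_CMD=${RELOAD_CMD:-service apache2 reload}

# with_htaccess_disabled DOCROOT COMMAND [ARGS...]
# Returns COMMAND's exit status (or 1 if the restore itself fails).
with_htaccess_disabled() {
  docroot=$1; shift
  if [ ! -f "$docroot/.htaccess" ]; then
    "$@"; return
  fi
  mv "$docroot/.htaccess" "$docroot/.htaccess_dis" || return 1
  # Restore on Ctrl-C / kill as well, so access rules are not left off.
  trap 'mv "$docroot/.htaccess_dis" "$docroot/.htaccess"; $RELOAD_CMD; exit 130' INT TERM HUP
  $RELOAD_CMD
  "$@"; rc=$?
  trap - INT TERM HUP
  mv "$docroot/.htaccess_dis" "$docroot/.htaccess" || rc=1
  $RELOAD_CMD
  return "$rc"
}

# Demo on a constructed document root; "false" stands in for a failed
# letsencrypt-auto run and "true" replaces the real reload.
demo() {
  RELOAD_CMD=true
  tmp=$(mktemp -d) || return 1
  echo "Deny from all" > "$tmp/.htaccess"
  with_htaccess_disabled "$tmp" false
  echo "issuer exit status: $?"
  [ -f "$tmp/.htaccess" ] && echo ".htaccess restored"
  rm -rf "$tmp"
}
demo
```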

Re: Letsencrypt automatic script

Posted: Tue Dec 29, 2015 11:55 pm
by sacredwebsite
ScIT wrote: I am working on a complete implementation of Let's Encrypt for VestaCP:
SSL Certs Field will be automatically greyed out if "Let's Encrypt Option" is checked. At the moment, I am creating the modification for internal business use only. Is there any interest from the VestaCP team or anyone for a public release?

Best Regards
Raphael
Raphael, I am very interested in this automated implementation you have created. I believe this is something that Vesta can support as a core feature.

How may I have access to your work?

If you wish, GitHub is a great way to share the code, or any other private git repo host.

I look forward to your reply,
Best regards,
Ramael

Re: Letsencrypt automatic script

Posted: Wed Dec 30, 2015 7:55 pm
by ScIT
sacredwebsite wrote: Raphael, I am very interested in this automated implementation you have created. I believe this is something that Vesta can support as a core feature.

How may I have access to your work?

If you wish, GitHub is a great way to share the code, or any other private git repo host.

I look forward to your reply,
Best regards,
Ramael
Hi Ramael

I'm almost done with developing the modification.

Created 4 new scripts, based on the VestaCP source:

Code:

-rwxr-x--- 1 root root 5811 Dez 30 14:15 v-add-web-domain-ssl-letsencrypt
-rwxr-x--- 1 root root 3085 Dez 30 12:40 v-delete-web-domain-ssl-letsencrypt
-rwxr-x--- 1 root root 1589 Dez 30 19:07 v-list-web-domains-ssl-letsencrypt
-rwxr-xr-x 1 root root 1601 Dez 30 20:37 v-update-web-domains-ssl-letsencrypt

I now have to do some bug fixing and also error reporting, if the certification creation fails. So a bit more development and also testing and it should be done...

Best Regards
Raphael