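====== certificates - letsencrypt ======

[[https://letsencrypt.org|LetsEncrypt]] provides free SSL certs that you renew every few weeks. It strongly suggests python27, so for CentOS you'll need to use SCL or some other option.

===== Setup =====

  - install packages:<code>
yum install centos-release-SCL
yum install git python27 openssl-devel
yum install gcc libffi-devel openssl-devel
</code>
  - clone repo:<code>
git clone https://github.com/letsencrypt/letsencrypt
</code>
  - now get letsencrypt to install itself:<code>
# scl enable python27 './letsencrypt-auto --help'
</code>
  - some examples (YMMV - read the letsencrypt docs for specifics on the different certificate renewal/request options):<code>
# scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site1/htdocs/ -d site1.net,www.site1.net'
# scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site2/htdocs/ -d site2.com,www.site2.com -w /lamp/sub.site2/htdocs/ -d sub.site2.com'
</code>

===== Cron =====

  * cron:<code>
10 8 * * * /usr/bin/scl enable python27 '/bin/bash /usr/local/sbin/letsencrypt_cron.sh'
</code>
  * script (''/usr/local/sbin/letsencrypt_cron.sh''):<code bash>
#!/bin/bash
#
# letsencrypt cert renewal script
#
# Author: John Friar
# Info: https://wiki.thoughtbit.com/linux:server:certificates_letsencrypt
#
# For every entry in CERTS: run letsencrypt with the site's ini file, then copy
# cert/key/chain into the staging dir only when they differ from what is
# already staged. Everything is logged to $CDIR/<site>/letsencrypt.log.
#
# No `set -e` on purpose: one site's failure must not stop the remaining
# sites from being renewed.
set -u -o pipefail

# CDIR can be used by cfg mgmt to copy certs into place/restart webserver
readonly CDIR=/cert_staging/ssl_certs
# letsencrypt installation dir
readonly LEPATH=/opt/letsencrypt
readonly LDIR=/etc/letsencrypt/live

# the key is the letsencrypt dir within LDIR
# the value is the dir within CDIR to copy the cert into
declare -A CERTS
CERTS["site1.net-0001"]="site1.net"
CERTS["mysite.com"]="www"
CERTS["wiki.mysite.com"]="wiki"

#######################################
# Run letsencrypt with the given config file.
# Arguments: $1 - path to the site's letsencrypt.ini
# Outputs:   letsencrypt's own output, plus a failure line on stdout
# Returns:   0 on success, 1 if letsencrypt-auto failed
#######################################
run_letsencrypt() {
  local conf=$1
  if ! "${LEPATH}/letsencrypt-auto" -c "${conf}" -vv certonly; then
    echo "letsencrypt failed!"
    return 1
  fi
  return 0
}

#######################################
# Compare two files byte for byte.
# Arguments: $1 - first file, $2 - second file
# Returns:   0 if identical, 1 if they differ or either file is missing
#######################################
compare_certs() {
  local src_name=$1
  local dst_name=$2
  # cmp -s is silent and exits non-zero on a difference or a missing file,
  # so a not-yet-staged file counts as "different" and gets copied.
  if cmp -s -- "${src_name}" "${dst_name}"; then
    return 0
  fi
  return 1
}

#######################################
# Copy src over dst when they differ, noting it in the site log.
# Arguments: $1 - source file (under LDIR)
#            $2 - destination file (under CDIR)
#            $3 - label for the log line ("cert", "key", "chain")
#            $4 - site log file
# Outputs:   nothing on stdout; log lines and cp errors go to $4
#######################################
stage_file() {
  local src=$1 dst=$2 label=$3 log=$4
  if ! compare_certs "${src}" "${dst}"; then
    {
      echo
      echo "new ${label}"
      # cp keeps an existing destination's mode and applies the umask to a
      # new one; the private key lands here too, so keep the staging dir
      # itself restricted rather than relying on the copied file's mode.
      cp -f -- "${src}" "${dst}"
    } >> "${log}" 2>&1
  fi
}

# parse our array and do the things
for cert in "${!CERTS[@]}"; do
  name="${CERTS[$cert]}"
  site_dir="${CDIR}/${name}"
  log="${site_dir}/letsencrypt.log"

  # without the site dir the log redirect itself would fail; say so and move on
  if [[ ! -d "${site_dir}" ]]; then
    echo "skipping ${cert}: ${site_dir} does not exist" >&2
    continue
  fi

  # run letsencrypt; on failure the live dir still holds the last good
  # cert, so staging continues with whatever is there
  run_letsencrypt "${site_dir}/letsencrypt.ini" >> "${log}" 2>&1

  stage_file "${LDIR}/${cert}/cert.pem"    "${site_dir}/${name}.crt"       cert  "${log}"
  stage_file "${LDIR}/${cert}/privkey.pem" "${site_dir}/${name}.key"       key   "${log}"
  stage_file "${LDIR}/${cert}/chain.pem"   "${site_dir}/${name}-chain.crt" chain "${log}"

  {
    echo
    echo "$(date) Done"
  } >> "${log}"
done
</code>

===== Reference =====

  * https://letsencrypt.readthedocs.org/en/latest/using.html
  * https://letsencrypt.org/getting-started/
  * https://letsencrypt.org/howitworks/
  * https://digitz.org/blog/lets-encrypt-ssl-centos-7-setup/

== {{tag>:linux:server :linux}}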