certificates - letsencrypt

LetsEncrypt provides free SSL certs that you renew every few weeks.

It strongly suggests python27, so for CentOS, you'll need to use SCL or some other option.

1. install packages:

   yum install centos-release-SCL
   yum install git python27 openssl-devel
   yum install gcc libffi-devel openssl-devel

2. clone repo:

   git clone https://github.com/letsencrypt/letsencrypt

3. new get letsencrypt to install itself:

   # scl enable python27 './letsencrypt-auto --help'

4. some examples (YMMV - read the letsencrypt docs for specifics on the different certification renewal/request options):

   # scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site1/htdocs/ -d site1.net,www.site1.net'
   # scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site2/htdocs/ -d site2.com,www.site2.com -w /lamp/sub.site2/htdocs/ -d sub.site2.com'

• cron:

  10 8 * * * /usr/bin/scl enable python27 '/bin/bash /usr/local/sbin/letsencrypt_cron.sh'

• script (/usr/local/sbin/letsencrypt_cron.sh):

  #!/bin/bash
  #
  # letsencrypt cert renewal script
  #
  # Author: John Friar
  # Info:   https://wiki.thoughtbit.com/linux:server:certificates_letsencrypt
  #
  
  # CDIR can be used by cfg mgmt to copy certs into place/restart webserver
  CDIR=/cert_staging/ssl_certs
  
  # letsencrypt installation dir
  LEPATH=/opt/letsencrypt
  
  LDIR=/etc/letsencrypt/live
  
  # the key is the letsencrypt dir within LDIR
  # the value is the dir within CDIR to copy in the cert to
  declare -A CERTS
  CERTS["site1.net-0001"]="site1.net"
  CERTS["mysite.com"]="www"
  CERTS["wiki.mysite.com"]="wiki"
  
  
  
  # run letsencrypt
  run_letsencrypt() {
      conf=$1
      if ! ${LEPATH}/letsencrypt-auto -c $conf -vv certonly; then
          echo "letsencrypt failed!"
      fi
  }
  
  # return true if certs are the same
  compare_certs() {
      src_name=$1
      dst_name=$2
  
      src=`md5sum ${src_name} |awk '{ print $1 }'`
      dst=`md5sum ${dst_name} |awk '{ print $1 }'`
  
      # diff returns true if no matches
      if ! diff -sq <(echo $src) <(echo $dst) &>/dev/null; then
          return 1
      fi
      return 0
  }
  
  # parse our array and do the things
  for cert in "${!CERTS[@]}"; do
      name="${CERTS[$cert]}"
  
      # run letsencrypt
      run_letsencrypt $CDIR/$name/letsencrypt.ini &>> $CDIR/$name/letsencrypt.log
  
      # compare the certs
      new_cert=$LDIR/$cert/cert.pem
      cur_cert=$CDIR/$name/$name.crt
  
      new_key=$LDIR/$cert/privkey.pem
      cur_key=$CDIR/$name/$name.key
      
      new_chain=$LDIR/$cert/chain.pem
      cur_chain=$CDIR/$name/$name-chain.crt
  
      # returns true if no matches
      if ! compare_certs $new_cert $cur_cert; then
          echo >> $CDIR/$name/letsencrypt.log
          echo 'new cert' >> $CDIR/$name/letsencrypt.log
          cp -f $new_cert $cur_cert &>> $CDIR/$name/letsencrypt.log
      fi
      if ! compare_certs $new_key $cur_key; then
          echo >> $CDIR/$name/letsencrypt.log
          echo 'new key' >> $CDIR/$name/letsencrypt.log
          cp -f $new_key $cur_key &>> $CDIR/$name/letsencrypt.log
      fi
      if ! compare_certs $new_chain $cur_chain; then
          echo >> $CDIR/$name/letsencrypt.log
          echo 'new chain' >> $CDIR/$name/letsencrypt.log
          cp -f $new_chain $cur_chain &>> $CDIR/$name/letsencrypt.log
      fi
      echo >> $CDIR/$name/letsencrypt.log
      echo "$(date) Done" >> $CDIR/$name/letsencrypt.log
  done

• https://letsencrypt.readthedocs.org/en/latest/using.html
• https://letsencrypt.org/getting-started/
• https://letsencrypt.org/howitworks/
• https://digitz.org/blog/lets-encrypt-ssl-centos-7-setup/