certificates - letsencrypt

LetsEncrypt provides free SSL certs that you renew every few weeks.

It strongly suggests python27, so for CentOS, you'll need to use SCL or some other option.

Setup

  1. install packages:
    yum install centos-release-SCL
    yum install git python27 openssl-devel
    yum install gcc libffi-devel openssl-devel
  2. clone repo:
    git clone https://github.com/letsencrypt/letsencrypt
  3. now get letsencrypt to install itself (it bootstraps its own virtualenv on first run):
    # scl enable python27 './letsencrypt-auto --help'
  4. some examples (YMMV - read the letsencrypt docs for specifics on the different certificate request/renewal options):
    # scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site1/htdocs/ -d site1.net,www.site1.net'
    # scl enable python27 './letsencrypt-auto certonly --webroot -w /path/site2/htdocs/ -d site2.com,www.site2.com -w /lamp/sub.site2/htdocs/ -d sub.site2.com'

Cron

  • cron:
    10 8 * * * /usr/bin/scl enable python27 '/bin/bash /usr/local/sbin/letsencrypt_cron.sh'
  • script (/usr/local/sbin/letsencrypt_cron.sh):
    #!/bin/bash
    #
    # letsencrypt cert renewal script
    #
    # Author: John Friar
    # Info:   https://wiki.thoughtbit.com/linux:server:certificates_letsencrypt
    #
    
    # CDIR can be used by cfg mgmt to copy certs into place/restart webserver
    CDIR=/cert_staging/ssl_certs
    
    # letsencrypt installation dir
    LEPATH=/opt/letsencrypt
    
    # where letsencrypt keeps the current cert/key/chain for each name
    LDIR=/etc/letsencrypt/live
    
    # the key is the letsencrypt dir within LDIR
    # the value is the dir within CDIR to copy the cert into
    declare -A CERTS
    CERTS["site1.net-0001"]="site1.net"
    CERTS["mysite.com"]="www"
    CERTS["wiki.mysite.com"]="wiki"
    
    # run letsencrypt with the per-site config; returns non-zero on failure
    run_letsencrypt() {
        local conf=$1
        if ! "${LEPATH}/letsencrypt-auto" -c "$conf" -vv certonly; then
            echo "letsencrypt failed!"
            return 1
        fi
    }
    
    # return true (0) if the two files have the same md5sum;
    # a missing destination file counts as different, so it gets copied
    compare_certs() {
        local src_name=$1
        local dst_name=$2
        local src dst
    
        src=$(md5sum "$src_name" | awk '{ print $1 }')
        dst=$(md5sum "$dst_name" | awk '{ print $1 }')
    
        [ "$src" = "$dst" ]
    }
    
    # parse our array and do the things
    for cert in "${!CERTS[@]}"; do
        name="${CERTS[$cert]}"
        log="$CDIR/$name/letsencrypt.log"
    
        # run letsencrypt
        run_letsencrypt "$CDIR/$name/letsencrypt.ini" &>> "$log"
    
        # compare the certs
        new_cert="$LDIR/$cert/cert.pem"
        cur_cert="$CDIR/$name/$name.crt"
    
        new_key="$LDIR/$cert/privkey.pem"
        cur_key="$CDIR/$name/$name.key"
        
        new_chain="$LDIR/$cert/chain.pem"
        cur_chain="$CDIR/$name/$name-chain.crt"
    
        # compare_certs is true when the files match, so copy only on a change
        if ! compare_certs "$new_cert" "$cur_cert"; then
            echo >> "$log"
            echo 'new cert' >> "$log"
            cp -f "$new_cert" "$cur_cert" &>> "$log"
        fi
        if ! compare_certs "$new_key" "$cur_key"; then
            echo >> "$log"
            echo 'new key' >> "$log"
            cp -f "$new_key" "$cur_key" &>> "$log"
            # the private key must not be readable by other users on the staging host
            chmod 0600 "$cur_key"
        fi
        if ! compare_certs "$new_chain" "$cur_chain"; then
            echo >> "$log"
            echo 'new chain' >> "$log"
            cp -f "$new_chain" "$cur_chain" &>> "$log"
        fi
        echo >> "$log"
        echo "$(date) Done" >> "$log"
    done
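A pre-deployment check to run before the copy step in the cron script above, added here as an example and not part of the original page or the letsencrypt project: it confirms the renewed cert.pem actually belongs to privkey.pem, is not about to expire (a silent renewal failure), and verifies through chain.pem before anything is staged. It assumes the live-dir layout used above and openssl in PATH; the function names and the optional CA_FILE variable are my own.

```shell
#!/bin/bash
# Added example, not from the wiki page: pre-deployment checks for a renewed
# certificate set. Assumes the live-dir layout used above (cert.pem,
# privkey.pem, chain.pem) and openssl in PATH. CA_FILE is an optional,
# hypothetical variable to pin a trust anchor instead of the system store.

# verify_cert_pair CERT KEY CHAIN [MIN_SECONDS]
# returns 0 only when every check passes; the failing check is reported on stderr
verify_cert_pair() {
    local cert=$1 key=$2 chain=$3 min_seconds=${4:-604800}   # default: 7 days
    local cert_pub key_pub

    # 1. the cert must belong to this key: compare the public key embedded in
    #    the cert with the one derived from the private key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable cert: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable key: $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key mismatch: $cert vs $key" >&2
        return 1
    fi

    # 2. a cert that is expired or about to expire means renewal did not happen
    if ! openssl x509 -in "$cert" -noout -checkend "$min_seconds" >/dev/null; then
        echo "cert expires within ${min_seconds}s: $cert" >&2
        return 1
    fi

    # 3. the leaf must verify through chain.pem (intermediates, untrusted) up to
    #    a trust anchor: the system store, or CA_FILE if set
    if ! openssl verify ${CA_FILE:+-CAfile "$CA_FILE"} -untrusted "$chain" "$cert" >/dev/null 2>&1; then
        echo "chain does not verify: $cert" >&2
        return 1
    fi
    return 0
}

# stage_if_valid LIVEDIR DSTDIR NAME
# copies cert/key/chain into the staging layout the cron script uses, but only
# after the checks pass, and keeps the private key owner-only
stage_if_valid() {
    local live=$1 dst=$2 name=$3
    verify_cert_pair "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" || return 1
    install -m 0644 "$live/cert.pem"    "$dst/$name.crt" \
      && install -m 0644 "$live/chain.pem" "$dst/$name-chain.crt" \
      && install -m 0600 "$live/privkey.pem" "$dst/$name.key"
}
```

Calling stage_if_valid in place of the three cp lines makes the cron job refuse to stage a cert/key pair that does not match, which is the failure mode that otherwise only shows up as a TLS handshake error after deployment.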

Reference

linux/server/certificates_letsencrypt.txt · Last modified: 2016/05/02 03:33 by john