Letsencrypt setup | Free automated SSL certificates
Last update
2019-03-27
«via acme.sh»
I chose the acme.sh shell script among the available clients because it is simple to install and does not require any extra library.
```sh
# 1. install the script (it adds an alias to your shell rc file and a daily crontab entry):
git clone https://github.com/Neilpang/acme.sh.git acme.sh.repo
cd acme.sh.repo
DIR="$HOME/letsencrypt"
./acme.sh --install \
  --home $DIR/acme.sh \
  --certhome $DIR/certs \
  --accountkey $DIR/acme.sh/myaccount.key \
  --accountconf $DIR/acme.sh/myaccount.conf \
  --accountemail "xxx@yyy.com"
exit   # and reopen a shell so the acme.sh alias is available

# 2. set autoupdate of the script:
acme.sh --upgrade --auto-upgrade

# 3. run it twice per day at two minutes of your choosing (pick your own, do not
#    copy the ones below, so that renewals are not all hitting the CA at the same time).
#    --install already added a once-a-day entry: check `crontab -l` and keep a single one.
#    see: https://certbot.eff.org/#debianwheezy-nginx
10 0  * * * /path_to/acme.sh/acme.sh --cron --home /path_to/acme.sh > /dev/null
20 12 * * * /path_to/acme.sh/acme.sh --cron --home /path_to/acme.sh > /dev/null

# 4a. issue a certificate with the webroot (HTTP-01) method; add --test to use the
#     staging environment first, which has no rate limits and issues untrusted certs:
acme.sh --issue -d acavalin.com -d www.acavalin.com -w /path_to/webserver_public_root

# 4b. issue a wildcard certificate (DNS-01 only) with a specific dns service plugin:
acme.sh --issue -d acavalin.com -d '*.acavalin.com' --dns dns_plugin_name

# 5. install the certificate for NGINX (do not manually copy files out of --certhome:
#    acme.sh rewrites them on every renewal and re-runs this copy plus --reloadcmd):
acme.sh --install-cert -d acavalin.com \
  --key-file       /path_to/ssl_app.key \
  --fullchain-file /path_to/ssl_app.crt \
  --reloadcmd      "/path_to/server_script.sh restart"
```
All commands update the configuration files kept under --home and --certhome, so run them as the same user every time. Each certificate issued by Let's Encrypt is valid for 90 days; acme.sh renews it after 60 days by default, which leaves the cron job 30 days of retries should a renewal fail.
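A check worth running after step 5 and from a monitoring job afterwards: confirm that the key and the certificate handed to NGINX still belong together, and that the certificate has more than 30 days left (if it has fewer, the 60-day renewal point has passed without a successful renewal and the cron job needs looking at). This is an added example, not part of acme.sh or of the original page; it relies only on the real `openssl x509 -checkend`, `-pubkey` and `openssl pkey -pubout` options and assumes a GNU `date` for the day count.

```sh
#!/bin/sh
# Post-install checks for the files given to `acme.sh --install-cert`.
# Added example (not acme.sh code); assumes openssl and GNU coreutils `date`.

# Print the number of days until the certificate's notAfter (negative once expired).
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
  end_s=$(date -u -d "$end" +%s) || return 1     # GNU date parses "Jun 25 12:00:00 2019 GMT"
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Return 0 if the certificate is still valid in $2 days, 1 if it expires before then.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if private key $2 belongs to certificate $1 (compares the SubjectPublicKeyInfo).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Combined check: key/cert pair consistent and at least $3 days (default 30) of validity left.
# Exit status is non-zero on any problem, so it can be the command of a monitoring job.
check_installed_cert() {
  crt=$1; key=$2; min_days=${3:-30}
  cert_matches_key "$crt" "$key" \
    || { echo "key/cert mismatch: $crt vs $key" >&2; return 1; }
  cert_valid_for_days "$crt" "$min_days" \
    || { echo "$crt has only $(cert_days_left "$crt") days left: check acme.sh --cron" >&2; return 1; }
  echo "$crt ok, $(cert_days_left "$crt") days left"
}

# usage: check_installed_cert /path_to/ssl_app.crt /path_to/ssl_app.key
```

The public-key comparison is deliberately independent of the key type, so the same check works for RSA and ECDSA certificates, and `-checkend` is used rather than the computed day count so the pass/fail decision does not depend on the `date` implementation.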
For wildcard certificates you can configure dnsmasq as an authoritative DNS server and then use the plugin below in step 4b via --dns dns_dnsmasq to issue your certificate. Two requirements that are easy to miss: the dnsmasq host must be published as the name server for the zone (or the _acme-challenge names must be delegated to it with NS records) and must be reachable from the Internet on port 53, because the Let's Encrypt validators query it directly; and the user running acme.sh must be able to write the configuration file and restart dnsmasq, since the plugin runs with that user's privileges:
```sh
#!/usr/bin/env sh
# acme.sh dns api plugin, saved as $HOME/letsencrypt/acme.sh/dnsapi/dns_dnsmasq.sh
# acme.sh calls the two hooks with $1 = _acme-challenge.<domain> and $2 = the TXT value.
CONF=/etc/dnsmasq.d/acme-challenge.conf

dns_dnsmasq_add() {
  # append, never overwrite: validating the apex and the wildcard in one order
  # puts two TXT records on the same name, and dnsmasq serves both
  echo "txt-record=$1,\"$2\"" >> "$CONF" || return 1
  systemctl restart dnsmasq && sleep 1
}

dns_dnsmasq_rm() {
  # delete only the exact line that was added (the TXT value is base64url, so it
  # contains no sed metacharacters; the dots in $1 are harmless wildcards here)
  sed -i "/^txt-record=$1,\"$2\"\$/d" "$CONF" || return 1
  systemctl restart dnsmasq && sleep 1   # optional: a stale record is harmless until the next run
}
```
References: Let's Encrypt home page and acme.sh.
Wildcard certificates: issue example, DNS API reference, DNS API development guide, DNS manual and alias mode, acme-dns.