Letsencrypt setup | Free automated SSL certificates
mouse 2706 · person cloud · link
Last update
2019-03-27
2019
03-27
«via acme.sh»

I chose acme.sh shell script among the available clients because it is simple to install and does not require any extra library.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# 1. install script:
git clone https://github.com/Neilpang/acme.sh.git acme.sh.repo

cd acme.sh.repo

DIR="$HOME/letsencrypt"
./acme.sh --install                           \
  --home          $DIR/acme.sh                \
  --certhome      $DIR/certs                  \
  --accountkey    $DIR/acme.sh/myaccount.key  \
  --accountconf   $DIR/acme.sh/myaccount.conf \
  --accountemail  "xxx@yyy.com"

exit # and reopen a shell

# 2. set autoupdate of the script:
acme.sh --upgrade --auto-upgrade

# 3. run it twice per day on a random minute, set crontab:
#    see: https://certbot.eff.org/#debianwheezy-nginx
10  0 * * * /path_to/acme.sh/acme.sh --cron --home /path_to/acme.sh > /dev/null
20 12 * * * /path_to/acme.sh/acme.sh --cron --home /path_to/acme.sh > /dev/null

# 4a. issue a certificate (add --test for the staging environment):
acme.sh --issue -d acavalin.com -d www.acavalin.com -w /path_to/webserver_public_root

# 4b. issue a wildcard certificate with a specific dns service plugin
acme.sh --issue -d acavalin.com -d '*.acavalin.com' --dns dns_plugin_name

# 5. install certificate for NGINX (do not manually copy acme.sh files!):
acme.sh --install-cert -d acavalin.com \
  --key-file       /path_to/ssl_app.key \
  --fullchain-file /path_to/ssl_app.crt \
  --reloadcmd      "/path_to/server_script.sh restart"

All commands will update the configuration files present in --home and --certhome, and every issued certificate will be valid for 60 days by default.

For wildcard certificates you can configure dnsmasq as an authoritative dns server and then use this plugin in step 4b via --dns dns_dnsmasq to issue your certificate:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/usr/bin/env sh
# acme.sh plugin @ $HOME/letsencrypt/acme.sh/dnsapi/dns_dnsmasq.sh

CONF=/etc/dnsmasq.d/acme-challenge.conf

dns_dnsmasq_add() {
  echo "txt-record=$1,\"$2\"" >> $CONF
  systemctl restart dnsmasq ; sleep 1
}

dns_dnsmasq_rm() {
  sed -i "/$1,.$2./d" $CONF
  systemctl restart dnsmasq ; sleep 1 # optional
}

Reference: Let's Encrypt HP and acme.sh

Wildcard cert: issue example, dns api ref, dns api dev guide, dns manual and alias mode, acme-dns