LetsEncrypt
From fakedWiki
Configuration
/etc/letsencrypt/cli.ini
email = info@example.com agree-tos = true authenticator = webroot webroot-path = /etc/letsencrypt/webroot text = true renew-by-default = true
/etc/apache2/conf-available/letsencrypt.conf
<IfModule mod_alias.c>
Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<IfModule mod_proxy.c>
ProxyPass /.well-known/acme-challenge !
</IfModule>
<Directory /etc/letsencrypt/webroot>
Require all granted
Order deny,allow
Allow from all
Satisfy any
</Directory>
Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.
Proxy vHosts and Rewrite
You may have to keep the Alias URL from being proxied on some vHosts: :
# put this line before all other relevant ProxyPass lines ProxyPass /.well-known/acme-challenge !
or if URLs are being rewritten, exclude it:
# put this line before the RewriteRule that will be used
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$
Renew Script
Create the text file that the renew script uses to check if it's being able to access the Alias URL:
echo 'true' > /etc/letsencrypt/webroot/access.txt
And the renew scripts itself:
#!/bin/bash
cd /opt/letsencrypt
for DOMAIN in $(ls -1 /etc/letsencrypt/live); do
ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
if [ ${ACCESS} == "true" ]; then
echo "Updating certificate for ${DOMAIN}"
SAN=$(openssl x509 -text -noout -in /etc/letsencrypt/live/${DOMAIN}/cert.pem | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
/opt/letsencrypt/letsencrypt-auto certonly ${SAN}
else
echo "Can't access /.well-known on ${DOMAIN}"
fi
done