LetsEncrypt: Difference between revisions
From fakedWiki
(Created page with "== Configuration == '''/etc/letsencrypt/cli.ini''' <pre> email = info@example.com agree-tos = true authenticator = webroot webroot-path = /etc/letsencrypt/webroot text = true ...") |
No edit summary |
||
| Line 1: | Line 1: | ||
== Configuration == | === Configuration === | ||
'''/etc/letsencrypt/cli.ini''' | '''/etc/letsencrypt/cli.ini''' | ||
<pre> | <pre> | ||
| Line 26: | Line 26: | ||
Make sure to run ''a2enconf letsencrypt && service apache2 reload'' after creating this config. | Make sure to run ''a2enconf letsencrypt && service apache2 reload'' after creating this config. | ||
=== Proxy vHosts and Rewrite === | ==== Proxy vHosts and Rewrite ==== | ||
You may have to keep the Alias URL from being proxied on some vHosts: | You may have to keep the Alias URL from being proxied on some vHosts: | ||
<pre> | <pre> | ||
| Line 38: | Line 38: | ||
</pre> | </pre> | ||
== Renew Script == | === Renew Script === | ||
Create the text file that the renew script uses to check if it's being able to access the Alias URL: | Create the text file that the renew script uses to check if it's being able to access the Alias URL: | ||
<pre> | <pre> | ||
Revision as of 08:40, 21 January 2016
Configuration
/etc/letsencrypt/cli.ini
email = info@example.com
agree-tos = true
authenticator = webroot
webroot-path = /etc/letsencrypt/webroot
text = true
renew-by-default = true
/etc/apache2/conf-available/letsencrypt.conf
<IfModule mod_alias.c>
    Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<Directory /etc/letsencrypt/webroot>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
    Order deny,allow
    Allow from all
    Satisfy any
</Directory>
Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.
Proxy vHosts and Rewrite
You may have to keep the Alias URL from being proxied on some vHosts:
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:81/
ProxyPassReverse / http://127.0.0.1:81/
or, if URLs are being rewritten, exclude it:
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/.*$
Renew Script
Create the text file that the renew script uses to check whether it can access the Alias URL:
echo 'true' > /etc/letsencrypt/webroot/access.txt
And the renew script itself:
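#!/bin/bash
cd /opt/letsencrypt || exit 1
# Iterate over the per-domain directories only (live/ may also contain plain files)
for DIR in /etc/letsencrypt/live/*/; do
    DOMAIN=$(basename "${DIR}")
    # -k: the current certificate may already have expired; the response is only used as a reachability check
    ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
    # Quoted so that an empty response does not break the test
    if [ "${ACCESS}" == "true" ]; then
        echo "Updating certificate for ${DOMAIN}"
        # Turn the SAN entries of the current certificate into "-d name" arguments
        SAN=$(openssl x509 -text -noout -in "/etc/letsencrypt/live/${DOMAIN}/cert.pem" | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
        # ${SAN} is intentionally unquoted so that it splits into separate arguments
        /opt/letsencrypt/letsencrypt-auto certonly ${SAN}
    else
        echo "Can't access /.well-known on ${DOMAIN}"
    fi
done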
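The SAN pipeline in the renew script (grep 'DNS:' | tr -d ' ,' | sed ...) glues any non-DNS entry, such as an IP address, onto the preceding host name. The following is an added example, not part of the original wiki page, of a stricter parser that keeps only DNS entries, preserves their order and rejects values that do not look like host names. The names san_names, san_args and SAMPLE_TEXT are hypothetical, and the sample text is constructed.

```bash
#!/bin/bash
# Constructed sample of `openssl x509 -text -noout` output (not from a real certificate).
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com, IP Address:192.0.2.10, DNS:mail.example.com
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.invalid'

# Read `openssl x509 -text -noout` output on stdin, print one DNS name per line.
san_names() {
    # Only the line directly below the SAN header is parsed, so "DNS:" or
    # "URI:" strings in other extensions are never picked up.
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r entry; do
        case "${entry}" in
            DNS:*) name="${entry#DNS:}" ;;
            *) continue ;;          # skip IP Address:, email:, URI: entries
        esac
        # Accept host name characters only, so the value is safe to pass
        # on a command line without quoting.
        case "${name}" in
            ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-)
                printf 'skipping unexpected SAN entry: %s\n' "${name}" >&2 ;;
            *)
                printf '%s\n' "${name}" ;;
        esac
    done
}

# Read the same input, print the names as "-d name -d name ..." in
# certificate order (the first name stays the primary one).
san_args() {
    args=""
    for name in $(san_names); do
        args="${args} -d ${name}"
    done
    printf '%s\n' "${args# }"
}

# Demonstration on the constructed sample.
printf '%s\n' "${SAMPLE_TEXT}" | san_args
```

In the renew script this would replace the SAN assignment with SAN=$(openssl x509 -text -noout -in "/etc/letsencrypt/live/${DOMAIN}/cert.pem" | san_args).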