LetsEncrypt
Configuration
/etc/letsencrypt/cli.ini
email = info@example.com
agree-tos = true
authenticator = webroot
webroot-path = /etc/letsencrypt/webroot
text = true
renew-by-default = true
/etc/apache2/conf-available/letsencrypt.conf
<IfModule mod_alias.c>
    Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<IfModule mod_proxy.c>
    ProxyPass /.well-known/acme-challenge !
</IfModule>
<Directory /etc/letsencrypt/webroot>
    # "Require all granted" is the Apache 2.4 form; Order/Allow/Satisfy are the
    # 2.2 equivalents (on 2.4 they need mod_access_compat), kept so the snippet
    # works on both.
    Require all granted
    Order deny,allow
    Allow from all
    Satisfy any
</Directory>
Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.
Proxy vHosts and Rewrite
You may have to keep the Alias URL from being proxied on some vHosts (place this line before all other ProxyPass lines in that vHost):
ProxyPass /.well-known/acme-challenge !
or, if URLs are being rewritten, exclude it (place this line before the RewriteRule that would otherwise match):
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$
Renew Script
Create the text file that the renew script fetches to check whether it can reach the Alias URL:
echo 'true' > /etc/letsencrypt/webroot/access.txt
And the renew script itself:
#!/bin/bash
cd /opt/letsencrypt || exit 1
for DOMAIN in $(ls -1 /etc/letsencrypt/live); do
    # Skip anything in live/ that is not a certificate directory (e.g. the README certbot places there)
    [ -f "/etc/letsencrypt/live/${DOMAIN}/cert.pem" ] || continue
    # Check that the challenge directory is reachable through the Alias (-k: the current cert may already be expired)
    ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
    # Quoted so an empty response does not break the test
    if [ "${ACCESS}" == "true" ]; then
        echo "Updating certificate for ${DOMAIN}"
        # Build one -d argument per DNS SAN entry of the current certificate
        SAN=$(openssl x509 -text -noout -in "/etc/letsencrypt/live/${DOMAIN}/cert.pem" | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
        /opt/letsencrypt/letsencrypt-auto certonly ${SAN}
    else
        echo "Can't access /.well-known on ${DOMAIN}"
    fi
done
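The grep/tr/sed pipeline in the renew script works as long as the certificate's Subject Alternative Name extension contains only DNS: entries; an IP Address: or email: entry on the same line gets glued onto the last hostname and produces a bogus -d argument. The following Python is an added example, not part of the wiki page or of the letsencrypt client: it parses the SAN block of `openssl x509 -text -noout` output properly and builds the `certonly` argument list, and it reproduces the pipeline's result on a constructed sample so the difference is visible. The sample certificate text and all function names are constructed for the example.

```python
from typing import List

# Constructed sample of the relevant part of `openssl x509 -text -noout` output.
# It mixes DNS, IP Address and email SAN entries to show where the
# `tr -d ' ,' | sed 's/DNS:/ -d /g'` pipeline breaks down.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, IP Address:192.0.2.10, email:info@example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""

SAN_HEADER = "X509v3 Subject Alternative Name:"


def parse_san_dns_names(x509_text: str) -> List[str]:
    """Return the DNS: entries of the SAN extension from `openssl x509 -text` output.

    Only the indented value line(s) directly under the SAN header are read, so a
    'DNS:' elsewhere in the dump is ignored and non-DNS entries (IP Address,
    email, URI) are skipped instead of being appended to the last hostname.
    """
    lines = x509_text.splitlines()
    names: List[str] = []
    for idx, line in enumerate(lines):
        if line.strip() != SAN_HEADER:
            continue
        header_indent = len(line) - len(line.lstrip())
        # The value follows on one or more lines indented deeper than the header
        for value_line in lines[idx + 1:]:
            indent = len(value_line) - len(value_line.lstrip())
            if indent <= header_indent:
                break
            for entry in value_line.split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    names.append(entry[len("DNS:"):])
        break
    return names


def build_certonly_args(domains: List[str]) -> List[str]:
    """Build the argument list for `letsencrypt-auto certonly`: one -d per name,
    duplicates dropped while preserving order (webroot settings come from cli.ini)."""
    args = ["certonly"]
    seen = set()
    for name in domains:
        if name not in seen:
            seen.add(name)
            args += ["-d", name]
    return args


def naive_pipeline(x509_text: str) -> str:
    """Reproduce what the page's `grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g'`
    yields on the same text, for comparison with parse_san_dns_names()."""
    out = []
    for line in x509_text.splitlines():
        if "DNS:" in line:
            out.append(line.replace(" ", "").replace(",", "").replace("DNS:", " -d "))
    return "".join(out)


if __name__ == "__main__":
    print("pipeline :", naive_pipeline(SAMPLE_X509_TEXT))
    print("parsed   :", build_certonly_args(parse_san_dns_names(SAMPLE_X509_TEXT)))
```

On the sample the pipeline yields ` -d www.example.com -d example.comIPAddress:192.0.2.10email:info@example.com`, while the parser returns `certonly -d www.example.com -d example.com`. For a real certificate, feed `openssl x509 -text -noout -in /etc/letsencrypt/live/<domain>/cert.pem` output into `parse_san_dns_names()` and pass the list from `build_certonly_args()` to the client via `subprocess.run` instead of word-splitting a shell variable.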