LetsEncrypt: Difference between revisions
From fakedWiki
(Created page with "== Configuration == '''/etc/letsencrypt/cli.ini''' <pre> email = info@example.com agree-tos = true authenticator = webroot webroot-path = /etc/letsencrypt/webroot text = true ...") |
m (7 revisions imported) |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Configuration = | |||
'''/etc/letsencrypt/cli.ini''' | '''/etc/letsencrypt/cli.ini''' | ||
<pre> | <pre> | ||
| Line 14: | Line 14: | ||
<IfModule mod_alias.c> | <IfModule mod_alias.c> | ||
Alias /.well-known/acme-challenge /etc/letsencrypt/webroot | Alias /.well-known/acme-challenge /etc/letsencrypt/webroot | ||
</IfModule> | |||
<IfModule mod_proxy.c> | |||
ProxyPass /.well-known/acme-challenge ! | |||
</IfModule> | </IfModule> | ||
<Directory /etc/letsencrypt/webroot> | <Directory /etc/letsencrypt/webroot> | ||
Require all granted | Require all granted | ||
Order deny,allow | Order deny,allow | ||
| Line 26: | Line 27: | ||
Make sure to run ''a2enconf letsencrypt && service apache2 reload'' after creating this config. | Make sure to run ''a2enconf letsencrypt && service apache2 reload'' after creating this config. | ||
== Proxy vHosts and Rewrite == | |||
You may have to keep the Alias URL from being proxied on some vHosts: | You may have to keep the Alias URL from being proxied on some vHosts: : | ||
<pre> | <pre> | ||
# put this line before all other relevant ProxyPass lines | |||
ProxyPass /.well-known/acme-challenge ! | ProxyPass /.well-known/acme-challenge ! | ||
</pre> | </pre> | ||
or if URLs are being | or if URLs are being rewritten, exclude it: | ||
<pre> | <pre> | ||
RewriteCond %{REQUEST_URI} !^/\.well | # put this line before the RewriteRule that will be used | ||
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$ | |||
</pre> | </pre> | ||
= Renew Script = | |||
Create the text file that the renew script uses to check if it's being able to access the Alias URL: | Create the text file that the renew script uses to check if it's being able to access the Alias URL: | ||
<pre> | <pre> | ||
| Line 60: | Line 61: | ||
done | done | ||
</pre> | </pre> | ||
= Alternative Client = | |||
https://github.com/lukas2511/letsencrypt.sh | |||
Latest revision as of 21:10, 26 August 2016
Configuration
/etc/letsencrypt/cli.ini
email = info@example.com agree-tos = true authenticator = webroot webroot-path = /etc/letsencrypt/webroot text = true renew-by-default = true
/etc/apache2/conf-available/letsencrypt.conf
<IfModule mod_alias.c>
Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<IfModule mod_proxy.c>
ProxyPass /.well-known/acme-challenge !
</IfModule>
<Directory /etc/letsencrypt/webroot>
Require all granted
Order deny,allow
Allow from all
Satisfy any
</Directory>
Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.
Proxy vHosts and Rewrite
You may have to keep the Alias URL from being proxied on some vHosts: :
# put this line before all other relevant ProxyPass lines ProxyPass /.well-known/acme-challenge !
or if URLs are being rewritten, exclude it:
# put this line before the RewriteRule that will be used
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$
Renew Script
Create the text file that the renew script uses to check if it's being able to access the Alias URL:
echo 'true' > /etc/letsencrypt/webroot/access.txt
And the renew scripts itself:
#!/bin/bash
cd /opt/letsencrypt
for DOMAIN in $(ls -1 /etc/letsencrypt/live); do
ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
if [ ${ACCESS} == "true" ]; then
echo "Updating certificate for ${DOMAIN}"
SAN=$(openssl x509 -text -noout -in /etc/letsencrypt/live/${DOMAIN}/cert.pem | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
/opt/letsencrypt/letsencrypt-auto certonly ${SAN}
else
echo "Can't access /.well-known on ${DOMAIN}"
fi
done