LetsEncrypt

From fakedWiki
Revision as of 22:37, 25 January 2016 by Jan (talk | contribs)
Jump to: navigation, search

Configuration

/etc/letsencrypt/cli.ini

email = info@example.com
agree-tos = true
authenticator = webroot
webroot-path = /etc/letsencrypt/webroot
text = true
renew-by-default = true

/etc/apache2/conf-available/letsencrypt.conf

<IfModule mod_alias.c>
    Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<IfModule mod_proxy.c>
    ProxyPass /.well-known/acme-challenge !
</IfModule>
<Directory /etc/letsencrypt/webroot>
  Require all granted
  Order deny,allow
  Allow from all
  Satisfy any
</Directory>

Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.

Proxy vHosts and Rewrite

You may have to keep the Alias URL from being proxied on some vHosts: :

# put this line before all other relevant ProxyPass lines
ProxyPass /.well-known/acme-challenge !

or if URLs are being rewritten, exclude it:

# put this line before the RewriteRule that will be used
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$

Renew Script

Create the text file that the renew script uses to check if it's being able to access the Alias URL:

echo 'true' > /etc/letsencrypt/webroot/access.txt

And the renew scripts itself:

#!/bin/bash

cd /opt/letsencrypt

for DOMAIN in $(ls -1 /etc/letsencrypt/live); do 
  ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
  if [ ${ACCESS} == "true" ]; then
    echo "Updating certificate for ${DOMAIN}"
    SAN=$(openssl x509 -text -noout -in /etc/letsencrypt/live/${DOMAIN}/cert.pem | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
    /opt/letsencrypt/letsencrypt-auto certonly ${SAN}
  else
    echo "Can't access /.well-known on ${DOMAIN}"
  fi
done

Alternative Client

https://github.com/lukas2511/letsencrypt.sh