https://github.com/diafygi/acme-tiny
Make sure file permissions are such that the deploy user does not have access to `domain.key`.
https://github.com/diafygi/acme-tiny
Make sure file permissions are such that the deploy user does not have access to `domain.key`.
As the deploy user, run `crontab -e` and add the line below (the `2>>` redirect only works if the deploy user can write to `/var/log/acme_tiny.log`):

    0 0 1 * * /opt/renew_ssl_cert.sh 2>> /var/log/acme_tiny.log
```apache
# add alias so /.well-known/ directory resolves for any vhost
Alias /.well-known/ "/var/www/.well-known/"
<Directory "/var/www/.well-known">
    AllowOverride None
    Options IncludesNoExec
    Order allow,deny
    Allow from all
</Directory>

# point SSL conf to ssl keys:
<VirtualHost *:443>
    # ...
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/chained.pem
    SSLCertificateKeyFile /etc/letsencrypt/domain.key
</VirtualHost>
```
Make a copy of `openssl.cnf` and add the additional domains the cert should cover:

    cp /etc/pki/tls/openssl.cnf /etc/letsencrypt/openssl.cnf

then edit `/etc/letsencrypt/openssl.cnf`:
```ini
req_extensions = v3_req

[ v3_req ]
# ...
subjectAltName = @alt_names

[alt_names]
DNS.1=www.domain.com
DNS.2=mail.domain.com
DNS.3=foobar.com
DNS.4=www.foobar.com
```
Edit `/etc/postfix/main.cf` to point to the new SSL certs:

    smtpd_tls_cert_file = /etc/letsencrypt/chained.pem
    smtpd_tls_key_file = /etc/letsencrypt/domain.key
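# One-time setup, run as root on the web host.
# acme_tiny requires 2.7
# DOMAIN is the primary name placed in the CSR's CN; the extra names come
# from the alt_names section of /etc/letsencrypt/openssl.cnf.
DOMAIN=mydomain.com
wget https://centos5.iuscommunity.org/ius-release.rpm
# NOTE(review): rpm -Uvh only verifies the package signature if the IUS GPG
# key is already imported; check that before installing.
sudo rpm -Uvh ius-release*.rpm
yum -y install python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
git clone https://github.com/diafygi/acme-tiny.git /opt/acme-tiny
sed -i "s|--python python2|--python python2.7|" /opt/acme-tiny/acme_tiny.py
mkdir -p /etc/letsencrypt/
# Generate both private keys under a restrictive umask so they are never
# world-readable, not even in the window before the chmod below.
(
  umask 077
  openssl genrsa 4096 > /etc/letsencrypt/account.key
  openssl genrsa 4096 > /etc/letsencrypt/domain.key
)
chmod 600 /etc/letsencrypt/domain.key
# The renewal script runs as the deploy user: it needs the account key but
# must not be able to read the domain key, so only account.key is handed over.
chown deploy /etc/letsencrypt/account.key
chmod 600 /etc/letsencrypt/account.key
# generate cert request:
openssl req -new -sha256 -key /etc/letsencrypt/domain.key -subj "/CN=$DOMAIN" -reqexts v3_req -config /etc/letsencrypt/openssl.cnf > /etc/letsencrypt/domain.csr
# Pre-create the files the renewal script rewrites so the deploy user can
# update them without needing write access to /etc/letsencrypt itself.
touch /etc/letsencrypt/signed.crt /etc/letsencrypt/intermediate.pem /etc/letsencrypt/chained.pem
chown deploy /etc/letsencrypt/signed.crt /etc/letsencrypt/intermediate.pem /etc/letsencrypt/chained.pem
mkdir -p /var/www/.well-known/acme-challenge/
chown -R deploy /var/www/.well-known/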
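#!/usr/bin/env bash
# Renew the Let's Encrypt certificate with acme-tiny and reload the services
# that use it. Meant to run from the deploy user's crontab; diagnostics go to
# stderr so cron can append them to the log.
#
# The original used #!/usr/bin/sh with bash-only constructs ([[ ]], (( ))),
# so the shebang now asks for bash explicitly.
set -euo pipefail

readonly DOMAIN=mydomain.com
readonly KEY=/etc/letsencrypt/account.key
readonly CSR=/etc/letsencrypt/domain.csr
readonly DIR=/var/www/.well-known/acme-challenge/
readonly NEWCERT=/etc/letsencrypt/signed.crt
readonly INTERMEDIATE=/etc/letsencrypt/intermediate.pem
readonly CHAINED=/etc/letsencrypt/chained.pem
# NOTE(review): this URL pins one specific Let's Encrypt intermediate; confirm
# it still matches the CA that signs the new cert before relying on it.
readonly INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

die() { printf '%s\n' "$*" >&2; exit 1; }

# generate new cert
# retry up to 10 times
# The cert is captured in a variable instead of being redirected straight
# into $NEWCERT so a failed attempt can no longer truncate the cert that is
# currently deployed.
readonly maxtries=10
tries=0
cert=
until (( tries >= maxtries )); do
  if cert=$(python2.7 /opt/acme-tiny/acme_tiny.py \
      --account-key "$KEY" \
      --csr "$CSR" \
      --acme-dir "$DIR"); then
    break
  fi
  # $((...)) rather than ((tries++)): the latter returns 1 when tries is 0
  # and would abort the script under set -e.
  tries=$((tries + 1))
  sleep 60
done
# The original tested "$tries -eq $tries", which is always true, so the script
# exited 1 even after a successful renewal; compare against the budget instead.
if (( tries >= maxtries )); then
  die "Failure to update $DOMAIN"
fi
# Refuse to deploy anything that does not parse as a certificate.
printf '%s\n' "$cert" | openssl x509 -noout \
  || die "acme-tiny output for $DOMAIN is not a certificate"
printf '%s\n' "$cert" > "$NEWCERT"

# Fetch the intermediate the same way: keep it in memory until it is known
# good, so a failed download does not leave an empty intermediate.pem behind.
inter=$(wget -q -O - "$INTERMEDIATE_URL") \
  || die "Failure to download intermediate certificate"
printf '%s\n' "$inter" | openssl x509 -noout \
  || die "downloaded intermediate is not a certificate"
printf '%s\n' "$inter" > "$INTERMEDIATE"

# create chained cert file
cat "$NEWCERT" "$INTERMEDIATE" > "$CHAINED"

# reload apache and postfix so they pick up the new chain
# (requires the NOPASSWD sudoers entry for the deploy user)
sudo service postfix reload
sudo service httpd reload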
```sudoers
# add ability for deploy user to reload services without password.
# This makes sure that user can reload the services after the SSL cert is renewed.
# SERVICES must be a Cmnd_Alias that lists only the reload commands the renewal script runs.
deploy ALL=NOPASSWD: SERVICES
```