MatthieuLemoine · May 24, 2016 13:13
diff --git a/1_install_lets_encrypt b/1_install_lets_encrypt
 #!/bin/bash

 sudo apt-get install git bc
 sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
 sudo mkdir /var/www/letsencrypt
 sudo chown www-data /var/www/letsencrypt
diff --git a/2_generate_cert b/2_generate_cert
 #!bin/bash

 sudo service nginx stop
 cd /opt/lestencrypt
 ./letsencrypt-auto certonly --standalone
 sudo service nginx start
diff --git a/3_https.vhost b/3_https.vhost
 server {
 	listen 443 ssl; 
 	server_name domain.com;
 	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 	
 	location /.well-known/acme-challenge {
        	root /var/www/letsencrypt;
    	}

 	access_log /var/log/nginx/website.log;
 	location / {
 		proxy_set_header X-Real-IP $remote_addr;
      		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      		proxy_set_header Host $http_host;
      		proxy_set_header X-NginX-Proxy true;

      		proxy_pass http://localhost:3000/;
      		proxy_redirect off;      
 	}
 }
 server {
 	listen 80;
 	server_name domain.com;
 	return 301 https://$host$request_uri;
 }
diff --git a/4_renew-letsencrypt.ini b/4_renew-letsencrypt.ini
 # /usr/local/etc/renew-letsencrypt.ini
 # All flags used by the client can be configured here. Run Let's Encrypt with
 # "--help" to learn more about the available options.

 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096

 # Uncomment and update to register with the specified e-mail address
 email = [email protected]

 # Uncomment and update to generate certificates for the specified
 # domains.
 domains = domain.com, www.domain.com, sub.domain.com

 # Uncomment to use a text interface instead of ncurses
 # text = True

 # Uncomment to use the standalone authenticator on port 443
 # authenticator = standalone
 # standalone-supported-challenges = tls-sni-01

 # Uncomment to use the webroot authenticator. Replace webroot-path with the
 # path to the public_html / webroot folder being served by your web server.
 # authenticator = webroot
 webroot-path = /var/www/letsencrypt
diff --git a/5_renew_letsencrypt.sh b/5_renew_letsencrypt.sh
 #!/bin/bash
 # /usr/local/sbin/renew_letsencrypt.sh
 # https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot

 web_service='nginx'
 config_file="/usr/local/etc/renew-letsencrypt.ini"

 le_path='/opt/letsencrypt'
 exp_limit=30;

 if [ ! -f $config_file ]; then
        echo "[ERROR] config file does not exist: $config_file"
        exit 1;
 fi

 domain=`grep "^\s*domains" $config_file | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
 cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

 if [ ! -f $cert_file ]; then
 	echo "[ERROR] certificate file not found for domain $domain."
 fi

 exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
 datenow=$(date -d "now" +%s)
 days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)

 echo "Checking expiration date for $domain..."

 if [ "$days_exp" -gt "$exp_limit" ] ; then
 	echo "The certificate is up to date, no need for renewal : $days_exp days left."
 	exit 0;
 else
 	echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
        $le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
 	echo "Reloading $web_service"
 	/usr/sbin/service $web_service restart
 	echo "Renewal process finished for domain $domain"
 	exit 0;
 fi
diff --git a/6_auto_renewal b/6_auto_renewal
 sudo chmod +x /usr/local/sbin/renew_letsencrypt.sh
 sudo crontab -e
 # Crontab entry
 # 30 2 * * 1 /usr/local/sbin/renew_letsencrypt.sh >> /var/log/renew_letsencrypt.log
diff --git a/7_test_renewal_conf b/7_test_renewal_conf
 cd /opt/letsencrypt
 ./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/renew-letsencrypt.ini
 sudo service nginx restart
	#!/bin/bash

	sudo apt-get install git bc
	sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
	sudo mkdir /var/www/letsencrypt
	sudo chown www-data /var/www/letsencrypt
	#!bin/bash

	sudo service nginx stop
	cd /opt/lestencrypt
	./letsencrypt-auto certonly --standalone
	sudo service nginx start
	server {
	listen 443 ssl;
	server_name domain.com;
	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

	location /.well-known/acme-challenge {
	root /var/www/letsencrypt;
	}

	access_log /var/log/nginx/website.log;
	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-NginX-Proxy true;

	proxy_pass http://localhost:3000/;
	proxy_redirect off;
	}
	}
	server {
	listen 80;
	server_name domain.com;
	return 301 https://$host$request_uri;
	}
	# /usr/local/etc/renew-letsencrypt.ini
	# All flags used by the client can be configured here. Run Let's Encrypt with
	# "--help" to learn more about the available options.

	# Use a 4096 bit RSA key instead of 2048
	rsa-key-size = 4096

	# Uncomment and update to register with the specified e-mail address
	email = [email protected]

	# Uncomment and update to generate certificates for the specified
	# domains.
	domains = domain.com, www.domain.com, sub.domain.com

	# Uncomment to use a text interface instead of ncurses
	# text = True

	# Uncomment to use the standalone authenticator on port 443
	# authenticator = standalone
	# standalone-supported-challenges = tls-sni-01

	# Uncomment to use the webroot authenticator. Replace webroot-path with the
	# path to the public_html / webroot folder being served by your web server.
	# authenticator = webroot
	webroot-path = /var/www/letsencrypt
	#!/bin/bash
	# /usr/local/sbin/renew_letsencrypt.sh
	# https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot

	web_service='nginx'
	config_file="/usr/local/etc/renew-letsencrypt.ini"

	le_path='/opt/letsencrypt'
	exp_limit=30;

	if [ ! -f $config_file ]; then
	echo "[ERROR] config file does not exist: $config_file"
	exit 1;
	fi

	domain=`grep "^\sdomains" $config_file \| sed "s/^\sdomains\s=\s//" \| sed 's/(\s)\\|,.$//'`
	cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

	if [ ! -f $cert_file ]; then
	echo "[ERROR] certificate file not found for domain $domain."
	fi

	exp=$(date -d "`openssl x509 -in $cert_file -text -noout\|grep "Not After"\|cut -c 25-`" +%s)
	datenow=$(date -d "now" +%s)
	days_exp=$(echo \( $exp - $datenow \) / 86400 \|bc)

	echo "Checking expiration date for $domain..."

	if [ "$days_exp" -gt "$exp_limit" ] ; then
	echo "The certificate is up to date, no need for renewal : $days_exp days left."
	exit 0;
	else
	echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
	$le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
	echo "Reloading $web_service"
	/usr/sbin/service $web_service restart
	echo "Renewal process finished for domain $domain"
	exit 0;
	fi
	sudo chmod +x /usr/local/sbin/renew_letsencrypt.sh
	sudo crontab -e
	# Crontab entry
	# 30 2 * * 1 /usr/local/sbin/renew_letsencrypt.sh >> /var/log/renew_letsencrypt.log
	cd /opt/letsencrypt
	./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/renew-letsencrypt.ini
	sudo service nginx restart